/proc mounted in chroot breaks su

Fri Jan 28 17:49:58 UTC 2005

Thanks, that was exactly the problem.  I mounted /selinux and everybody
seems to be playing nicely now.  I really appreciate you picking my post out
of the flood and helping me.

At this point my work with SELinux and chroot is part proof-of-concept, part
learning by tinkering.  Once I've learned the capabilities and limitations
of each, I'll develop an actual plan to secure things for real.  I just
found Russell Coker's paper on combining the two, so absorbing that is my
next step.

 - Stephen Brueckner, ATC-NY

-----Original Message-----
From: Stephen Smalley [mailto:sds at epoch.ncsc.mil] 
Sent: Friday, January 28, 2005 7:16 AM
To: For users of Fedora Core releases
Cc: Daniel J Walsh
Subject: Re: /proc mounted in chroot breaks su

On Thu, 2005-01-27 at 17:13, Steve Brueckner wrote:
> Hello, I've got what I think might be a real zinger for y'all:
> 
> I've got a chrooted environment that's pretty much a duplicate of my
primary
> file system (I copied almost everything into it).  I've also got /proc
> mounted in the chroot environment.  Yes, I realize what a security risk
that
> is, but I need the Java to work in the chrooted environment, and that
> requires access to /proc for heap and thread information.  I'm using FC3
> with SELinux enabled but in permissive mode (targeted policy).  Since it's
> in permissive mode, I don't think the SELinux is coming into play here.
> 
> My problem is that I can't drop privilege once I'm in the chrooted
> environment unless I umount /proc from the chrooted environment.  For
> example:
> 
> # /usr/sbin/chroot /chrootdir
> # su steve
> Password: (I enter it correctly)
> could not open session
> #
> 
> But if I umount /chrootdir/proc I get this:
> 
> # /usr/sbin/chroot /chrootdir
> # su steve
> $
> 
> Note that in the first case, su prompts for my password and in the second
> case it doesn't.
> 
> Outside of the chrooted environment, su behaves (correctly) just like su
> inside the chrooted environment with /chrootdir/proc unmounted.  This is
an
> apparent paradox: outside the chrooted environment su has access to /proc
> and behaves correctly, but inside the chrooted environment su behaves
> incorrectly when it has access to /proc, and only works when its access to
> /proc is removed!
> 
> Any thoughts, ideas, or solutions are welcome.  Thanks.

This could actually be an SELinux issue.  If /proc is mounted, then
libselinux can tell that SELinux is enabled in the kernel (via a check
for selinuxfs in /proc/filesystems), so pam_selinux will run upon an
attempted su.  But pam_selinux needs to interrogate /selinux (selinuxfs)
to get the set of reachable security contexts for the new user.  Hence,
mounting /proc without mounting /selinux in your chroot could yield the
behavior you describe.  Now, you could certainly modify your
/etc/pam.d/su in your chroot to remove pam_selinux from it so that it
doesn't attempt to run pam_selinux at all.  Of course, having su in your
chroot is begging for trouble in the first place...

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency

-- 
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list