Bug 119498
Summary: | SELinux policy should allow ssh and ssh-agent to search mnt_t | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Konstantin Ryabitsev <icon> |
Component: | openssh | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Priority: | medium |
Version: | rawhide | CC: | tmraz, walters |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2005-06-15 19:17:48 UTC |
Description
Konstantin Ryabitsev
2004-03-30 22:29:00 UTC
Another possibility is that a mounted file system has some secret data which normal users are not permitted to access, and thus allowing such an operation will on some systems permit unprivileged users to use the ssh client to access data that they are otherwise not permitted to access. I believe that this is not a bug, it is a local configuration issue.

Being able to search the /mnt directory is not the same as being able to read it. USB devices and such should get mounted as removable_t, which ssh is not allowed to read. We can either add a boolean or allow search of mnt_t dirs and reading of removable_t.

Dan

I don't see why ssh shouldn't be able to read mnt_t. As for removable_t; right now HAL allows console users access to removable media by default. We want to support people storing data on USB keys and the like. So I'd suggest that if we have a boolean it should be on by default. Now there is the potential for a compromised ssh daemon to access potentially secret information stored on removable media; but right now a compromised ssh daemon could also simply transition to user_t or sysadm_t. I'd suggest that sites with data they wish to protect should be ensuring via the HAL policy files or whatever that the media gets an appropriate context mount or whatever.

Added to selinux-policy-strict-1.21.9-1
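
The two options weighed in the thread (search on mnt_t, and a boolean guarding reads of removable_t), sketched as an added policy fragment that is not taken from this bug or from selinux-policy-strict. The domain name `ssh_t` and the boolean name `ssh_read_removable` are assumptions for illustration; `mnt_t` and `removable_t` are the types named in the comments.

```selinux
# Added illustration, not the rule set shipped in selinux-policy-strict.
# Assumed names: ssh_t (ssh client domain), ssh_read_removable (boolean).

# "search" on a directory only permits resolving a path component
# beneath it (e.g. walking through /mnt to reach /mnt/usbkey/id_rsa).
# It does not permit listing the directory, which needs "read".
allow ssh_t mnt_t:dir { search getattr };

# Boolean defaulting to on, as suggested in the thread. A site that
# keeps sensitive data on removable media can switch it off, or give
# that media a different label with a context mount.
bool ssh_read_removable true;

if (ssh_read_removable) {
    # Traverse and list directories on removable media.
    allow ssh_t removable_t:dir { search getattr read };
    # Read regular files (keys, config) stored there.
    allow ssh_t removable_t:file { getattr read };
    # Policies for kernels that check a separate "open" permission
    # also need "open" in the two rules above.
}

# With the boolean off, no rule grants ssh_t access to removable_t,
# so a file such as /mnt/usbkey/id_rsa stays unreadable even though
# /mnt itself can be traversed.
```

On a running system a boolean of this kind is toggled with `setsebool`, and resulting denials show up as AVC messages naming the source domain, target type, object class and permission.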