Bug 119498

Summary: SELinux policy should allow ssh and ssh-agent to search mnt_t
Product: [Fedora] Fedora Reporter: Konstantin Ryabitsev <icon>
Component: opensshAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: tmraz, walters
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-06-15 15:17:48 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Konstantin Ryabitsev 2004-03-30 17:29:00 EST
(feel free to refile under selinux/policy, if this is filed incorrectly)

Description of problem:
Some people store their sensitive data such as ssh keys on removable
media (and if they aren't, they should. :)). Therefore, SELinux
policies should allow ssh to read devices in /mnt. Currently
attempting to access files stored on a flash card by issuing a "ssh
hostname" or ssh-add .ssh/id_dsa results in something like:

Mar 30 17:24:56 hagrid kernel: audit(1080685496.479:0): avc:  denied 
{ search } for  pid=3418 exe=/usr/bin/ssh name=mnt dev=hda1 ino=114017
scontext=user_u:user_r:user_ssh_t tcontext=system_u:object_r:mnt_t
tclass=dir
Comment 1 Russell Coker 2004-08-27 08:12:15 EDT
Another possibility is that a mounted file system has some secret 
data which normal users are not permitted to access, and thus 
allowing such an operation will on some systems permit unpriviledged 
users to use the ssh client to access data that they are otherwise 
not permitted to access. 
 
I believe that this is not a bug, it is a local configuration issue. 
Comment 2 Daniel Walsh 2005-02-07 10:44:20 EST
Being able to search the /mnt directory is not the same as being abole to read it.
USB devices and such should get mounted as removable_t, which ssh is not allowed
to read.  We can either add a boolean or allow search of mnt_t dirs and reading
of removable_t.

Dan
Comment 3 Colin Walters 2005-02-07 11:18:52 EST
I don't see why ssh shouldn't be able to read mnt_t.

As for removable_t; right now HAL allows console users access to
removable media by default.  We want to support people storing data on
USB keys and the like.  So I'd suggest that if we have a boolean it
should be on by default.

Now there is the potential for a compromised ssh daemon to access
potentially secret information stored on removable media; but right
now a compromised ssh daemon could also simply transition to user_t or
sysadm_t.

I'd suggest that sites with data they wish to protect should be
ensuring via the HAL policy files or whatever that the media gets an
appropriate context mount or whatever.
Comment 4 Daniel Walsh 2005-02-09 11:04:39 EST
Added to selinux-policy-strict-1.21.9-1