Bug 131083

Summary: sshd does not permit SE Linux logins
Product: [Fedora] Fedora
Reporter: Russell Coker <russell>
Component: openssh
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, sds
Hardware: i386
OS: Linux
Fixed In Version: 3.9p1-2
Doc Type: Bug Fix
Last Closed: 2004-09-03 17:00:48 EDT
Bug Blocks: 130887

Description Russell Coker 2004-08-27 08:17:07 EDT

Description of problem:
After upgrading my server to openssh-server-3.9p1-1 I could not login any more.

The sshd was not relabelling the terminal device node to the new SE Linux context, so the context remained as sshd_devpts_t instead of being correctly set to user_devpts_t or staff_devpts_t.  The previous version worked well.

I can give you administrative access to a SE Linux test machine running the latest rawhide to duplicate this if necessary.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Upgrade a SE Linux machine to the latest rawhide and observe that you can't login.

Actual Results:  The below message appears in /var/log/messages and the session is terminated.

avc:  denied  { read write } for  pid=18055 exe=/bin/bash path=/dev/pts/1 dev=devpts ino=3 scontext=root:staff_r:staff_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file

Additional info:
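An added detection check, not part of this bug report or of openssh, that parses AVC denials like the one above and flags a pty that is still labelled sshd_devpts_t while a user domain such as staff_t is being denied on it. The second sample line is constructed to show a correctly relabelled pty (user_devpts_t) for contrast, and the sshd domain name sshd_t is assumed.

```python
import re

# Constructed samples modelled on the AVC denial in this report: the first is
# that denial joined onto one line, the second a constructed denial on a
# correctly relabelled pty (user_devpts_t) for contrast.
SAMPLE_LOG = """\
avc:  denied  { read write } for  pid=18055 exe=/bin/bash path=/dev/pts/1 dev=devpts ino=3 scontext=root:staff_r:staff_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file
avc:  denied  { ioctl } for  pid=18100 exe=/bin/bash path=/dev/pts/2 dev=devpts ino=4 scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """Type component of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""

def unrelabelled_pty(rec):
    """Flag a /dev/pts chr_file still labelled sshd_devpts_t when a domain other
    than sshd_t (assumed name of the sshd domain) is denied on it."""
    if rec is None or rec.get("tclass") != "chr_file":
        return None
    if not rec.get("path", "").startswith("/dev/pts/"):
        return None
    if context_type(rec.get("tcontext", "")) != "sshd_devpts_t":
        return None
    if context_type(rec.get("scontext", "")) == "sshd_t":
        return None  # sshd touching the pty it allocated is expected
    return "pid %s (%s) denied %s on %s: pty not relabelled by sshd (still %s)" % (
        rec.get("pid", "?"), rec.get("exe", "?"), "/".join(rec["perms"]),
        rec["path"], rec["tcontext"])

def scan(log_text):
    """Run the check over every line and return the findings."""
    return [f for f in (unrelabelled_pty(parse_avc(l)) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```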
Comment 1 Russell Coker 2004-08-27 08:19:29 EDT
The above occurs when using the "strict" policy.  Using "targeted" it is likely to work without problems although I have not yet tested this.  In any case using "targeted" will give different symptoms if it fails.
Comment 2 Stephen Smalley 2004-08-27 08:44:04 EDT
Looks like the openssh-selinux.patch wasn't properly updated for
openssh-3.9p1, and unfortunately it happened to compile nonetheless.
In sshpty.c, the -selinux patch is referencing "ttyname" whereas the
function parameter is now named "tty".  It happens to compile (albeit
with warnings) because ttyname is defined in global scope for
ttyname(3), so I guess we are passing a _function pointer_ here rather
than the tty name.  s/ttyname/tty/g please in the openssh-selinux.patch.
Comment 3 Nalin Dahyabhai 2004-09-03 17:00:48 EDT
This should be fixed in 3.9p1-2 and later.  Please reopen if you find
that this is not the case.  Thanks!