Bug 1373707

Summary: enabling MLS policy per RHEL7 SELinux Admin's Guide denies root login via tty, serial, ssh
Product: Red Hat Enterprise Linux 7 Reporter: Ryan Sawhill <rsawhill>
Component: initscriptsAssignee: initscripts Maintenance Team <initscripts-maint-list>
Status: CLOSED DUPLICATE QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: deekej, jjaburek, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-08 08:59:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
audit log with AVCs covering permissive-mode tty, ssh, ttyS logins none

Description Ryan Sawhill 2016-09-07 03:01:52 UTC 
Created attachment 1198490 [details]
audit log with AVCs covering permissive-mode tty, ssh, ttyS logins

DESCRIPTION OF PROBLEM:

  After following the standard instructions to enable MLS on a fully up-to-date RHEL 7.2.z machine with virtually no other config changes, root cannot login via ssh, tty, or serial.

  After the relabel and second reboot, login via tty & serial each generate an AVC by comm=abrt-dbus which doesn't seem like that big of a deal. Logging in over ssh on the other hand logs what would have been a denial by comm=sshd of perm dyntransition.

  After `setenforce 1`, trying to login via tty, serial, and ssh ALL FAIL and none generate AVCs. Re-enabling dontaudit (semodule -DB) gets tons of stuff, including the unix_chkpwd command needing to do its thing.

VERSION-RELEASE NUMBER OF SELECTED COMPONENT:

  selinux-policy-mls-3.13.1-60.el7_2.7.noarch

HOW REPRODUCIBLE:

  100%

STEPS TO REPRODUCE:

  0. Follow instructions from SELinux Admin's Guide: http://red.ht/2c8k5kH

  Or ... to be explicit:
  
  0. I used a RHEL 7.2 kickstart with @base + screen, vim-enhanced, kernel-doc, sos, elinks, setools-console, policycoreutils-python, psmisc, and ntp
  1. Register with `subscription-manager` and then restrict repos to just base rhel7 server repo
  2. `yum update -y; reboot`
  3. `yum install selinux-policy-mls -y`
  4. `sed -i -e '/^SELINUX=/s/=.*/=permissive/' -e '/^SELINUXTYPE=/s/=.*/=mls/' /etc/selinux/config`
  5. `fixfiles -F onboot; reboot`
  6. After the relabel and second reboot, login and `setenforce 1`
  7. Try to login via tty, serial, or ssh and see that all fail with no AVCs.
  8. `semodule -DB`
  9. Try again and take a look at all the AVCs.
  
ACTUAL RESULTS:

  root user cannot login via any means after following standard instructions to enable MLS with latest packages.
  
EXPECTED RESULTS:

  root CAN login.
  I don't care whether this requires extra boolean-flipping or messing with `semanage`, but it clearly needs to be tested and documented.


ADDITIONAL INFO:

I created this BZ at the suggestion of Simon Sekidde in an selinux-internal-list mail thread.
I'm attaching an audit.log from this system while in permissive mode.
I basically did the above steps, then switched back to permissive, then did:

~~~
service auditd rotate
setenforce 0    # just to be explicit
auditctl -m " L O G G I N G  I N  V I A  S S H  C O M E S  N E X T "
# then I logged in via ssh
auditctl -m " L O G G I N G  I N  V I A  S E R I A L  C O M E S  N E X T "
# then I logged in via serial
auditctl -m " L O G G I N G  I N  V I A  T T Y  C O M E S  N E X T 
# then I logged in via tty
service auditd stop
~~~

I didn't log out of any consoles in order to cut down on noise.

Here you can see a little from the log:

[root@selinux72 ~]# ausearch -if audit.log -m user
----
time->Tue Sep  6 22:03:07 2016
type=USER msg=audit(1473213787.232:1479): pid=23441 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  S S H  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'
----
time->Tue Sep  6 22:04:13 2016
type=USER msg=audit(1473213853.424:1504): pid=23542 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  S E R I A L  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'
----
time->Tue Sep  6 22:07:23 2016
type=USER msg=audit(1473214043.986:1520): pid=23636 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  T T Y  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'

[root@selinux72 ~]# ausearch -if audit.log -m avc | aureport -a -i 

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1478
2. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1478
3. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1478
4. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:hostname_t:s0 denied 1501
5. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:hostname_t:s0 denied 1501
6. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:hostname_t:s0 denied 1501
7. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
8. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
9. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
10. 09/06/2016 22:03:10 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1502
11. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
12. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
13. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
14. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:chkpwd_t:s0-s15:c0.c1023 execve chr_file read write system_u:object_r:tty_device_t:s0 denied 1506
15. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1503
16. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1503
17. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1503
18. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
19. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
20. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
21. 09/06/2016 22:04:18 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1516
22. 09/06/2016 22:04:18 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1516
23. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
24. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
25. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process rlimitinh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
26. 09/06/2016 22:04:18 login system_u:system_r:local_login_t:s0-s15:c0.c1023 setsockopt capability net_admin system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1512
27. 09/06/2016 22:04:18 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1518
28. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1519
29. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1519
30. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1519
31. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
32. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
33. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
34. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
35. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
36. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
37. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:chkpwd_t:s0-s15:c0.c1023 execve chr_file read write system_u:object_r:tty_device_t:s0 denied 1522
38. 09/06/2016 22:07:26 login system_u:system_r:local_login_t:s0-s15:c0.c1023 setsockopt capability net_admin system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1528
39. 09/06/2016 22:07:26 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1532
40. 09/06/2016 22:07:26 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1532
41. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
42. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
43. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process rlimitinh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
44. 09/06/2016 22:07:26 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1534
Comment 1 Ryan Sawhill 2016-09-07 03:07:00 UTC 
One last note: at the suggestion of plautrba in the mailthread, I did `setsebool -P ssh_sysadm_login=on`, prior to capturing the audit.log. While it might have made a difference, it didn't clear everything else up.

Also, to be CRYSTAL CLEAR, my kickstart does NOTHING ELSE with semanage. No user/role nonsense. Nothing has been customized.

[root@selinux72 ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s15:c0.c1023                auditadm_r staff_r secadm_r sysadm_r system_r
staff_u         user       s0         s0-s15:c0.c1023                auditadm_r staff_r secadm_r sysadm_r system_r
sysadm_u        user       s0         s0-s15:c0.c1023                sysadm_r
system_u        user       s0         s0-s15:c0.c1023                system_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
[root@selinux72 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 root                 s0-s15:c0.c1023      *
system_u             system_u             s0-s15:c0.c1023      *
Comment 3 Petr Lautrbach 2016-09-07 08:48:34 UTC 
This is an initscripts bug #1353975 which will be fixed in RHEL-7.3 and we should probably propose it for rhel-7.2.z as well.

The problem is that /etc directory is mislabeled after reboot:

# ls -ldZ /etc
drwxr-xr-x. root root system_u:object_r:etc_t:s15:c0.c1023 /etc


The fix is to add -F option to restorecon in /usr/lib/systemd/rhel-import-state:

# diff -u /usr/lib/systemd/rhel-import-state.bug /usr/lib/systemd/rhel-import-state
--- /usr/lib/systemd/rhel-import-state.bug      2016-09-07 04:44:45.413231227 -0400
+++ /usr/lib/systemd/rhel-import-state  2016-09-07 04:44:51.645274588 -0400
@@ -7,5 +7,5 @@
 
 # run restorecon on the copied files
 if [ -e /sys/fs/selinux/enforce -a -x /usr/sbin/restorecon ]; then
-    find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i; }
+    find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i -F; }
 fi
Comment 4 Ryan Sawhill 2016-09-07 16:37:24 UTC 
We can close this as a duplicate to that bug #1353975 if you guys like. Up to you.

Of course I agree that there should be a 7.2.z initscripts release ASAP, since this is a total blocker, but I don't currently have any non-RH customers asking about MLS in RHEL 7.2.