Bug 1618771
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Targeted policy denies polyinstantiated directories for sshd | | |
| Product: | [Fedora] Fedora | Reporter: | Unto Sten <sten.unto> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 28 | CC: | dwalsh, jjelen, sten.unto |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-11-09 05:25:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Unto Sten
2018-08-17 14:41:22 UTC
Hi, Could you downgrade openssh package and then try to reproduce it? Thanks, Lukas.

I downloaded package from Fedora Linux 27: openssh-7.6p1-5.fc27.x86_64.rpm and the dependencies. Did:

    rpm -Uvh --force /tmp/openssh*rpm

and added missing dependency:

    dnf -y install tcp_wrappers-libs

The older OpenSSH daemon runs fine, but I still get the denied { dac_override }. The connecting client's error message is a bit different, it does not complain about failed PTY allocation, but I guess this difference is irrelevant to our problem:

    [untosten@localhost]$ ssh polytest@fedora-test
    polytest.0.1's password:
    Connection to 127.0.0.1 closed.

I am not sure, but I may have possibly read from somewhere that they removed some dac_override permissions from apps on Fedora Linux lately. If that is so, this bug may be a consequence of those changes? I do not know. Just one path to investigate.

selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Hi Lukas! Thanks, your selinux-policy-3.14.1-42.fc28 indeed fixes the dac_override problem, but ssh logins still fail. The reason is that sshd_t cannot create directories in the root directory:

    time->Sat Sep 8 13:22:47 2018
    type=AVC msg=audit(1536402167.897:200): avc: denied { create } for pid=1721 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0

Is this something that Red Hat could allow by default, or is it admin's own decision to allow this right?

I am not totally sure, but personally I am inclined to think that perhaps the SELinux boolean polyinstantiation_enabled should allow this too? My rationale is the admin asked for polyinstantiation_enabled after all, and it would be convenient if it all worked "out of the box" without any extra steps.

Jakub, Any idea what's going on here? Thanks, Lukas.

Hi! Lukas, I am not Jakub, and I am not totally sure what exactly you are asking, but anyway here's what I know: SSH needs this right because pam_namespace.so wants to create a mount point in the root directory. Polyinstantiated directories are based on bind mounts. For example, to hide and protect public /tmp, pam_namespace mounts /tmp-inst/whatever on top of it. This operation provides private directories for users, that is basically all there is to it. See /etc/security/namespace.conf, e.g.

    /tmp /tmp-inst/ level root,adm

selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Fedora Update System has marked this case as "CLOSED", but it is not resolved yet.

(In reply to Unto Sten from comment #10)
> Fedora Update System has marked this case as "CLOSED", but it is not resolved
> yet.

Ummm. Sorry. Apparently I do not know how to use Bugzilla, did ERRATA -> NOTABUG.

Unto, Next selinux-policy update should contain fix for this issue. Thanks, Lukas.

Hi Lukas! Great news, thanks!!!

selinux-policy-3.14.1-48.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
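As an added example (not part of the bug report or of selinux-policy), a small Python triage helper for the two kinds of denial discussed in this thread: it parses AVC lines into the allow rule that audit2allow would propose for them, and flags dac_override denials separately, since those usually indicate a file-ownership or mode problem to fix rather than a rule to add. The first sample line is the create denial quoted in the report; the dac_override line is constructed, because the report does not quote its exact text.

```python
import re
from dataclasses import dataclass

# Sample audit records: the first is copied from the bug report, the second is
# a CONSTRUCTED dac_override denial of the kind the reporter describes.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1536402167.897:200): avc:  denied  { create } for  pid=1721 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1534000000.000:100): avc:  denied  { dac_override } for  pid=1700 comm="sshd" capability=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

# permissions in braces, then source/target context and object class
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass
class Denial:
    perms: list
    source_type: str
    target_type: str
    tclass: str


def type_of(context: str) -> str:
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(text: str) -> list:
    """Parse every AVC denial line in an audit excerpt; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append(Denial(m["perms"].split(), type_of(m["scontext"]),
                                  type_of(m["tcontext"]), m["tclass"]))
    return denials


def allow_rule(d: Denial) -> str:
    """The TE allow statement that would silence this denial."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


def triage(denials: list) -> list:
    """Pair each proposed rule with review advice; dac_override is a red flag."""
    result = []
    for d in denials:
        if d.tclass == "capability" and "dac_override" in d.perms:
            advice = "investigate: root bypassing DAC; fix file ownership/mode, do not just allow"
        else:
            advice = "candidate for the distribution policy or a local module"
        result.append((allow_rule(d), advice))
    return result
```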