Bug 1618771

Summary: Targeted policy denies polyinstantiated directories for sshd
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Keywords: Reopened
Reporter: Unto Sten <sten.unto>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Ben Levenson <benl>
CC: dwalsh, jjelen, sten.unto
Last Closed: 2018-11-09 05:25:42 UTC
Type: Bug

Description Unto Sten 2018-08-17 14:41:22 UTC
Description of problem:

selinux-policy-targeted denies polyinstantiated directories for sshd.


Version-Release number of selected component (if applicable):

3.14.1-37


How reproducible:

Always


Steps to Reproduce:
1. setsebool -P polyinstantiation_enabled on
2. Add the following line to /etc/security/namespace.conf

/tmp     /tmp-inst/         level      root,adm


3. Try to login using ssh

Actual results:

[untosten@localhost]$ ssh polytest@fedora-test
polytest.0.1's password:
PTY allocation request failed on channel 0
Connection to 127.0.0.1 closed.


Expected results:

SSH login should work and /tmp be polyinstantiated.

Additional info:

Audit log required dac_override capability for sshd_t:

type=AVC msg=audit(1534510283.114:291): avc:  denied  { dac_override } for  pid=3083 comm="sshd" capability=1  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability permissive=0

journalctl -u sshd shows:

Aug 17 15:51:23 localhost.localdomain sshd[3083]: pam_namespace(sshd:session): Error creating or accessing instance parent /tmp-inst, Permission denied
Aug 17 15:51:23 localhost.localdomain sshd[3083]: pam_unix(sshd:session): session opened for user polytest by (uid=0) 
Aug 17 15:51:23 localhost.localdomain sshd[3083]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session 

####################

I allowed dac_override. SSH login still failed:

type=AVC msg=audit(1534510435.460:325): avc:  denied  { create } for  pid=30827 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0

Aug 17 15:53:55 localhost.localdomain sshd[30827]: pam_namespace(sshd:session): Error creating or accessing instance parent /tmp-inst, Permission denied
Aug 17 15:53:55 localhost.localdomain sshd[30827]: pam_unix(sshd:session): session opened for user polytest by (uid=0)
Aug 17 15:53:55 localhost.localdomain sshd[30827]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session

####################

So I allowed { create } too. After that SSH logins worked and /tmp was polyinstantiated.

But is there any better method to get polyinstantiation working, without granting sshd_t dac_override capability?
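
An added example, not part of the original report: a small parser that reads the two AVC denials quoted above and prints the policy allow rule each one corresponds to, which makes the scope of what was granted explicit. The function names `parse_avc` and `rules_for` are hypothetical; the sample records are copied from this report.

```python
import re

# AVC records copied from the report above: the capability denial, then the
# directory-create denial seen once dac_override had been allowed.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1534510283.114:291): avc:  denied  { dac_override } for  pid=3083 comm="sshd" capability=1  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'type=AVC msg=audit(1534510435.460:325): avc:  denied  { create } for  pid=30827 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields


def rules_for(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        src, tgt = avc['source_type'], avc['target_type']
        target = 'self' if tgt == src else tgt
        merged.setdefault((src, target, avc['tclass']), set()).update(avc['perms'])
    rules = []
    for (src, target, tclass), perms in sorted(merged.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append(f'allow {src} {target}:{tclass} {perm_text};')
    return rules


if __name__ == '__main__':
    for rule in rules_for(SAMPLE_AVCS):
        print(rule)
```

Both rules are keyed on SELinux types, not paths: the second one is expressed against `root_t`, not against `/tmp-inst` specifically.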

Comment 1 Lukas Vrabec 2018-08-28 18:52:30 UTC
Hi, 

Could you downgrade openssh package and then try to reproduce it? 

Thanks,
Lukas.

Comment 2 Unto Sten 2018-08-29 07:16:50 UTC
I downloaded the package from Fedora Linux 27:

 openssh-7.6p1-5.fc27.x86_64.rpm

and the dependencies. Did:

  rpm -Uvh --force /tmp/openssh*rpm

and added missing dependency:

  dnf -y install tcp_wrappers-libs


The older OpenSSH daemon runs fine, but I still get the denied { dac_override }.

The connecting client's error message is a bit different, it does not complain about failed PTY allocation, but I guess this difference is irrelevant to our problem:

[untosten@localhost]$ ssh polytest@fedora-test
polytest.0.1's password: 
Connection to 127.0.0.1 closed.

Comment 3 Unto Sten 2018-08-29 07:24:29 UTC
I am not sure, but I may have possibly read from somewhere that they removed some dac_override permissions from apps on Fedora Linux lately. If that is so, this bug may be a consequence of those changes? I do not know. Just one path to investigate.

Comment 4 Fedora Update System 2018-09-06 21:56:25 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 5 Fedora Update System 2018-09-07 17:11:52 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 6 Unto Sten 2018-09-08 10:37:31 UTC
Hi Lukas!


Thanks, your selinux-policy-3.14.1-42.fc2 indeed fixes the dac_override problem, but ssh logins still fail. The reason is that sshd_t cannot create directories in the root directory:


time->Sat Sep  8 13:22:47 2018
type=AVC msg=audit(1536402167.897:200): avc:  denied  { create } for  pid=1721 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0

Is this something that Red Hat could allow by default, or is it admin's own decision to allow this right?

I am not totally sure, but personally I am inclined to think that perhaps the SELinux boolean 

  polyinstantiation_enabled

should allow this too? 

My rationale is that the admin asked for polyinstantiation_enabled after all, and it would be convenient if it all worked "out of the box" without any extra steps.

Comment 7 Lukas Vrabec 2018-09-10 09:26:00 UTC
Jakub,
Any idea what's going on here?

Thanks,
Lukas.

Comment 8 Unto Sten 2018-09-10 13:06:51 UTC
Hi!

Lukas, I am not Jakub, and I am not totally sure what exactly you are asking, but anyway here's what I know:

SSH needs this right because pam_namespace.so wants to create a mount point in the root directory. Polyinstantiated directories are based on bind mounts. 

For example, to hide and protect public /tmp, pam_namespace mounts /tmp-inst/whatever on top of it. This operation provides private directories for users, that is basically all there is to it. See /etc/security/namespace.conf, e.g.

/tmp     /tmp-inst/       	level      root,adm

Comment 9 Fedora Update System 2018-09-11 16:55:05 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Unto Sten 2018-09-11 17:54:21 UTC
Fedora Update System has marked this case as "CLOSED", but it is not resolved yet.

Comment 11 Unto Sten 2018-09-11 17:56:36 UTC
(In reply to Unto Sten from comment #10)
> Fedora Update System has marked this case as "CLOSED", but it is not resolved
> yet.

Ummm. Sorry. Apparently I do not know how to use Bugzilla, did ERRATA -> NOTABUG.

Comment 12 Lukas Vrabec 2018-09-16 20:39:23 UTC
Unto, 

The next selinux-policy update should contain a fix for this issue.

Thanks,
Lukas.

Comment 13 Unto Sten 2018-09-17 16:11:29 UTC
Hi Lukas!

Great news, thanks!!!

Comment 14 Fedora Update System 2018-11-05 08:21:24 UTC
selinux-policy-3.14.1-48.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Comment 15 Fedora Update System 2018-11-06 23:27:31 UTC
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Comment 16 Fedora Update System 2018-11-09 05:25:42 UTC
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.