Bug 1679236

Summary: Unable to ssh as some selinux users
Product: Red Hat Enterprise Linux 8
Reporter: Scott Poore <spoore>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: high
Version: 8.0
CC: amore, lslebodn, lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Target Release: 8.1
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-07-04 11:51:33 UTC
Type: Bug
Bug Depends On: 1682526
Bug Blocks: 1778780

Description Scott Poore 2019-02-20 16:25:38 UTC
Description of problem:


I am unable to use ssh as a user when assigned to certain SELinux Users.  So far, reproducing this has required IPA be installed, but reproducing is done locally.

So far, this is known to be an issue with guest_u and xguest_u:

[root@rhel8-6 ~]# setenforce 1
[root@rhel8-6 ~]# semanage login --modify -s guest_u -r s0 user1
[root@rhel8-6 ~]# date; ssh -l user1 $(hostname) "id -Z"
Wed Feb 20 10:13:22 CST 2019
Password: 
Last failed login: Wed Feb 20 09:52:50 CST 2019 from 192.168.122.86 on ssh:notty
There were 2 failed login attempts since the last successful login.
[root@rhel8-6 ~]# ausearch -m avc -m user_avc -m selinux_err -ts 10:13:22 | audit2allow


#============= guest_t ==============
allow guest_t init_t:process signal;


[root@rhel8-6 ~]# semanage login --modify -s xguest_u -r s0 user1
[root@rhel8-6 ~]# date; ssh -l user1 $(hostname) "id -Z"
Wed Feb 20 10:18:10 CST 2019
Password: 
Last failed login: Wed Feb 20 09:52:50 CST 2019 from 192.168.122.86 on ssh:notty
There were 2 failed login attempts since the last successful login.
[root@rhel8-6 ~]# ausearch -m avc -m user_avc -m selinux_err -ts 10:18:10 | audit2allow


[root@rhel8-6 ~]# 

So, I'm not seeing AVCs for the xguest issue.  I am guessing this is maybe suppressed by DONTAUDIT rules?

Also, I have heard, but not been able to confirm, that this may affect unconfined_u as well.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-59.el8.noarch


How reproducible:
With IPA, seems very consistent.

Steps to Reproduce:
1.  install idm module

dnf module reset idm
dnf module enable idm:DL1
dnf -y module install idm:DL1/dns

2.  setup ipa server

ipa-server-install -r EXAMPLE.COM -p Secret123 -a Secret123 -U

3.  create and configure local user for test

useradd user1
passwd user1

4.  add user1 selinux login as staff_u

semanage login --add -s staff_u -r s0-s0:c0.c1023 user1

5.  ssh and run id -Z to check mapping

ssh -l user1 $(hostname) "id -Z"

6.  modify user1 selinux login to guest_u (or xguest_u):

semanage login --modify -s guest_u -r s0 user1

7.  ssh and run id -Z again

ssh -l user1 $(hostname) "id -Z"


Actual results:

Step 7 fails.  If you drop the command "id -Z", you can see it fail to log in.
The same occurs for at least guest_u and xguest_u.


Expected results:

In IPA tests, we have been testing xguest at least for years now.  I believe the test suite dates back to early RHEL6 time frame.

Additional info:

Comment 1 Scott Poore 2019-02-20 17:28:18 UTC
I tried leaving DONTAUDIT enabled and SELinux in Enforcing mode to incrementally build a set of modules that would allow this to work with no luck.

Eventually, I disabled DONTAUDIT and continued until I saw no more AVC denials.  It still didn't work.

So, to capture what was going on, I disabled DONTAUDIT and set Permissive mode:

[root@rhel8-6 ~]# setenforce 0

[root@rhel8-6 ~]# semodule -DB

[root@rhel8-6 ~]# date; ssh -l user1 $(hostname) "id -Z"
Wed Feb 20 11:21:39 CST 2019
Password: 
xguest_u:xguest_r:xguest_t:s0

[root@rhel8-6 ~]# ausearch -m avc -m user_avc -m selinux_err -ts 11:21:39 | grep xguest| audit2allow -M xguest_permissive_dontauditdisabled
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i xguest_permissive_dontauditdisabled.pp

[root@rhel8-6 ~]# semodule -i xguest_permissive_dontauditdisabled.pp

[root@rhel8-6 ~]# setenforce 1

[root@rhel8-6 ~]# date; ssh -l user1 $(hostname) "id -Z"
Wed Feb 20 11:23:15 CST 2019
Password: 
xguest_u:xguest_r:xguest_t:s0


I re-enabled DONTAUDIT and it still worked.

[root@rhel8-6 ~]# cat xguest_permissive_dontauditdisabled.te

module xguest_permissive_dontauditdisabled 1.0;

require {
	type systemd_systemctl_exec_t;
	type init_exec_t;
	type xguest_t;
	type cgroup_t;
	type systemd_unit_file_t;
	type fixed_disk_device_t;
	type security_t;
	type mount_var_run_t;
	type init_t;
	class file { execute execute_no_trans getattr map open read write };
	class unix_stream_socket { ioctl read write };
	class dir { add_name create getattr read remove_name rmdir write };
	class blk_file getattr;
	class security { compute_av compute_create };
	class netlink_selinux_socket { bind create };
	class process siginh;
}

#============= init_t ==============
allow init_t xguest_t:process siginh;

#============= xguest_t ==============
allow xguest_t cgroup_t:dir { add_name create remove_name rmdir write };
allow xguest_t cgroup_t:file { getattr open read write };
allow xguest_t fixed_disk_device_t:blk_file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow xguest_t init_exec_t:file map;
allow xguest_t init_exec_t:file { execute read };
allow xguest_t init_t:unix_stream_socket { ioctl read write };
allow xguest_t mount_var_run_t:dir read;
allow xguest_t security_t:file write;
allow xguest_t security_t:security { compute_av compute_create };
allow xguest_t self:netlink_selinux_socket { bind create };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow xguest_t systemd_systemctl_exec_t:file map;
allow xguest_t systemd_systemctl_exec_t:file { execute execute_no_trans open read };
allow xguest_t systemd_unit_file_t:dir getattr;

Comment 2 Scott Poore 2019-02-20 17:36:13 UTC
Also, the same for guest, except the first time I saw no relevant AVCs:

[root@rhel8-6 ~]# setenforce 0

[root@rhel8-6 ~]# semodule -DB

[root@rhel8-6 ~]# date; ssh -l user1 $(hostname) "id -Z"
Wed Feb 20 11:29:53 CST 2019
Password: 
Last failed login: Wed Feb 20 10:48:40 CST 2019 from 192.168.122.86 on ssh:notty
There were 4 failed login attempts since the last successful login.

[root@rhel8-6 ~]# ausearch -m avc -m user_avc -m selinux_err -ts 11:29:53 | grep guest| audit2allow -M guest_permissive_dontauditdisabled
Nothing to do



Could the above have been a timing issue?



Trying again this time after restarting systemd-logind and using semanage command:

[root@rhel8-6 ~]# semanage dontaudit off

[root@rhel8-6 ~]# systemctl restart systemd-logind

[root@rhel8-6 ~]# date; ssh -l user1 $(hostname) "id -Z"
Wed Feb 20 11:31:17 CST 2019
Password: 
guest_u:guest_r:guest_t:s0

[root@rhel8-6 ~]# ausearch -m avc -m user_avc -m selinux_err -ts 11:31 |grep guest|audit2allow -M guest_permissive_dontauditdisabled
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i guest_permissive_dontauditdisabled.pp

[root@rhel8-6 ~]# semodule -i guest_permissive_dontauditdisabled.pp

[root@rhel8-6 ~]# semanage dontaudit on

[root@rhel8-6 ~]# semodule -B

[root@rhel8-6 ~]# date; ssh -l user1 $(hostname) "id -Z"
Wed Feb 20 11:33:20 CST 2019
Password: 
guest_u:guest_r:guest_t:s0


[root@rhel8-6 ~]# cat guest_permissive_dontauditdisabled.te

module guest_permissive_dontauditdisabled 1.0;

require {
	type cgroup_t;
	type init_t;
	type virtio_device_t;
	type security_t;
	type init_exec_t;
	type mount_var_run_t;
	type systemd_systemctl_exec_t;
	type udev_var_run_t;
	type systemd_unit_file_t;
	type guest_t;
	type fixed_disk_device_t;
	class file { execute execute_no_trans getattr map open read write };
	class unix_stream_socket { ioctl read write };
	class dir { add_name create getattr read remove_name rmdir search write };
	class lnk_file read;
	class process { siginh signal };
	class blk_file getattr;
	class chr_file getattr;
	class security { compute_av compute_create };
	class netlink_selinux_socket { bind create };
}

#============= guest_t ==============
allow guest_t cgroup_t:dir { add_name create remove_name rmdir write };
allow guest_t cgroup_t:file { getattr open read write };
allow guest_t fixed_disk_device_t:blk_file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow guest_t init_exec_t:file map;
allow guest_t init_exec_t:file { execute read };
allow guest_t init_t:dir search;
allow guest_t init_t:file { getattr open read };
allow guest_t init_t:lnk_file read;
allow guest_t init_t:process signal;
allow guest_t init_t:unix_stream_socket { ioctl read write };
allow guest_t mount_var_run_t:dir read;
allow guest_t security_t:dir read;
allow guest_t security_t:file { getattr open read write };
allow guest_t security_t:security { compute_av compute_create };
allow guest_t self:netlink_selinux_socket { bind create };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow guest_t systemd_systemctl_exec_t:file map;
allow guest_t systemd_systemctl_exec_t:file { execute execute_no_trans open read };
allow guest_t systemd_unit_file_t:dir getattr;
allow guest_t udev_var_run_t:dir read;
allow guest_t udev_var_run_t:file { getattr open read };
allow guest_t virtio_device_t:chr_file getattr;

#============= init_t ==============
allow init_t guest_t:process siginh;
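
A reviewer's filter for audit2allow output, added here as an example and not taken from the bug report or from the selinux-policy project: it lists the allow rules in a generated .te module whose target type matches a chosen set, so the grants in modules like the two above that reach the init daemon (init_t) or the SELinux filesystem (security_t) can be read out before anyone runs semodule -i on them. The module text is a constructed excerpt modelled on the guest module in this comment; flag_allow_rules and count_flagged are names chosen for the example.

```sh
#!/bin/sh
# Added example (not part of the bug report): list the allow rules in an
# audit2allow-generated .te module whose target type matches a pattern, e.g.
# init_t or security_t, so the scope of the module is visible before install.

# Constructed excerpt in the layout audit2allow emits, modelled on the
# guest_permissive_dontauditdisabled.te module quoted in this comment.
SAMPLE_TE='module sample 1.0;

require {
	type init_t;
	type security_t;
	type cgroup_t;
	type guest_t;
	class process { siginh signal };
	class file { getattr open read write };
	class security { compute_av compute_create };
}

#============= guest_t ==============
allow guest_t cgroup_t:file { getattr open read write };
allow guest_t init_t:process signal;
allow guest_t security_t:file { getattr open read write };
allow guest_t security_t:security { compute_av compute_create };

#============= init_t ==============
allow init_t guest_t:process siginh;'

# Print every "allow" rule whose target type matches the extended regex in $2.
# $1 = module text (the contents of a .te file), $2 = pattern such as
# 'init_t|security_t'.  Comments, require blocks and other statements are skipped.
flag_allow_rules() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $1 == "allow" {
            # the third field is "target_type:class"; keep only the type part
            split($3, tc, ":")
            if (tc[1] ~ ("^(" pat ")$")) print
        }'
}

# Number of flagged rules, handy as a quick pass/fail value in scripts.
count_flagged() {
    flag_allow_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage against a real module produced by audit2allow -M:
#   flag_allow_rules "$(cat guest_permissive_dontauditdisabled.te)" 'init_t|security_t'
```

Running it over the constructed excerpt with the pattern 'init_t|security_t' prints three rules (the process signal, the security_t file access and the compute_av/compute_create grant); the init_t rule at the end is not listed because there the target is guest_t.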

Comment 3 Lukas Vrabec 2019-02-22 10:45:34 UTC
*** Bug 1679944 has been marked as a duplicate of this bug. ***

Comment 4 Milos Malik 2019-04-26 09:06:31 UTC
I'm not sure if networking for guest_u or xguest_u users is supported.

Comment 5 Milos Malik 2019-04-26 09:11:33 UTC
Please look at Table 3.1. SELinux User Capabilities in the following document:

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-targeted_policy-confined_and_unconfined_users?lb_target=stage

Because logging in via ssh is considered networking, I see it as not supported.

Comment 6 Lukas Vrabec 2019-07-04 11:51:33 UTC
Hi Scott, 

Thanks for your report. I have some follow-up from comment #5. Based on that document, users guest_u and xguest_u cannot connect to other systems via ssh: for guest_u networking is completely blocked, and xguest_u can only use Firefox to browse web pages.

So this ticket contains an unsupported solution and I'm closing this bug as WONTFIX.

Thanks,
Lukas.
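
An added check that follows from comments 5 and 6 (example code, not from the bug report or from Red Hat): since guest_u and xguest_u have no network access, any login mapped to them in the output of semanage login -l will fail over ssh the way the description shows, so an administrator can list those mappings ahead of time instead of discovering them through denied logins. The sample output is constructed to match the semanage login -l layout; flag_no_ssh_logins and count_no_ssh_logins are names chosen here.

```sh
#!/bin/sh
# Added example (not part of the bug report): report SELinux login mappings
# whose SELinux user is guest_u or xguest_u.  Per Table 3.1 of the RHEL SELinux
# guide cited in comment 5, those users have no networking, so ssh logins
# mapped to them are expected to fail.

# Constructed sample in the layout of `semanage login -l` (not captured from a
# real host): header line, blank line, then one mapping per line.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
user1                guest_u              s0                   *
user2                xguest_u             s0                   *
user3                staff_u              s0-s0:c0.c1023       *'

# Print "login selinux_user" for every mapping to guest_u or xguest_u.
# $1 = the text of `semanage login -l`.  The header and blank line never
# match because their second field is "User" or empty.
flag_no_ssh_logins() {
    printf '%s\n' "$1" | awk '$2 ~ /^x?guest_u$/ { print $1, $2 }'
}

# Number of such mappings, usable as a pass/fail value in a host check.
count_no_ssh_logins() {
    flag_no_ssh_logins "$1" | wc -l | tr -d ' '
}

# Usage on a live system (semanage needs root):
#   flag_no_ssh_logins "$(semanage login -l)"
```

On the constructed sample the check prints user1 (guest_u) and user2 (xguest_u) and nothing else; staff_u and unconfined_u mappings are left alone because the document in comment 5 lists them as networking-capable.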

Comment 7 Scott Poore 2019-07-08 15:53:13 UTC
Hi Lukas, Milos,

Sorry, I missed comment #5 when it was originally posted.  Knowing this helps, but it is slightly confusing when we consider the test results we've seen previously.  IPA has had tests using guest_u for ssh for a long time.  I can't recall how long, but I believe it has been used for the whole time in RHEL7.  Also, IIRC, at some point after selinux-policy was patched in RHEL 8.0.0, it started working again.  I'm not quite sure why/when.  I've notified a couple of the IPA QEs about the situation in case the results for the tests change.  Let me know if we need to track down more info for this one.

Thanks,
Scott