Bug 170557

Summary: selinux policy blocks rexec access
Product: [Fedora] Fedora
Reporter: Gilles Detillieux <grdetil>
Component: selinux-policy-targeted
Assignee: Russell Coker <rcoker>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
Hardware: i686
OS: Linux
Fixed In Version: 1.27.1-2.7
Doc Type: Bug Fix
Last Closed: 2006-03-22 03:22:37 UTC

Description Gilles Detillieux 2005-10-12 21:25:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050810 Red Hat/1.7.10-0.90.1.legacy

Description of problem:
The default SELinux policy for FC4 (updated via yum) doesn't allow rexec access.  After enabling rexec in /etc/xinetd.d and opening up port 512/tcp in iptables, rexec access to the system still fails because of a broken or missing SELinux policy for /usr/sbin/in.rexecd.  By default, in.rexecd is assigned the context system_u:object_r:inetd_child_exec_t, which doesn't allow the process to do a whole lot.  Setting this to system_u:object_r:rshd_exec_t, which is the context for in.rshd, makes rexec access work.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3

How reproducible:
Always

Steps to Reproduce:
1. yum install rsh-server; chkconfig rexec enable
2. Add entries for TCP port 512 to /etc/sysconfig/iptables and /etc/sysconfig/system-config-securitylevel, then "service iptables restart".
3. Try "rexec -a rhost '/usr/X11R6/bin/xterm -display myhost:0'", where rhost is the FC4 system on which you enabled rexec access.
Actual Results:  The rexec client reports:

rhost: No such file or directory
rexec: Error in rexec system call,
rexec: (The following system error may itself be in error)
rexec: Illegal seek

The /var/log/messages file on rhost reports:

Oct 12 14:20:55 rhost in.rexecd[5411]: connect from myhost
Oct 12 14:20:55 rhost rexec(pam_unix)[5411]: authentication failure; logname= uid=0 euid=0 tty=rexec ruser= rhost=  user=grdetil
Oct 12 14:20:58 rhost in.rexecd[5411]: PAM audit_open() failed: Permission denied
Oct 12 14:20:58 rhost in.rexecd[5411]: PAM audit_open() failed: Permission denied

Expected Results:  Client should open xterm window with shell running on rhost.  rhost should log:

Oct 12 15:40:32 rhost in.rexecd[6219]: connect from myhost
Oct 12 15:40:32 rhost rexec(pam_unix)[6219]: session opened for user grdetil by (uid=0)
Oct 12 15:40:32 rhost rexec(pam_unix)[6219]: session closed for user grdetil
Oct 12 15:40:32 rhost in.rexecd[6219]: login from myhost as grdetil

Additional info:

A quick but temporary fix is:

chcon system_u:object_r:rshd_exec_t /usr/sbin/in.rexecd

I say temporary because I realize that the next run of fixfiles, setfiles, restorecon, or whatever is likely to reset in.rexecd back to system_u:object_r:inetd_child_exec_t.  If it makes sense to have rexecd run under rshd's policy, then in.rexecd should probably be added to /etc/selinux/targeted/src/policy/file_contexts/program/rshd.fc (and ultimately make its way into /etc/selinux/targeted/contexts/files/file_contexts) to make the change permanent.  If rexecd ought to have its own independent policy, then these should be defined appropriately in /etc/selinux/targeted/src/policy/file_contexts/program/ and /etc/selinux/targeted/src/policy/domains/program/ in the next policy update.

Comment 1 Daniel Walsh 2005-10-13 12:40:11 UTC
I added rshd_exec_t for rexecd in rshd.fc, which will be in the next policy we
update.

For now you can add a line to
/etc/selinux/targeted/contexts/files/file_contexts.local to preserve it over a
restorecon.
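
The persistent workaround from Comment 1 and the temporary chcon fix from the description, as an added shell example (not from the bug or from the selinux-policy package): it records the rshd_exec_t entry for in.rexecd in file_contexts.local so restorecon keeps the label, and checks the resulting label. The helper names and the sample ls -Z line in the comments are this example's own assumptions; the paths and contexts are the ones named in the bug.

```shell
#!/bin/sh
# Added example: keep /usr/sbin/in.rexecd labelled rshd_exec_t across restorecon
# by recording the label in file_contexts.local (Comment 1's workaround).

REXECD=/usr/sbin/in.rexecd
WANT_TYPE=rshd_exec_t
LOCAL_FC=/etc/selinux/targeted/contexts/files/file_contexts.local

# Build the file_contexts.local entry: a regex path ("." escaped so it matches
# literally), "--" for a regular file, then the context from the bug report.
fc_local_entry() {
    printf '%s -- system_u:object_r:%s\n' \
        "$(printf '%s' "$REXECD" | sed 's/\./\\./g')" "$WANT_TYPE"
}

# Pull the SELinux type out of one "ls -Z" line. Assumed format (constructed):
#   -rwxr-xr-x root root system_u:object_r:inetd_child_exec_t /usr/sbin/in.rexecd
type_of_ls_z_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:object_r:/) { split($i, a, ":"); print a[3]; exit }
    }'
}

# Exit status 0 when the line shows the label that makes rexec work.
rexecd_labelled_ok() {
    [ "$(type_of_ls_z_line "$1")" = "$WANT_TYPE" ]
}

# Real run (root on the FC4 host): append the entry once, relabel, verify.
apply_fix() {
    grep -qF "$(fc_local_entry)" "$LOCAL_FC" 2>/dev/null || fc_local_entry >> "$LOCAL_FC"
    restorecon -v "$REXECD"        # now uses file_contexts + file_contexts.local
    if rexecd_labelled_ok "$(ls -Z "$REXECD")"; then
        echo "$REXECD is labelled $WANT_TYPE"
    else
        echo "$REXECD is still not $WANT_TYPE" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked: ./fix-rexecd.sh apply
[ "${1:-}" = apply ] && apply_fix
```

Run it with the argument apply on the affected host; without arguments it only defines the helpers.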

Comment 2 Daniel Walsh 2005-10-17 18:14:37 UTC
Fixed in selinux-policy-*-1.27.1-2.6
Comment 3 Gilles Detillieux 2005-10-18 18:06:38 UTC
I beg to differ.  I'm running selinux-policy-targeted-1.27.1-2.6 as of this
morning, and there's still no reference to rexec in any file in /etc/selinux
other than the one I added to file_contexts.local on your recommendation.  Of
the 3 FC4 systems I looked at, only the 2 where I manually changed in.rexecd's
context have it set correctly.  Did the change fail to make it into all the
update RPMs for all FC releases?

Comment 4 Daniel Walsh 2005-10-18 18:13:18 UTC
Oops, that should be in 2.7 then.  Available in test tonight or via
ftp://people.redhat.com/dwalsh/SELinux/FC4
Comment 5 Gilles Detillieux 2005-10-18 18:42:15 UTC
That did the job quite nicely.  Thanks!