Bug 224637
Summary: | LSPP: Problem SSH-ing into LSPP system with multiple categories | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Kylene J Hall <kylene> |
Component: | libselinux | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | Jay Turner <jturner> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.0 | CC: | dwalsh, iboverma, klaus, kweidner, linda.knippers, sgrubb, srevivo, tmraz |
Target Milestone: | --- | Keywords: | OtherQA |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | RHBA-2007-0541 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-11-07 16:37:27 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 224041 |
Description
Kylene J Hall
2007-01-26 20:16:30 UTC
This is needed for LSPP certification. Reassigning to sgrubb. Steve reassign as necessary. Fixed in mcstrans-0.2.1-1.el5.i386.rpm *** Bug 225355 has been marked as a duplicate of this bug. *** confirmed fix against mcstrans-0.2.1-1.el5 We have tested with mcstrans and the mechanism does not seem totally fixed. We are able to ssh in with a range of categories such as this: [root@rheal3c filters]# ssh testuser/user_r/s0:c1.c3@localhost Password: Last login: Wed Feb 7 15:54:36 2007 from rheal3c.endicott.ibm.com -bash-3.1$ id uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s0:c1.c3 However, a list of categories results in only the first category being given, like this: [root@rheal3c filters]# ssh testuser/user_r/s0:c1,c3@localhost Password: Last login: Wed Feb 7 13:20:02 2007 from rheal3c.endicott.ibm.com -bash-3.1$ id uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s0:c1 What do you see in /var/log/secure for the second case? From /var/log/messages when I attemp ssh testuser/user_r/s0:c1,c3@localhost Feb 8 18:05:54 rheal3c sshd[30475]: Accepted keyboard-interactive/pam for testuser from 127.0.0.1 port 34398 ssh2 Feb 8 18:05:54 rheal3c sshd[30475]: permit MLS level s0:c1,c3 (user range s0-s15:c0.c1023) From /var/log/secure when I attempt ssh testuser/user_r/s0:c1,c3@localhost Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Checking for ns override in dir /tmp for uid 501 Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmounting instance dir for user 501 & dir /tmp Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmount of /tmp succeeded Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Checking for ns override in dir /var/tmp for uid 501 Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmounting instance dir for user 501 & dir /var/tmp Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmount of /var/tmp succeeded Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Checking for ns override in dir /home/testuser for uid 501 Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmounting instance dir for user 501 & dir /home/testuser Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmount of /home/testuser succeeded Feb 8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): resetting namespace ok for pid 30475 Isn't there really anything else for this case in the /var/log/{messages,secure} ? Because the messages in /var/log/messages just say that the requested MLS level was checked OK and the messages in /var/log/secure say that pam_namespace is unmounting the polyinstantiated directories (perhaps after some failure?). What's the contents of /etc/pam.d/sshd? So it seems like a bug in get_default_context_with_level(). I don't understand why this bug was moved to modified. Is there a fix in a package that is available somewhere? The remaining issues maybe SystemZ specific. I have not been able to confirm. Fixed in libselinux-1.33.4-3 Still not working for me on zSeries: [root@rheal3a framework]# ssh testuser/user_r/s0:c1,c3@localhost Password: Last login: Mon Feb 12 11:22:58 2007 from rheal3a.endicott.ibm.com -bash-3.1$ id uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s0:c1 -bash-3.1$ rpm -qa | grep libselinux libselinux-devel-1.33.4-3.el5 libselinux-1.33.4-3.el5 libselinux-devel-1.33.4-3.el5 libselinux-1.33.4-3.el5 libselinux-python-1.33.4-3.el5 ps -eZ | grep ssh [root@rheal3c ltp-merged]# ps -eZ | grep ssh system_u:system_r:sshd_t:s0-s15:c0.c1023 1140 ? 00:00:00 sshd system_u:system_r:sshd_t:s0-s15:c0.c1023 1221 ? 00:00:00 sshd system_u:system_r:sshd_t:s0-s15:c0.c1023 1226 ? 00:00:00 sshd Another interesting peculiarity: If the categories in a range are right next to each other i.e. c0.c1 id shows only the lower number but if the range spans at least one number as in c1.c3 then it works as expected. See example below. [root@rheal3c framework]# ssh testuser/user_r/s0:c1.c3@localhost Password: Last login: Mon Feb 12 13:50:21 2007 from rheal3c.endicott.ibm.com -bash-3.1$ id uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s0:c1.c3 -bash-3.1$ exit logout Connection to localhost closed. [root@rheal3c framework]# ssh testuser/user_r/s0:c1.c2@localhost Password: Last login: Mon Feb 12 13:50:54 2007 from rheal3c.endicott.ibm.com -bash-3.1$ id uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s0:c1 Ok another interesting tidbit: on ppc64 the '.' is changed to a ',' when the categories are right next to each other. This is not wrong just different than we expected and I thought it might be helpful in deciphering what is going on with s390x. [root@zaphod framework]# ssh testuser/user_r/s3:c4.c5-s5:c4.c5@localhost uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s3:c4,c5-s5:c4,c5 (In reply to comment #17) > Ok another interesting tidbit: on ppc64 the '.' is changed to a ',' when the > categories are right next to each other. This is not wrong just different than > we expected and I thought it might be helpful in deciphering what is going on > with s390x. > > [root@zaphod framework]# ssh testuser/user_r/s3:c4.c5-s5:c4.c5@localhost > uid=501(testuser) gid=501(testuser) groups=501(testuser) > context=testuser_u:user_r:user_t:s3:c4,c5-s5:c4,c5 > > Kylie, this is not exclusive to s390x, and neither to ssh/login. Check below: [root@linux11 ~]# mount -vo loop,context=\"root:object_r:tmp_t:s3:c4.c5-s5:c4.c5\" filesystem.img mountp/ mount: translated context 'root:object_r:tmp_t:s3:c4.c5-s5:c4.c5' to 'root:object_r:tmp_t:s3:c4.c5-s5:c4.c5' mount: going to use the loop device /dev/loop0 mount: you didn't specify a filesystem type for /dev/loop0 I will try type vfat /root/filesystem.img on /root/mountp type vfat (rw,loop=/dev/loop0,context="root:object_r:tmp_t:s3:c4.c5-s5:c4.c5") [root@linux11 ~]# ls --scontext -d mountp/ root:object_r:tmp_t:s3:c4,c5-s5:c4,c5 mountp/ [root@linux11 ~]# System Info: [root@linux11 ~]# uname -a Linux linux11.internal 2.6.18-6.el5.lspp.64 #1 SMP Wed Jan 24 18:14:36 EST 2007 s390x s390x s390x GNU/Linux [root@linux11 ~]# rpm -qa | egrep 'policy-mls|libselinux|mcstrans' mcstrans-0.2.2-1.el5 libselinux-devel-1.33.4-4.el5 libselinux-1.33.4-4.el5 libselinux-1.33.4-4.el5 selinux-policy-mls-2.4.6-37.el5 libselinux-python-1.33.4-4.el5 [root@linux11 ~]# Klaus- This bug is not about things being translated differently than one might expect (i.e. small ranges being expanded to their comma format) but rather the range not working at all. Like you said that part is working for you on another s390x system so I will install today with the latest kickstart and updated policy (as I think that is the only package version we differed on) and post new status here. per 2/12 discussion, this bug should stay "modified", and Kylene should open new bugs to track other issues. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0541.html |