Bug 224637

Summary: LSPP: Problem SSH-ing into LSPP system with multiple categories
Product: Red Hat Enterprise Linux 5 Reporter: Kylene J Hall <kylene>
Component: libselinuxAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0CC: dwalsh, iboverma, klaus, kweidner, linda.knippers, sgrubb, srevivo, tmraz
Target Milestone: ---Keywords: OtherQA
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2007-0541 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-07 16:37:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 224041    

Description Kylene J Hall 2007-01-26 20:16:30 UTC 
Description of problem:
I have been unable to ssh into an LSPP system with multiple categories.

For example the following work:
ssh testuser/user_r/s2@localhost
ssh testuser/user_r/s2:c0@localhost
ssh testuser/user_r/s2:c1@localhost

But these do not:
ssh testuser/user_r/s2:c0.c1@localhost
ssh testuser/user_r/s2:c0,c1@localhost

Tested on multiple architectures as well.

Version-Release number of selected component (if applicable):
Policy version: selinux-policy-mls-2.4.6-28.el5
Kernel version: kernel-2.6.18-1.3015.2.1.el5.lspp.63
Comment 1 Irina Boverman 2007-01-26 20:24:45 UTC 
This is needed for LSPP certification.
Comment 2 Pete Graner 2007-01-29 18:48:43 UTC 
Reassigning to sgrubb. Steve reassign as necessary.
Comment 3 Daniel Walsh 2007-02-05 20:36:41 UTC 
Fixed in mcstrans-0.2.1-1.el5.i386.rpm
Comment 4 Daniel Walsh 2007-02-05 21:25:28 UTC 
*** Bug 225355 has been marked as a duplicate of this bug. ***
Comment 5 Klaus Kiwi (Old account no longer used) 2007-02-06 02:18:57 UTC 
confirmed fix against mcstrans-0.2.1-1.el5
Comment 6 Kylene J Hall 2007-02-07 22:01:21 UTC 
We have tested with mcstrans and the mechanism does not seem totally fixed.  We
are able to ssh in with a range of categories such as this:
[root@rheal3c filters]# ssh testuser/user_r/s0:c1.c3@localhost
Password:
Last login: Wed Feb  7 15:54:36 2007 from rheal3c.endicott.ibm.com
-bash-3.1$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t:s0:c1.c3

However, a list of categories results in only the first category being given,
like this:
[root@rheal3c filters]# ssh testuser/user_r/s0:c1,c3@localhost
Password:
Last login: Wed Feb  7 13:20:02 2007 from rheal3c.endicott.ibm.com
-bash-3.1$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t:s0:c1
Comment 7 Tomas Mraz 2007-02-08 21:30:58 UTC 
What do you see in /var/log/secure for the second case?
Comment 8 Kylene J Hall 2007-02-09 00:09:46 UTC 
From /var/log/messages when I attemp ssh testuser/user_r/s0:c1,c3@localhost

Feb  8 18:05:54 rheal3c sshd[30475]: Accepted keyboard-interactive/pam for
testuser from 127.0.0.1 port 34398 ssh2
Feb  8 18:05:54 rheal3c sshd[30475]: permit MLS level s0:c1,c3 (user range
s0-s15:c0.c1023)

From /var/log/secure when I attempt ssh testuser/user_r/s0:c1,c3@localhost

Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Checking for
ns override in dir /tmp for uid 501
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmounting
instance dir for user 501 & dir /tmp
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmount of
/tmp succeeded
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Checking for
ns override in dir /var/tmp for uid 501
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmounting
instance dir for user 501 & dir /var/tmp
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmount of
/var/tmp succeeded
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Checking for
ns override in dir /home/testuser for uid 501
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmounting
instance dir for user 501 & dir /home/testuser
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): Unmount of
/home/testuser succeeded
Feb  8 18:05:56 rheal3c sshd[30475]: pam_namespace(sshd:session): resetting
namespace ok for pid 30475
Comment 9 Tomas Mraz 2007-02-09 14:20:50 UTC 
Isn't there really anything else for this case in the /var/log/{messages,secure} ?

Because the messages in /var/log/messages just say that the requested MLS level
was checked OK and the messages in /var/log/secure say that pam_namespace is
unmounting the polyinstantiated directories (perhaps after some failure?).

What's the contents of /etc/pam.d/sshd?
Comment 10 Tomas Mraz 2007-02-09 16:23:19 UTC 
So it seems like a bug in get_default_context_with_level().
Comment 11 Kylene J Hall 2007-02-10 00:27:06 UTC 
I don't understand why this bug was moved to modified.  Is there a fix in a
package that is available somewhere?  The remaining issues maybe SystemZ
specific.  I have not been able to confirm.
Comment 12 Daniel Walsh 2007-02-12 14:59:14 UTC 
Fixed in libselinux-1.33.4-3
Comment 13 Kylene J Hall 2007-02-12 17:28:48 UTC 
Still not working for me on zSeries:

[root@rheal3a framework]# ssh testuser/user_r/s0:c1,c3@localhost
Password:
Last login: Mon Feb 12 11:22:58 2007 from rheal3a.endicott.ibm.com
-bash-3.1$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t:s0:c1
-bash-3.1$ rpm -qa | grep libselinux
libselinux-devel-1.33.4-3.el5
libselinux-1.33.4-3.el5
libselinux-devel-1.33.4-3.el5
libselinux-1.33.4-3.el5
libselinux-python-1.33.4-3.el5
Comment 14 Daniel Walsh 2007-02-12 18:37:04 UTC 
ps -eZ | grep ssh
Comment 15 Kylene J Hall 2007-02-12 18:56:25 UTC 
[root@rheal3c ltp-merged]# ps -eZ | grep ssh
system_u:system_r:sshd_t:s0-s15:c0.c1023 1140 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s15:c0.c1023 1221 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s15:c0.c1023 1226 ? 00:00:00 sshd
Comment 16 Kylene J Hall 2007-02-12 19:53:41 UTC 
Another interesting peculiarity:

If the categories in a range are right next to each other i.e. c0.c1 id shows
only the lower number but if the range spans at least one number as in c1.c3
then it works as expected.  See example below.

[root@rheal3c framework]# ssh testuser/user_r/s0:c1.c3@localhost
Password:
Last login: Mon Feb 12 13:50:21 2007 from rheal3c.endicott.ibm.com
-bash-3.1$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t:s0:c1.c3
-bash-3.1$ exit
logout
Connection to localhost closed.
[root@rheal3c framework]# ssh testuser/user_r/s0:c1.c2@localhost
Password:
Last login: Mon Feb 12 13:50:54 2007 from rheal3c.endicott.ibm.com
-bash-3.1$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t:s0:c1
Comment 17 Kylene J Hall 2007-02-12 20:40:57 UTC 
Ok another interesting tidbit:  on ppc64 the '.' is changed to a ',' when the
categories are right next to each other.  This is not wrong just different than
we expected and I thought it might be helpful in deciphering what is going on
with s390x.

[root@zaphod framework]# ssh testuser/user_r/s3:c4.c5-s5:c4.c5@localhost
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t:s3:c4,c5-s5:c4,c5
Comment 18 Klaus Kiwi (Old account no longer used) 2007-02-13 12:47:22 UTC 
(In reply to comment #17)
> Ok another interesting tidbit:  on ppc64 the '.' is changed to a ',' when the
> categories are right next to each other.  This is not wrong just different than
> we expected and I thought it might be helpful in deciphering what is going on
> with s390x.
> 
> [root@zaphod framework]# ssh testuser/user_r/s3:c4.c5-s5:c4.c5@localhost
> uid=501(testuser) gid=501(testuser) groups=501(testuser)
> context=testuser_u:user_r:user_t:s3:c4,c5-s5:c4,c5
> 
> 

Kylie, 
 this is not exclusive to s390x, and neither to ssh/login. Check below:

[root@linux11 ~]# mount -vo
loop,context=\"root:object_r:tmp_t:s3:c4.c5-s5:c4.c5\" filesystem.img mountp/
mount: translated context 'root:object_r:tmp_t:s3:c4.c5-s5:c4.c5' to
'root:object_r:tmp_t:s3:c4.c5-s5:c4.c5'
mount: going to use the loop device /dev/loop0
mount: you didn't specify a filesystem type for /dev/loop0
       I will try type vfat
/root/filesystem.img on /root/mountp type vfat
(rw,loop=/dev/loop0,context="root:object_r:tmp_t:s3:c4.c5-s5:c4.c5")
[root@linux11 ~]# ls --scontext -d mountp/
root:object_r:tmp_t:s3:c4,c5-s5:c4,c5 mountp/
[root@linux11 ~]#  

System Info:
[root@linux11 ~]# uname -a
Linux linux11.internal 2.6.18-6.el5.lspp.64 #1 SMP Wed Jan 24 18:14:36 EST 2007
s390x s390x s390x GNU/Linux
[root@linux11 ~]# rpm -qa | egrep 'policy-mls|libselinux|mcstrans'
mcstrans-0.2.2-1.el5
libselinux-devel-1.33.4-4.el5
libselinux-1.33.4-4.el5
libselinux-1.33.4-4.el5
selinux-policy-mls-2.4.6-37.el5
libselinux-python-1.33.4-4.el5
[root@linux11 ~]#
Comment 19 Kylene J Hall 2007-02-13 16:25:34 UTC 
Klaus- This bug is not about things being translated differently than one might
expect (i.e. small ranges being expanded to their comma format) but rather the
range not working at all.  Like you said that part is working for you on another
s390x system so I will install today with the latest kickstart and updated
policy (as I think that is the only package version we differed on) and post new
status here.
Comment 20 Irina Boverman 2007-02-14 20:58:31 UTC 
per 2/12 discussion, this bug should stay "modified", and Kylene should open new
bugs to track other issues.
Comment 26 errata-xmlrpc 2007-11-07 16:37:27 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0541.html