Bug 228398

Field | Value
---|---
Summary | LSPP: Not able to ssh into the machine with multiple categories
Product | Red Hat Enterprise Linux 5
Component | mcstrans
Version | 5.0
Hardware | s390x
OS | Linux
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Reporter | Kylene J Hall <kylene>
Assignee | Daniel Walsh <dwalsh>
CC | iboverma, klaus, linda.knippers, sgrubb, tmraz
Keywords | OtherQA
Target Milestone | ---
Target Release | ---
Fixed In Version | RHSA-2007-0542
Doc Type | Bug Fix
Bug Blocks | 224041
Last Closed | 2007-11-07 15:34:37 UTC
Attachments | 148016: unittest for mcstrans
Description
Kylene J Hall
2007-02-12 22:17:34 UTC
I updated my system using the new kickstart/certification RPM, making sure I got the latest of all relevant packages from the repo, and everything works. Something must have happened when I updated libselinux yesterday. Sorry for the confusion.

Created attachment 148016 [details]
unittest for mcstrans

Update mcstrans-0.2.3-1 on people. You need to update to the package and then you can use the test suite. If you find a translation that fails, please add it to the testsuite.
I don't know if this belongs here or not. Let me know what you want me to do. I have found there is a limit to the number of categories that you can ssh in with, i.e. the first example works, the second example with one more category does not. (I have updated to the latest level of mcstrans.)

```
[root/abat_r/SystemLow@KWUSER1 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Could not create directory '/root/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 49:f5:9f:53:f1:aa:76:cf:59:dd:7a:6f:eb:b2:b9:e9.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/root/.ssh/known_hosts).
Password:
Last login: Tue Feb 13 15:17:46 2007 from kwuser1.endicott.ibm.com
[testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER1 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER1 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Could not create directory '/root/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 49:f5:9f:53:f1:aa:76:cf:59:dd:7a:6f:eb:b2:b9:e9.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/root/.ssh/known_hosts).
Password:
Last login: Tue Feb 13 15:18:02 2007 from kwuser1.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER1 framework]#
```

I've seen the error before: Could not create directory '/root/.ssh'. I think it's because /root and its contents don't have the right context. If you do a 'restorecon -v -R /root' you might have better luck. Actually, that doesn't explain the difference in behavior that you see, but I think it explains some of the error messages.

The issue isn't about the /root/.ssh. I am not able to login with many categories. Notice that the example where the category list goes up to 105 succeeds but the list that goes up to 107 fails.

This seems weird. Are you sure your sshd is running with the correct context? Why would a testuser be trying to update /root/.ssh? I have successfully logged in with

```
ssh root/sysadm_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c108,c109,c110,c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c308,c309,c310,c311,c411,c413@xxy
root/sysadm_r/s5:c1,c3,c5,c7,c@xxy's password:
Last login: Tue Feb 13 17:04:36 2007 from dhcp-10-12-33-199.boston.devel.redhat.com
[root@xxy ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107.c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307.c311,c411,c413
```

But it soon breaks after that.

Of course this is an evil test. :^) Sorry to cause the confusion with the /root/.ssh; it was just a label problem. For our tests we ssh in as a user and then /bin/su - to root and run our frameworks from there.

I have retested on another machine just to make sure I am not crazy. This is on an s390x installed today with the latest RC, kickstart and lspp rpm, along with updating all the packages on the dwalsh people page repo and the kernel to lspp.64. Here are the results I get (I can't test as root due to the lspp config):

```
[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c108,c109,c110,c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c308,c309,c310,c311,c411,c413@localhost
Password:
Last login: Tue Feb 13 16:25:39 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Tue Feb 13 16:40:41 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Password:
Last login: Tue Feb 13 16:41:09 2007 from kwuser2.endicott.ibm.com
[testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER3 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Password:
Last login: Tue Feb 13 16:28:02 2007 from sig-9-76-206-16.mts.ibm.com
[ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER3 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Tue Feb 13 16:41:45 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]#
```

You call the test case evil, but the original testcase was trying to specify all the odd categories up to 1023. This was simply paring down to where the failure point is.

The question is whether the test case is realistic. I.e., we can go in and try to figure out what the problem is, or is the size of this enough to get

I have run some tests on mcstrans and libselinux and it seems to handle much larger data than this, so I think this might be an openssh problem. Basically running a test with 1024 categories works with the latest mcstrans.

I tried the ssh on another platform (ppc64) to get another data point. I had the same results as the s390x.

```
[ealuser/staff_r/SystemLow@hvracer3 ~]$ ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 2f:7d:54:30:69:db:d1:5b:8f:68:a4:56:05:73:dd:c0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password:
Last login: Wed Feb 14 13:14:52 2007 from sig-9-65-34-127.mts.ibm.com
[ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@hvracer3 ~]$ exit
logout
Connection to localhost closed.
[ealuser/staff_r/SystemLow@hvracer3 ~]$ ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Wed Feb 14 13:17:02 2007 from localhost.localdomain
Connection to localhost closed.
```

The problem is the filesystem's filename size limit (polyinstantiation attacks again). With the above testcase, check /var/log/secure:

```
Feb 15 09:12:30 zaphod sshd[2160]: pam_namespace(sshd:session): Error creating /home/home.inst/staff_u:object_r:staff_home_dir_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c109,c111_ealuser, File name too long
```

If I use a user which is not polyinst (add it to /etc/security/namespace.conf), I can successfully log in with:

```
[root@zaphod framework]# ssh abat//s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c109,c111,c113,c115,c117,c119,c121,c123,c125,c127,c129,c131,c133,c135,c137,c139,c141,c143,c145,c147,c149,c151,c153,c155,c157,c159,c161,c163,c165,c167,c169,c171,c173,c175,c177,c179,c181,c183,c185,c187,c189,c191,c193,c195,c197,c199,c201,c203,c205,c207,c209,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c309,c311,c313,c315,c317,c319,c321,c323,c325,c327,c329,c331,c333,c335,c337,c339,c341,c343,c345,c347,c349,c351,c353,c355,c357,c359,c361,c363,c365,c367,c369,c371,c373,c375,c377,c379,c381,c383,c385,c387,c389,c391,c393,c395,c397,c399,c401,c403,c405,c407,c409,c411,c413,c415,c417,c419,c421,c423,c425,c427,c429,c431,c433,c435,c437,c439,c441,c443,c445,c447,c449,c451,c453,c455,c457,c459,c461,c463,c465,c467,c469,c471,c473,c475,c477,c479,c481,c483,c485,c487,c489,c491,c493,c495,c497,c499,c501,c503,c505,c507,c509,c511,c513,c515,c517,c519,c521,c523,c525,c527,c529,c531,c533,c535,c537,c539,c541,c543,c545,c547,c549,c551,c553,c555,c557,c559,c561,c563,c565,c567,c569,c571,c573,c575,c577,c579,c581,c583,c585,c587,c589,c591,c593,c595,c597,c599,c601,c603,c605,c607,c609,c611,c613,c615,c617,c619,c621,c623,c625,c627,c629,c631,c633,c635,c637,c639,c641,c643,c645,c647,c649,c651,c653,c655,c657,c659,c661,c663,c665,c667,c669,c671,c673,c675,c677,c679,c681,c683,c685,c687,c689,c691,c693,c695,c697,c699,c701,c703,c705,c707,c709,c711,c713,c715,c717,c719,c721,c723,c725,c727,c729,c731,c733,c735,c737,c739,c741,c743,c745,c747,c749,c751,c753,c755,c757,c759,c761,c763,c765,c767,c769,c771,c773,c775,c777,c779,c781,c783,c785,c787,c789,c791,c793,c795,c797,c799,c801,c803,c805,c807,c809,c811,c813,c815,c817,c819,c821,c823,c825,c827,c829,c831,c833,c835,c837,c839,c841,c843,c845,c847,c849,c851,c853,c855,c857,c859,c861,c863,c865,c867,c869,c871,c873,c875,c877,c879,c881,c883,c885,c887,c889,c891,c893,c895,c897,c899,c901,c903,c905,c907,c909,c911,c913,c915,c917,c919,c921,c923,c925,c927,c929,c931,c933,c935,c937,c939,c941,c943,c945,c947,c949,c951,c953,c955,c957,c959,c961,c963,c965,c967,c969,c971,c973,c975,c977,c979,c981,c983,c985,c987,c989,c991,c993,c995,c997,c999,c1001,c1003,c1005,c1007,c1009,c1011,c1013,c1015,c1017,c1019,c1021,c1023@localhost
Password:
Last login: Thu Feb 15 10:04:22 2007 from localhost.localdomain
[abat@zaphod ~]$ id
uid=502(abat) gid=502(abat) groups=10(wheel),502(abat) context=abat_u:abat_r:abat_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c109,c111,c113,c115,c117,c119,c121,c123,c125,c127,c129,c131,c133,c135,c137,c139,c141,c143,c145,c147,c149,c151,c153,c155,c157,c159,c161,c163,c165,c167,c169,c171,c173,c175,c177,c179,c181,c183,c185,c187,c189,c191,c193,c195,c197,c199,c201,c203,c205,c207,c209,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c309,c311,c313,c315,c317,c319,c321,c323,c325,c327,c329,c331,c333,c335,c337,c339,c341,c343,c345,c347,c349,c351,c353,c355,c357,c359,c361,c363,c365,c367,c369,c371,c373,c375,c377,c379,c381,c383,c385,c387,c389,c391,c393,c395,c397,c399,c401,c403,c405,c407,c409,c411,c413,c415,c417,c419,c421,c423,c425,c427,c429,c431,c433,c435,c437,c439,c441,c443,c445,c447,c449,c451,c453,c455,c457,c459,c461,c463,c465,c467,c469,c471,c473,c475,c477,c479,c481,c483,c485,c487,c489,c491,c493,c495,c497,c499,c501,c503,c505,c507,c509,c511,c513,c515,c517,c519,c521,c523,c525,c527,c529,c531,c533,c535,c537,c539,c541,c543,c545,c547,c549,c551,c553,c555,c557,c559,c561,c563,c565,c567,c569,c571,c573,c575,c577,c579,c581,c583,c585,c587,c589,c591,c593,c595,c597,c599,c601,c603,c605,c607,c609,c611,c613,c615,c617,c619,c621,c623,c625,c627,c629,c631,c633,c635,c637,c639,c641,c643,c645,c647,c649,c651,c653,c655,c657,c659,c661,c663,c665,c667,c669,c671,c673,c675,c677,c679,c681,c683,c685,c687,c689,c691,c693,c695,c697,c699,c701,c703,c705,c707,c709,c711,c713,c715,c717,c719,c721,c723,c725,c727,c729,c731,c733,c735,c737,c739,c741,c743,c745,c747,c749,c751,c753,c755,c757,c759,c761,c763,c765,c767,c769,c771,c773,c775,c777,c779,c781,c783,c785,c787,c789,c791,c793,c795,c797,c799,c801,c803,c805,c807,c809,c811,c813,c815,c817,c819,c821,c823,c825,c827,c829,c831,c833,c835,c837,c839,c841,c843,c845,c847,c849,c851,c853,c855,c857,c859,c861,c863,c865,c867,c869,c871,c873,c875,c877,c879,c881,c883,c885,c887,c889,c891,c893,c895,c897,c899,c901,c903,c905,c907,c909,c911,c913,c915,c917,c919,c921,c923,c925,c927,c929,c931,c933,c935,c937,c939,c941,c943,c945,c947,c949,c951,c953,c955,c957,c959,c961,c963,c965,c967,c969,c971,c973,c975,c977,c979,c981,c983,c985,c987,c989,c991,c993,c995,c997,c999,c1001,c1003,c1005,c1007,c1009,c1011,c1013,c1015,c1017,c1019,c1021,c1023
[abat@zaphod ~]$
```

What needs to happen is that both pam and sshd need to check if the basename of the file/dir is < NAME_MAX from limits.h and that the whole path is < PATH_MAX. It could possibly change to a hashed name if this limit is violated. I think the original namespace patch used hashes but this was dropped for readability. So, maybe we should have readability until we hit the NAME_MAX limit and then switch to cryptic dir names.

The original problem was in mcstrans and should be resolved with the current LSPP packages. I have created bug 230120 for the 'large number of categories problem'.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0542.html
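Editor's added example (not pam_namespace's, sshd's or any commenter's code): the check proposed in the thread, worked through in Python. It builds the readable `<file context>_<user>` instance-directory name that the /var/log/secure line shows pam_namespace creating under /home/home.inst, and falls back to a hashed name once that readable name would exceed NAME_MAX. With the `staff_u:object_r:staff_home_dir_t:s5:` prefix from the log and the user `ealuser`, the readable name for the odd categories up to c105 is 254 bytes and for c107 it is 259 bytes, which is exactly the c105/c107 boundary the ssh tests above hit against NAME_MAX = 255. The SHA-256 fallback, the `_<user>` suffix kept on the hashed name, and the fixed NAME_MAX/PATH_MAX constants are this example's own choices, not something the bug specifies.

```python
"""Polyinstantiated home-directory naming versus NAME_MAX / PATH_MAX.

Added illustration of the fix proposed in bug 228398 (not pam_namespace's
code): keep the readable "<file context>_<user>" instance name while it fits
in NAME_MAX, otherwise switch to a collision-resistant hashed name so that two
different MLS contexts can never end up sharing one instance directory.
"""
import hashlib
import os

# limits.h values on Linux. NAME_MAX bounds a single path component; PATH_MAX
# bounds the whole path including the terminating NUL. os.pathconf() returns
# the live values for a filesystem, but fixed defaults keep this example offline.
NAME_MAX = 255
PATH_MAX = 4096

# Parent of the instance directories, as seen in the bug's /var/log/secure line.
INSTANCE_PARENT = "/home/home.inst"


def mls_categories(last, start=1, step=2):
    """Constructed MLS category list in the form the bug's tests used: c1,c3,...,cN."""
    return ",".join(f"c{i}" for i in range(start, last + 1, step))


def file_context(seuser, home_type, sensitivity, categories):
    """Assemble the SELinux file context of a polyinstantiated home directory."""
    return f"{seuser}:object_r:{home_type}:{sensitivity}:{categories}"


def readable_instance_name(context, user):
    """The readable scheme from the log line: <file context>_<user>."""
    return f"{context}_{user}"


def instance_name(context, user, name_max=NAME_MAX):
    """Return an instance-directory name guaranteed to fit in name_max bytes.

    Readable while it fits. Otherwise the SHA-256 of the readable name, which is
    deterministic (same context and user map to the same directory on every
    login) and collision-resistant (distinct contexts never share a directory).
    """
    name = readable_instance_name(context, user)
    if len(name.encode()) <= name_max:
        return name
    digest = hashlib.sha256(name.encode()).hexdigest()  # 64 hex characters
    hashed = f"{digest}_{user}"                          # keep the user visible
    if len(hashed.encode()) > name_max:                  # pathological user name
        hashed = digest
    return hashed


def instance_path(context, user, parent=INSTANCE_PARENT,
                  name_max=NAME_MAX, path_max=PATH_MAX):
    """Full instance path; refuse anything the kernel would reject with
    ENAMETOOLONG ("File name too long") so the failure is explicit rather
    than a silently dropped login."""
    path = os.path.join(parent, instance_name(context, user, name_max))
    if len(path.encode()) + 1 > path_max:  # +1 for the terminating NUL
        raise ValueError("instance path exceeds PATH_MAX")
    return path


def main():
    for last in (105, 107, 1023):
        ctx = file_context("staff_u", "staff_home_dir_t", "s5", mls_categories(last))
        readable = readable_instance_name(ctx, "ealuser")
        chosen = instance_name(ctx, "ealuser")
        kind = "readable" if chosen == readable else "hashed"
        print(f"odd categories up to c{last}: readable name {len(readable)} bytes "
              f"-> {kind} name of {len(chosen)} bytes")


if __name__ == "__main__":
    main()
```

Running the block prints the three cases from the thread: c105 stays readable at 254 bytes, c107 (259 bytes) and the full c1..c1023 list (several thousand bytes) switch to a 72-byte hashed name. The hash must be a real cryptographic one, not a truncation or a checksum: the instance directory is what keeps one MLS level's home separate from another's, so a collision between two contexts would quietly undo the polyinstantiation.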