Bug 616838
| Summary: | SELinux is preventing /usr/bin/ssh access to a leaked /dev/ptmx file descriptor. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Matěj Cepl <mcepl> | ||||
| Component: | gvfs | Assignee: | Tomáš Bžatek <tbzatek> | ||||
| Status: | CLOSED ERRATA | QA Contact: | desktop-bugs <desktop-bugs> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 6.1 | CC: | dwalsh, mgrepl, mishu, tbzatek, tpelka, tsmetana, vbenes | ||||
| Target Milestone: | rc | Keywords: | RHELNAK, SELinux | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | gvfs-1.4.3-10.el6 | Doc Type: | Bug Fix | ||||
| Doc Text: |
Cause: A filedescriptor which was unused was not closed after fork
Consequence: A SELinux alert has been generated
Fix: Leaked filedescriptor is now closed after fork
Result: No SELinux alert is generated
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-05-19 13:02:54 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Matěj Cepl
2010-07-21 14:09:26 UTC
This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release. ** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. ** There is no occurence of string "ptmx" in the ssh binary. There is only one occurence of string "ptmx" in the dynamic libraries loaded by ssh.... in libc.so.6 rerouting to glibc This is not a problem with ssh but with the tool that launched ssh. Matej what app were you running that launched ssh? Or it could be the Konsole? Or terminal you were running this in? Created attachment 447934 [details]
patch to close /dev/ptmx after fork
Oh yes, that could be gvfsd-sftp, we do open /dev/ptmx indeed and don't close it for child process after fork. Can you please test the attached patch?
Patch has been pushed to gvfs git master: http://git.gnome.org/browse/gvfs/commit/?id=070b4c4968591b612f3db1aafd9bba07a4ee0004 Forgot to tell that in order to reproduce this issue, user must be in a staff_u context. See http://danwalsh.livejournal.com/18312.html (In reply to comment #0) > Kontext zdroje staff_u:staff_r:ssh_t:s0-s0:c0.c1023 Sorry no, but are you testing with the fix applied? Yes and no AVCs in both cases. I would mark this as closed, since we found a potential cause. If it happens again we can reopen it.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: A filedescriptor which was unused was not closed after fork
Consequence: A SELinux alert has been generated
Fix: Leaked filedescriptor is now closed after fork
Result: No SELinux alert is generated
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0536.html |