Bug 692457

Summary: MLS: under root ssh cannot create .ssh and underlying files
Product: Red Hat Enterprise Linux 6 Reporter: Miroslav Vadkerti <mvadkert>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Miroslav Vadkerti <mvadkert>
Severity: high Docs Contact:
Priority: high    
Version: 6.1CC: dwalsh, ebenes, mgrepl
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-81.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 12:27:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 584498, 682670, 846801, 846802    

Description Miroslav Vadkerti 2011-03-31 12:03:55 UTC 
Description of problem:
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
# rm -rf ~/.ssh
# ssh eal@localhost
Could not create directory '/root/.ssh'.
== snip ==

When enabling no audit rules I see:
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { rlimitinh } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { siginh } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { noatsecure } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.327:253336): avc:  denied  { search } for  pid=12601 comm="ssh" name="root" dev=dm-0 ino=15 scontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-79.el6.noarch

How reproducible:
100%

Steps to Reproduce:
see description
  
Actual results:
Cannot create .ssh and access underlying files

Expected results:
Can create .ssh and access underlying files
Comment 1 Daniel Walsh 2011-03-31 12:21:31 UTC 
Does ssh actually attempt to create the /root/.ssh directory, Or is this a bogus error message.

Miroslav lets add

userdom_search_admin_dir(ssh_t)
Comment 2 Miroslav Vadkerti 2011-03-31 12:26:57 UTC 
No it is not a bogus message. When .ssh directory does not exist it tries to create it as it will be creating known_hosts later on.

I will try
Comment 3 Daniel Walsh 2011-03-31 12:45:09 UTC 
Miroslav then we need

userdom_search_admin_dir(sshd_t)
userdom_admin_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
Comment 4 Miroslav Vadkerti 2011-03-31 14:53:31 UTC 
Seems to be workign fine with this custom module:

# cat mypol.te 
policy_module(mypol,1.0);

require {
    type sshd_t;
    type ssh_t;
    type ssh_home_t;
}

userdom_search_admin_dir(sshd_t)
userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
Comment 5 Miroslav Grepl 2011-04-05 19:11:31 UTC 
Fixed in selinux-policy-3.7.19-81.el6
Comment 7 Miroslav Vadkerti 2011-04-07 11:31:04 UTC 
This issue is fixed in selinux-policy-mls-3.7.19-81.el6. I could not reproduce the problem anymore on our test machine
Comment 9 errata-xmlrpc 2011-05-19 12:27:18 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html