Bug 692828
| Summary: | MLS: under staff_u and user_u user ssh-keygen creates .ssh and underlying files with bad context | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Miroslav Vadkerti <mvadkert> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.1 | CC: | dwalsh, ebenes, mgrepl, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-84.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-19 12:27:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 584498, 682670, 846801, 846802 | ||
|
Description
Miroslav Vadkerti
2011-04-01 10:25:41 UTC
Adding ~/.ssh/* to /etc/selinux/restorecond_user.conf fixes this issue. This should be added to the defaults I think. I don't know why but after few login attempts the context of ~/.ssh/* now doesn't change to ssh_home_t. Looks like I the comment #1 is bogus. So please ignore it. restorecond would discover this mislabel and fix the directory without adding .ssh/* to the conf. I think we should add ssh_run_keygen(sysadm_r, sysadm_r) to get the label correct in the first place. I think this fix can wait for 6.2, or get it in 6.1 if we have time. Mirek,
could you try to test it with the following local policy
# cat mykeygen.te
policy_module(mykeygen, 1.0)
require{
type staff_t;
role staff_r;
}
ssh_run_keygen(staff_t, staff_r)
and
# make -f /usr/share/selinux/devel/include/Makefile
# semodule -i mykeygen.pp
I tried the above module, but now ssh-keygen cannot create .ssh directory and underlying files. I see these denials in audit.log (after enabling noaudit rules):
type=AVC msg=audit(1301886542.606:2181): avc: denied { rlimitinh } for pid=28126 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1301886542.606:2181): avc: denied { siginh } for pid=28126 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1301886542.606:2181): avc: denied { noatsecure } for pid=28126 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1301886546.933:2182): avc: denied { search } for pid=28126 comm="ssh-keygen" name="/" dev=dm-3 ino=2 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir
type=AVC msg=audit(1301886546.933:2183): avc: denied { search } for pid=28126 comm="ssh-keygen" name="/" dev=dm-3 ino=2 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir
And also the above module doesn't count user_u user in, where the behavior remains the same.
Please note that this seems similar to bug 692457 reported for root/sysadm_r
We already have ssh_run_keygen(sysadm_r, sysadm_r) in policy. And we have userdom_search_admin_dir(ssh_keygen_t) So try to test it with files_search_home(ssh_keygen_t) in the local policy. For the staff_u user the problems are solved using this custom module:
# cat mykeygen.te
policy_module(mykeygen, 1.3)
require{
type staff_t;
type ssh_home_t;
type ssh_keygen_t;
role staff_r;
}
ssh_run_keygen(staff_t, staff_r)
userdom_search_user_home_dirs(ssh_keygen_t)
userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
now back to the problem to the user_u user. Should be enough to s/staff/user in the above module?
Ok, user_u works also when added another ssh_run_keygen macro for user_u. The final custom module that solves all the issues is:
-----
# cat mykeygen.te
policy_module(mykeygen, 1.4)
require{
type staff_t;
type user_t;
type ssh_home_t;
type ssh_keygen_t;
role staff_r;
role user_r;
}
ssh_run_keygen(user_t, user_r)
ssh_run_keygen(staff_t, staff_r)
userdom_search_user_home_dirs(ssh_keygen_t)
userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
-----
Thanks for the help Mirek!
Miroslav lets add ssh_run_keygen($3,$2) to ssh_role_template Fixed in selinux-policy-3.7.19-81.el6 Under staff_u ssh-keygen does not work at all. $ rpm -qa selinux-policy\* selinux-policy-targeted-3.7.19-81.el6.noarch selinux-policy-doc-3.7.19-81.el6.noarch selinux-policy-minimum-3.7.19-81.el6.noarch selinux-policy-mls-3.7.19-81.el6.noarch selinux-policy-3.7.19-81.el6.noarch $ sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: mls $ id uid=503(sshstaff) gid=504(sshstaff) groups=504(sshstaff) context=staff_u:staff_r:staff_t:s0 $ ssh-keygen $ echo $? 1 $ I had to disable dontaudit rules first to see what's going on:
# ausearch -m avc -m user_avc -ts today -i | grep staff_u
type=SYSCALL msg=audit(04/06/2011 04:30:58.407:11816) : arch=i386 syscall=execve success=yes exit=0 a0=8f17640 a1=bf88eaac a2=8f24768 a3=bf88eaac items=0 ppid=2798 pid=2808 auid=sshstaff uid=sshstaff gid=sshstaff euid=sshstaff suid=sshstaff fsuid=sshstaff egid=sshstaff sgid=sshstaff fsgid=sshstaff tty=ttyS0 ses=12 comm=bash exe=/bin/bash subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(04/06/2011 04:30:58.407:11816) : avc: denied { noatsecure } for pid=2808 comm=bash scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(04/06/2011 04:30:58.407:11816) : avc: denied { siginh } for pid=2808 comm=bash scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=SYSCALL msg=audit(04/06/2011 04:31:16.117:11817) : arch=i386 syscall=execve success=yes exit=0 a0=9bbd0e8 a1=9bc0498 a2=9bc45a0 a3=9bc0498 items=0 ppid=2808 pid=2834 auid=sshstaff uid=sshstaff gid=sshstaff euid=sshstaff suid=sshstaff fsuid=sshstaff egid=sshstaff sgid=sshstaff fsgid=sshstaff tty=(none) ses=12 comm=ssh-keygen exe=/usr/bin/ssh-keygen subj=staff_u:staff_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(04/06/2011 04:31:16.117:11817) : avc: denied { noatsecure } for pid=2834 comm=ssh-keygen scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(04/06/2011 04:31:16.117:11817) : avc: denied { siginh } for pid=2834 comm=ssh-keygen scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(04/06/2011 04:31:16.117:11817) : avc: denied { rlimitinh } for pid=2834 comm=ssh-keygen scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(04/06/2011 04:31:16.117:11817) : avc: denied { read write } for pid=2834 comm=ssh-keygen path=/dev/ttyS0 dev=devtmpfs ino=5225 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(04/06/2011 04:31:16.117:11817) : avc: denied { read write } for pid=2834 comm=ssh-keygen path=/dev/ttyS0 dev=devtmpfs ino=5225 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(04/06/2011 04:31:16.117:11817) : avc: denied { read write } for pid=2834 comm=ssh-keygen path=/dev/ttyS0 dev=devtmpfs ino=5225 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(04/06/2011 04:31:16.117:11817) : avc: denied { read write } for pid=2834 comm=ssh-keygen name=ttyS0 dev=devtmpfs ino=5225 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:user_tty_device_t:s0 tclass=chr_file
#
Well, this is a new issue which I am fixing. Fixed in selinux-policy-3.7.19-82.el6 Miroslav did you put this transition into the ssh_role_template? Yes, I did.
optional_policy(`
ssh_run_keygen($3,$2)
')
This is a strange. It works for staff_t but not for user_t. I will look at it tomorrow.
Ok, I have found a bug in unprivuser.te
ifndef(`distro_redhat',`
optional_policy(`
spamassassin_role(user_r, user_t)
')
optional_policy(`
ssh_role_template(user, user_r, user_t)
')
...
...
')
Yes we should uncomment that one. Maybe grab the version from F15. Fixed in selinux-policy-3.7.19-84.el6 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html |