Bug 708986
| Summary: | enforcing MLS: root (sysadm_r or secadm_r) cannot run ssh-keygen | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.7 | CC: | dwalsh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-2.4.6-311.el5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-07-21 09:19:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 693723 | | |
|
Description
Milos Malik
2011-05-30 10:31:04 UTC
I had to disable dontaudit rules to find out what is going on:
----
time->Mon May 30 06:05:45 2011
type=SYSCALL msg=audit(1306749945.721:223): arch=c000003e syscall=21 success=no
exit=-13 a0=1a074590 a1=1 a2=0 a3=6f746b7365642d65 items=0 ppid=2155 pid=2262 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306749945.721:223): avc: denied { execute } for pid=2262 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:01 2011
type=SYSCALL msg=audit(1306751401.009:338): arch=c000003e syscall=21 success=no
exit=-13 a0=630f0f0 a1=4 a2=d a3=6f746b7365642d65 items=0 ppid=13286 pid=13289 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751401.009:338): avc: denied { read } for pid=13289 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:02 2011
type=SYSCALL msg=audit(1306751402.833:339): arch=c000003e syscall=59 success=no
exit=-13 a0=63107d0 a1=630e1c0 a2=631bc40 a3=8 items=0 ppid=13289 pid=13317 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751402.833:339): avc: denied { execute } for pid=13317 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
I guess we had the same issue on rhel6, right?

No, we don't. The same scenario works on RHEL-6 where the following packages are installed:

selinux-policy-3.7.19-96.el6.noarch
selinux-policy-targeted-3.7.19-96.el6.noarch
selinux-policy-mls-3.7.19-96.el6.noarch
selinux-policy-doc-3.7.19-96.el6.noarch
selinux-policy-minimum-3.7.19-96.el6.noarch

We have on RHEL6

```
optional_policy(`
	ssh_run_keygen($3,$2)
')
```

in ssh_role_template()

Milos,
if you add a local policy which will contain

```
policy_module(mykeygen,1.0)

require {
	# ssh_keygen_t is declared by the base policy; it must be required
	# here because the role statement below names it directly
	type ssh_keygen_t;
	type sysadm_t;
	role sysadm_r;
}

# let the sysadm role enter the ssh_keygen_t domain ...
role sysadm_r types ssh_keygen_t;
# ... and transition into it when sysadm_t executes ssh_keygen_exec_t
ssh_domtrans_keygen(sysadm_t)
```

does it work?
Before "restorecon -Rv /root ; semodule -DB" ssh-keygen did not work and I saw the following AVCs:
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:50): arch=c000003e syscall=4 success=no exit=-13 a0=2ae0cd25b900 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:50): avc: denied { search } for pid=2931 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:49): arch=c000003e syscall=4 success=no exit=-13 a0=7ffff087cec0 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:49): avc: denied { getattr } for pid=2931 comm="ssh-keygen" path="/root/.ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----
After "restorecon -Rv /root ; semodule -DB" ssh-keygen still did not work and I saw the following AVC:
----
time->Tue May 31 09:34:26 2011
type=SYSCALL msg=audit(1306848866.374:60): arch=c000003e syscall=4 success=no exit=-13 a0=2b7b6044d900 a1=7fff0cd596f0 a2=7fff0cd596f0 a3=0 items=0 ppid=2844 pid=2959 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848866.374:60): avc: denied { search } for pid=2959 comm="ssh-keygen" name="root" dev=dm-0 ino=17268737 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c1023 tclass=dir
----
Try to add

```
userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;
```

to local policy.
The following module fixed it. Now ssh-keygen works as expected for the root user with the sysadm_r role.

```
policy_module(mykeygen,1.0)

require {
	# types and roles from the base policy that this module names directly
	type ssh_keygen_t;
	type sshd_key_t;
	type sysadm_t;
	type sysadm_home_dir_t;
	role sysadm_r;
}

# allow the sysadm role to run in the ssh_keygen_t domain and
# transition into it from sysadm_t
role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)

# files and directories ssh-keygen creates directly under /root get sshd_key_t
userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
# ssh-keygen must be able to traverse /root to reach /root/.ssh
allow ssh_keygen_t sysadm_home_dir_t:dir search;
```
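The AVC records quoted so far in this bug are the raw material that audit2allow turns into a local module; as an added example (this is my own code, not part of the bug report or of selinux-policy), the script below parses those same audit lines, merges the denied permissions per (source type, target type, object class) and renders a policy module skeleton. It also flags the one pattern a reviewer should not turn into a plain allow rule: an execute denial on an _exec_t entrypoint type, which (as this thread concludes) wants a domain transition interface such as ssh_domtrans_keygen rather than allowing sysadm_t to execute the binary in its own domain. The module name mykeygen and the classify() heuristic are my choices; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Sample input: the AVC lines quoted in this bug report (constructed here
# as an inline string so the script runs offline).
SAMPLE_AVCS = """\
type=AVC msg=audit(1306749945.721:223): avc: denied { execute } for pid=2262 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1306751401.009:338): avc: denied { read } for pid=13289 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1306751402.833:339): avc: denied { execute } for pid=13317 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1306848866.374:60): avc: denied { search } for pid=2959 comm="ssh-keygen" name="root" dev=dm-0 ino=17268737 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c1023 tclass=dir
"""

# The fields we need from an AVC record: the permission set and the
# source/target contexts plus the object class they apply to.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(':')[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and separators carry no AVC fields
        yield (context_type(m['scontext']), context_type(m['tcontext']),
               m['tclass'], frozenset(m['perms'].split()))


def summarize(text):
    """Merge denied permissions per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return {key: frozenset(val) for key, val in merged.items()}


def classify(src, tgt, cls, perms):
    """'domtrans' when a domain is denied execute on an _exec_t entrypoint type.

    A raw allow here would run the program in the caller's domain; the
    proper fix is a domain transition interface (heuristic, my own).
    """
    if cls == 'file' and 'execute' in perms and tgt.endswith('_exec_t'):
        return 'domtrans'
    return 'allow'


def render_module(text, name='mykeygen'):
    """Render a policy module skeleton: require block plus one rule per key."""
    rules = summarize(text)
    types = sorted({t for key in rules for t in key[:2]})
    out = [f'policy_module({name}, 1.0)', 'require {']
    out += [f'\ttype {t};' for t in types]
    out.append('}')
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = ' '.join(sorted(perms))
        rule = f'allow {src} {tgt}:{cls} {{ {plist} }};'
        if classify(src, tgt, cls, perms) == 'domtrans':
            # keep the rule visible but commented out, with the reason
            rule = f'# {rule}  -- execute on an _exec_t type: use a domtrans interface instead'
        out.append(rule)
    return '\n'.join(out)


if __name__ == '__main__':
    print(render_module(SAMPLE_AVCS))
```

Running it prints a module in which the sysadm_t and secadm_t execute denials are commented out with a pointer to a domtrans interface, while the ssh_keygen_t search denial on sysadm_home_dir_t becomes the same allow rule the thread adds by hand.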
Could you also check the label is correct

```
# matchpathcon /root/.ssh
# ls -dZ /root/.ssh
```

Good catch. There is a difference:

```
# rm -rf /root/.ssh
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e6:4a:32:15:4b:e9:62:7b:e6:2f:8e:61:50:6d:1e:55 root.eng.rdu.redhat.com
# matchpathcon /root/.ssh
/root/.ssh	root:object_r:sysadm_home_ssh_t:SystemLow
# ls -dZ /root/.ssh
drwx------  root root root:object_r:sshd_key_t:SystemLow /root/.ssh
#
```

Well, this is a fix for targeted policy. I like RHEL5 handling with users.
---

```
# $1: calling domain, $2: role of the caller,
# $3: type for the ~/.ssh directory created by ssh-keygen (MLS build only),
# $4: home directory type of the caller (MLS build only)
interface(`ssh_run_keygen',`
	gen_require(`
		type ssh_keygen_t;
		type sshd_key_t;
	')

	role $2 types ssh_keygen_t;
	ssh_domtrans_keygen($1)

	ifdef(`targeted_policy',`
		# targeted: a new ~/.ssh under /root is labeled sshd_key_t
		userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, dir )
	',`
		# MLS: create ~/.ssh in the per-role home dir with the per-role home ssh type
		allow ssh_keygen_t $4:dir rw_dir_perms;
		type_transition ssh_keygen_t $4:dir $3;
	')
')
```

and

```
optional_policy(`
	ssh_run_keygen($1_t, $1_r, $1_home_ssh_t, $1_home_dir_t)
')
```

in ssh_per_role_template() should fix the issue.
Fine with me.

Fixed in selinux-policy-2.4.6-308.el5

Ok, I need to fix the interface.

Milos, could you try it with selinux-policy-2.4.6-309.el5

# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# cd /root
# rm -rf .ssh
# setenforce 0
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ec:ca:a7:a2:81:78:13:6c:ba:60:ae:26:ab:32:39:54 root.eng.bos.redhat.com
# ausearch -m avc -m user_avc -ts recent
----
time->Tue Jun 7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:88): arch=c0000032 syscall=1212 success=yes exit=0 a0=3 a1=60000fffff9d2ff0 a2=0 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:88): avc: denied { getattr } for pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
time->Tue Jun 7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:87): arch=c0000032 syscall=1028 success=yes exit=3 a0=200000080004bf48 a1=241 a2=180 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:87): avc: denied { create } for pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
type=AVC msg=audit(1307452424.875:87): avc: denied { add_name } for pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
type=AVC msg=audit(1307452424.875:87): avc: denied { write } for pid=3584 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=8413169 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
----
time->Tue Jun 7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.876:89): arch=c0000032 syscall=1027 success=yes exit=1675 a0=3 a1=2000000800f10000 a2=68b a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.876:89): avc: denied { write } for pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
Fixed in selinux-policy-2.4.6-311.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2011-1069.html