Bug 708986

| Field | Value |
|---|---|
| Summary | enforcing MLS: root (sysadm_r or secadm_r) cannot run ssh-keygen |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Milos Malik <mmalik> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Priority | high |
| Version | 5.7 |
| CC | dwalsh |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-2.4.6-311.el5 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2011-07-21 09:19:06 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 693723 |
Description

Milos Malik, 2011-05-30 10:31:04 UTC

I had to disable dontaudit rules to find out what is going on:

```
----
time->Mon May 30 06:05:45 2011
type=SYSCALL msg=audit(1306749945.721:223): arch=c000003e syscall=21 success=no exit=-13 a0=1a074590 a1=1 a2=0 a3=6f746b7365642d65 items=0 ppid=2155 pid=2262 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306749945.721:223): avc: denied { execute } for pid=2262 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:01 2011
type=SYSCALL msg=audit(1306751401.009:338): arch=c000003e syscall=21 success=no exit=-13 a0=630f0f0 a1=4 a2=d a3=6f746b7365642d65 items=0 ppid=13286 pid=13289 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751401.009:338): avc: denied { read } for pid=13289 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:02 2011
type=SYSCALL msg=audit(1306751402.833:339): arch=c000003e syscall=59 success=no exit=-13 a0=63107d0 a1=630e1c0 a2=631bc40 a3=8 items=0 ppid=13289 pid=13317 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751402.833:339): avc: denied { execute } for pid=13317 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
```

---

I guess we had the same issue on rhel6, right?

---

No, we don't.

---

The same scenario works on RHEL-6 where the following packages are installed:

```
selinux-policy-3.7.19-96.el6.noarch
selinux-policy-targeted-3.7.19-96.el6.noarch
selinux-policy-mls-3.7.19-96.el6.noarch
selinux-policy-doc-3.7.19-96.el6.noarch
selinux-policy-minimum-3.7.19-96.el6.noarch
```

---

On RHEL6 we have

```
optional_policy(`
    ssh_run_keygen($3,$2)
')
```

in ssh_role_template().

Milos, if you add a local policy which will contain

```
policy_module(mykeygen,1.0)

require{
    type sysadm_t;
    role sysadm_r;
}

role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)
```

does it work?

---

Before `restorecon -Rv /root ; semodule -DB` ssh-keygen did not work and I saw the following AVC:

```
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:50): arch=c000003e syscall=4 success=no exit=-13 a0=2ae0cd25b900 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:50): avc: denied { search } for pid=2931 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:49): arch=c000003e syscall=4 success=no exit=-13 a0=7ffff087cec0 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:49): avc: denied { getattr } for pid=2931 comm="ssh-keygen" path="/root/.ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----
```

After `restorecon -Rv /root ; semodule -DB` ssh-keygen did not work and I saw the following AVC:

```
----
time->Tue May 31 09:34:26 2011
type=SYSCALL msg=audit(1306848866.374:60): arch=c000003e syscall=4 success=no exit=-13 a0=2b7b6044d900 a1=7fff0cd596f0 a2=7fff0cd596f0 a3=0 items=0 ppid=2844 pid=2959 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848866.374:60): avc: denied { search } for pid=2959 comm="ssh-keygen" name="root" dev=dm-0 ino=17268737 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c1023 tclass=dir
----
```

---

Try adding

```
userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;
```

to the local policy.

---

The following module fixed it. Now ssh-keygen works as expected for the root user with the sysadm_r role.

```
policy_module(mykeygen,1.0)

require{
    type sshd_key_t;
    type sysadm_t;
    role sysadm_r;
}

role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)
userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;
```

---

Could you also check that the label is correct?

```
# matchpathcon /root/.ssh
# ls -dZ /root/.ssh
```

---

Good catch. There is a difference:

```
# rm -rf /root/.ssh
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e6:4a:32:15:4b:e9:62:7b:e6:2f:8e:61:50:6d:1e:55 root.eng.rdu.redhat.com
# matchpathcon /root/.ssh
/root/.ssh      root:object_r:sysadm_home_ssh_t:SystemLow
# ls -dZ /root/.ssh
drwx------  root root root:object_r:sshd_key_t:SystemLow /root/.ssh
#
```

---

Well, this is a fix for targeted policy. I like RHEL5 handling with users.

```
interface(`ssh_run_keygen',`
    gen_require(`
        type ssh_keygen_t;
        type sshd_key_t;
    ')

    role $2 types ssh_keygen_t;
    ssh_domtrans_keygen($1)

    ifdef(`targeted_policy',`
        userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, dir)
    ',`
        allow ssh_keygen_t $4:dir rw_dir_perms;
        type_transition ssh_keygen_t $4:dir $3;
    ')
')
```

and

```
optional_policy(`
    ssh_run_keygen($1_t, $1_r, $1_home_ssh_t, $1_home_dir_t)
')
```

in ssh_per_role_template() should fix the issue.

---

Fine with me.

---

Fixed in selinux-policy-2.4.6-308.el5

---

Ok, I need to fix the interface. Milos, could you try it with selinux-policy-2.4.6-309.el5?

---

```
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# cd /root
# rm -rf .ssh
# setenforce 0
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ec:ca:a7:a2:81:78:13:6c:ba:60:ae:26:ab:32:39:54 root.eng.bos.redhat.com
# ausearch -m avc -m user_avc -ts recent
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:88): arch=c0000032 syscall=1212 success=yes exit=0 a0=3 a1=60000fffff9d2ff0 a2=0 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:88): avc: denied { getattr } for pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:87): arch=c0000032 syscall=1028 success=yes exit=3 a0=200000080004bf48 a1=241 a2=180 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:87): avc: denied { create } for pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
type=AVC msg=audit(1307452424.875:87): avc: denied { add_name } for pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
type=AVC msg=audit(1307452424.875:87): avc: denied { write } for pid=3584 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=8413169 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.876:89): arch=c0000032 syscall=1027 success=yes exit=1675 a0=3 a1=2000000800f10000 a2=68b a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.876:89): avc: denied { write } for pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
```

---

Fixed in selinux-policy-2.4.6-311.el5

---

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
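The thread above works by reading AVC denials by hand and turning each (source type, target type, class) into a policy rule. The script below is an added example, not part of the bug report, that does that aggregation audit2allow-style over constructed sample lines quoted from the records above; the regex and function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records quoted from the report above (ausearch
# output), trimmed to the fields the parser needs.
SAMPLE_AVCS = """\
type=AVC msg=audit(1306749945.721:223): avc:  denied  { execute } for  pid=2262 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1306751401.009:338): avc:  denied  { read } for  pid=13289 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1306751402.833:339): avc:  denied  { execute } for  pid=13317 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1306848600.329:50): avc:  denied  { search } for  pid=2931 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
"""

# Kernel AVC format: "avc:  denied  { perm ... } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avcs(text):
    """Yield (source type, target type, class, set of perms) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:range]; allow rules key on the type field.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())


def summarize(text):
    """Merge denials per (stype, ttype, tclass) into one sorted permission string."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
    return {key: ' '.join(sorted(perms)) for key, perms in rules.items()}


def format_rules(summary):
    """Render the summary as allow rules, sorted for stable output."""
    return ['allow %s %s:%s { %s };' % (s, t, c, p)
            for (s, t, c), p in sorted(summary.items())]


if __name__ == '__main__':
    for rule in format_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

The third rule it emits targets user_home_t, which the thread resolved with `restorecon -Rv /root` rather than a policy change: a denial against a type that does not match `matchpathcon` output points to a mislabel, not a missing allow rule.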