| Summary: | enforcing MLS: user_u and staff_u cannot run ssh-keygen | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.7 | CC: | dwalsh |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-2.4.6-312.el5 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-21 09:20:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Following policy module fixed the problem:
module mypolicy 1.0;
require {
type staff_t;
type ssh_keygen_t;
type home_root_t;
type staff_home_ssh_t;
type user_home_ssh_t;
type user_t;
type user_devpts_t;
type staff_devpts_t;
class chr_file { read write };
class dir { search rmdir };
}
#============= ssh_keygen_t ==============
allow ssh_keygen_t home_root_t:dir search;
allow ssh_keygen_t staff_devpts_t:chr_file { read write };
allow ssh_keygen_t user_devpts_t:chr_file { read write };
#============= staff_t ==============
allow staff_t staff_home_ssh_t:dir rmdir;
#============= user_t ==============
allow user_t user_home_ssh_t:dir rmdir;
Fixed in selinux-policy-2.4.6-312.el5 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html |
Description of problem: They cannot even delete .ssh directory in their home directories. Version-Release number of selected component (if applicable): selinux-policy-minimum-2.4.6-311.el5 selinux-policy-devel-2.4.6-311.el5 selinux-policy-mls-2.4.6-311.el5 selinux-policy-targeted-2.4.6-311.el5 selinux-policy-2.4.6-311.el5 selinux-policy-strict-2.4.6-311.el5 How reproducible: always Steps to Reproduce: 1. get a RHEL-5.7 machine where MLS policy is active and is in enforcing mode 2. create an user_u or staff_u user 3. set up a password for that user 4. log in as that user via ssh 5. delete .ssh directory if present 6. run ssh-keygen Actual results: * public/private key pair generation failed * following AVCs (I had to disable dontaudit rules to see denials): ---- time->Wed Jun 8 09:48:45 2011 type=SYSCALL msg=audit(1307540925.996:384): arch=c0000032 syscall=1056 success=no exit=-13 a0=6000000000008420 a1=6000000000008420 a2=60000fffffae7598 a3=3 items=0 ppid=3400 pid=4167 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=8 comm="rm" exe="/bin/rm" subj=staff_u:staff_r:staff_t:s0 key=(null) type=AVC msg=audit(1307540925.996:384): avc: denied { rmdir } for pid=4167 comm="rm" name=".ssh" dev=dm-0 ino=3801115 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:staff_home_ssh_t:s0 tclass=dir ---- time->Wed Jun 8 09:48:49 2011 type=SYSCALL msg=audit(1307540929.404:385): arch=c0000032 syscall=1056 success=no exit=-13 a0=6000000000008420 a1=6000000000008420 a2=60000fffffcbf598 a3=3 items=0 ppid=3306 pid=4168 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=pts0 ses=7 comm="rm" exe="/bin/rm" subj=user_u:user_r:user_t:s0 key=(null) type=AVC msg=audit(1307540929.404:385): avc: denied { rmdir } for pid=4168 comm="rm" name=".ssh" dev=dm-0 ino=3801118 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_ssh_t:s0 tclass=dir ---- time->Wed Jun 8 09:51:15 2011 type=SYSCALL msg=audit(1307541075.324:392): arch=c0000032 syscall=1033 success=yes exit=0 a0=6000000000036560 a1=600000000002bf70 a2=600000000002c740 a3=0 items=0 ppid=3306 pid=4185 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=7 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=user_u:user_r:ssh_keygen_t:s0 key=(null) type=AVC msg=audit(1307541075.324:392): avc: denied { noatsecure } for pid=4185 comm="ssh-keygen" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:ssh_keygen_t:s0 tclass=process type=AVC msg=audit(1307541075.324:392): avc: denied { rlimitinh } for pid=4185 comm="ssh-keygen" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:ssh_keygen_t:s0 tclass=process type=AVC msg=audit(1307541075.324:392): avc: denied { siginh } for pid=4185 comm="ssh-keygen" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:ssh_keygen_t:s0 tclass=process type=AVC msg=audit(1307541075.324:392): avc: denied { read write } for pid=4185 comm="ssh-keygen" path="/dev/pts/0" dev=devpts ino=2 scontext=user_u:user_r:ssh_keygen_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1307541075.324:392): avc: denied { read write } for pid=4185 comm="ssh-keygen" path="/dev/pts/0" dev=devpts ino=2 scontext=user_u:user_r:ssh_keygen_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1307541075.324:392): avc: denied { read write } for pid=4185 comm="ssh-keygen" path="/dev/pts/0" dev=devpts ino=2 scontext=user_u:user_r:ssh_keygen_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1307541075.324:392): avc: denied { read write } for pid=4185 comm="ssh-keygen" name="0" dev=devpts ino=2 scontext=user_u:user_r:ssh_keygen_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file ---- time->Wed Jun 8 09:51:07 2011 type=SYSCALL msg=audit(1307541067.772:389): arch=c0000032 syscall=1033 success=yes exit=0 a0=6000000000046990 a1=60000000000365b0 a2=6000000000037ab0 a3=0 items=0 ppid=3400 pid=4184 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=8 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=staff_u:staff_r:ssh_keygen_t:s0 key=(null) type=AVC msg=audit(1307541067.772:389): avc: denied { noatsecure } for pid=4184 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process type=AVC msg=audit(1307541067.772:389): avc: denied { rlimitinh } for pid=4184 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process type=AVC msg=audit(1307541067.772:389): avc: denied { siginh } for pid=4184 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process type=AVC msg=audit(1307541067.772:389): avc: denied { read write } for pid=4184 comm="ssh-keygen" path="/dev/pts/1" dev=devpts ino=3 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1307541067.772:389): avc: denied { read write } for pid=4184 comm="ssh-keygen" path="/dev/pts/1" dev=devpts ino=3 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1307541067.772:389): avc: denied { read write } for pid=4184 comm="ssh-keygen" path="/dev/pts/1" dev=devpts ino=3 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1307541067.772:389): avc: denied { read write } for pid=4184 comm="ssh-keygen" name="1" dev=devpts ino=3 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file ---- Expected results: * no AVCs * public/private key pair is generated successfully