| Summary: | Tag gsi-openssh |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | selinux-policy |
| Version: | 18 |
| Status: | CLOSED CURRENTRELEASE |
| Severity: | medium |
| Priority: | medium |
| Hardware: | noarch |
| OS: | Linux |
| Reporter: | Mattias Ellert <mattias.ellert> |
| Assignee: | Miroslav Grepl <mgrepl> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | dominick.grift, dwalsh, mgrepl |
| Doc Type: | Bug Fix |
| Last Closed: | 2012-12-18 06:52:37 UTC |

How did you start gsisshd service? You need to use unit file (service script for older distro).

```
# ps -eZ |grep ssh
```

Sorry for the delay in answering. Here is an example of what is going on.

On the server (CentOS 6 with CR repo and EPEL):

```
[root@globus ~]# restorecon /usr/sbin/gsisshd
[root@globus ~]# ls -Z /usr/sbin/gsisshd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/gsisshd
[root@globus ~]# service gsisshd restart
Stopping gsisshd: [ OK ]
Starting gsisshd: [ OK ]
```

On the client (Fedora 16):

```
[ellert@localhost ~]$ gsissh -p 2222 globus.grid.tsl.uu.se
Unable to get valid context for ellert
Last login: Fri Dec 23 05:31:48 2011 from c-36b0e455.0-0064-74657210.cust.bredbandsbolaget.se
Connection to globus.grid.tsl.uu.se closed.
```

On the server again:

```
[root@globus ~]# chcon -t sshd_exec_t /usr/sbin/gsisshd
[root@globus ~]# ls -Z /usr/sbin/gsisshd
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/gsisshd
[root@globus ~]# service gsisshd restart
Stopping gsisshd: [ OK ]
Starting gsisshd: [ OK ]
```

On the client again:

```
[ellert@localhost ~]$ gsissh -p 2222 globus.grid.tsl.uu.se
Last login: Fri Dec 23 05:32:01 2011 from c-36b0e455.0-0064-74657210.cust.bredbandsbolaget.se
[ellert@globus ~]$
```

So login fails when the selinux type is wrong, but works when it is right. At least for this combination of client (Fedora 16) and server (CentOS 6).

Added to F18.

commit 839461f382f58f1ab83ca45b5e2e0543f82d864d
Author: Miroslav Grepl <mgrepl>
Date: Sat Dec 15 20:04:28 2012 +0100
Label /usr/sbin/gsisshd as sshd_exec_t

selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18

selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 541378: Updated ssh.fc with gsi-openssh files added

Description of problem:
gsi-openssh was recently added to Fedora 15, 16 and rawhide and EPEL 5 and 6. The files should have the same tags as the corresponding files in the non-gsi openssh package.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-49.fc15
selinux-policy-3.10.0-64.fc16
selinux-policy-3.10.0-64.fc17
selinux-policy-2.4.6-316.el5
selinux-policy-3.7.19-93.el6_1.7

How reproducible: Always

Steps to Reproduce: 1. 2. 3.

Actual results:
Due to untagged gsisshd, connections are killed with:

```
pam_selinux(gsisshd:session): Security context user_u:user_r:policykit_grant_t:s0 is not allowed for user_u:user_r:policykit_grant_t:s0
```

Expected results: Accepted connection

Additional info: The attachment contains an updated version of the ssh.fc based on the version in Fedora 16 with the patch in the srpm applied.
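
The requirement in the description, that gsi-openssh files carry the same labels as their OpenSSH counterparts, can be checked mechanically against a file-contexts listing. The script below is an added example, not part of this bug report or of selinux-policy; the function names `fc_type` and `check_pairs`, the sample policy lines, and the restriction to literal path entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Input is file_contexts-style text:
#   <path-regex> [<file-type>] <user:role:type:level>
# Only literal path entries are matched; a path with no literal entry is
# reported as "unlisted" (it would fall through to a generic regex rule).

# fc_type FILE PATH: print the type of the last literal entry for PATH.
fc_type() {
    awk -v want="$2" '
        $1 == want { split($NF, ctx, ":"); found = ctx[3] }
        END { print (found == "" ? "unlisted" : found) }
    ' "$1"
}

# check_pairs FILE: read "gsi_path stock_path" pairs from stdin; return 1 if
# any gsi path does not carry the same type as its stock OpenSSH counterpart.
check_pairs() {
    rc=0
    while read -r gsi stock; do
        [ -n "$gsi" ] || continue
        gt=$(fc_type "$1" "$gsi"); st=$(fc_type "$1" "$stock")
        if [ "$gt" = "$st" ]; then
            echo "OK       $gsi: $gt"
        else
            echo "MISMATCH $gsi: $gt, but $stock is $st"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample policies: before and after the gsisshd entry is added.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
/usr/sbin(/.*)?    system_u:object_r:bin_t:s0
/usr/sbin/sshd  --  system_u:object_r:sshd_exec_t:s0
EOF
cp "$before" "$after"
echo '/usr/sbin/gsisshd  --  system_u:object_r:sshd_exec_t:s0' >> "$after"

pairs='/usr/sbin/gsisshd /usr/sbin/sshd'
echo "$pairs" | check_pairs "$before" || echo "before: labels differ"
echo "$pairs" | check_pairs "$after"  && echo "after: labels match"
```

On a live host, `matchpathcon` reports the label the loaded policy expects for a path, regex rules included, so it is the better source of truth there.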