Bug 837815
| Summary: | MLS user with category s8:c101 cannot ssh to the system | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Niranjan Mallapadi Raghavender <mniranja> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 6.3 | CC: | dwalsh, jrieden, mmalik, mvadkert |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-156.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 08:25:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 840674, 840699 | ||
Fixed in selinux-policy-3.7.19-156.el6 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html |
Description of problem: On a RHEL6.3 system with MLS policy an user created with category s8:c101 cannot login to the system through ssh Below messages are seen: type=AVC msg=audit(1341466838.962:19126): avc: denied { rlimitinh } for pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process type=AVC msg=audit(1341466838.962:19126): avc: denied { siginh } for pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process type=AVC msg=audit(1341466838.962:19126): avc: denied { noatsecure } for pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process type=SYSCALL msg=audit(1341466838.962:19126): arch=c000003e syscall=59 success=yes exit=0 a0=7fd582ec7c98 a1=7ffffa04c9f0 a2=7fd5830ce368 a3=7 items=0 ppid=3528 pid=3530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 key=(null) type=USER_AUTH msg=audit(1341466838.965:19127): user pid=3528 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='op=PAM:authentication acct="dwalsh" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success' type=AVC msg=audit(1341466838.967:19128): avc: denied { rlimitinh } for pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process type=AVC msg=audit(1341466838.967:19128): avc: denied { siginh } for pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process type=AVC msg=audit(1341466838.967:19128): avc: denied { noatsecure } for pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process /var/log/secure Jul 5 10:57:33 webserver sshd[3419]: Accepted password for dwalsh from 192.168.122.1 port 35119 ssh2 Jul 5 10:57:33 webserver sshd[3419]: pam_unix(sshd:session): session opened for user dwalsh by (uid=0) Jul 5 10:57:33 webserver sshd[3423]: fatal: Write failed: Permission denied Jul 5 10:57:33 webserver sshd[3423]: fatal: mm_request_send: write: Permission denied Jul 5 10:57:33 webserver sshd[3419]: pam_unix(sshd:session): session closed for user dwalsh Version-Release number of selected component (if applicable): selinux-policy-targeted-3.7.19-154.el6.noarch selinux-policy-3.7.19-154.el6.noarch selinux-policy-mls-3.7.19-154.el6.noarch How reproducible: Steps to Reproduce: 1. Create a user useradd -Z sysadm_u joh 2. Assign category s8:c101 semanage login -a -s sysadm_u -r s8:c101 john 3. Login through ssh Actual results: Unable to logon through ssh Expected results: Should be able to logon through ssh Additional info: