Bug 837815

Summary: MLS user with category s8:c101 cannot ssh to the system
Product: Red Hat Enterprise Linux 6 Reporter: Niranjan Mallapadi Raghavender <mniranja>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.3CC: dwalsh, jrieden, mmalik, mvadkert
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-156.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 03:25:09 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 840674, 840699    

Description Niranjan Mallapadi Raghavender 2012-07-05 07:51:03 EDT
Description of problem:

On a RHEL6.3 system with MLS policy an user created with category s8:c101 cannot login to the system through ssh 

Below messages are seen:

type=AVC msg=audit(1341466838.962:19126): avc:  denied  { rlimitinh } for  pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1341466838.962:19126): avc:  denied  { siginh } for  pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1341466838.962:19126): avc:  denied  { noatsecure } for  pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1341466838.962:19126): arch=c000003e syscall=59 success=yes exit=0 a0=7fd582ec7c98 a1=7ffffa04c9f0 a2=7fd5830ce368 a3=7 items=0 ppid=3528 pid=3530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1341466838.965:19127): user pid=3528 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='op=PAM:authentication acct="dwalsh" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=AVC msg=audit(1341466838.967:19128): avc:  denied  { rlimitinh } for  pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1341466838.967:19128): avc:  denied  { siginh } for  pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1341466838.967:19128): avc:  denied  { noatsecure } for  pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process

/var/log/secure

Jul  5 10:57:33 webserver sshd[3419]: Accepted password for dwalsh from 192.168.122.1 port 35119 ssh2
Jul  5 10:57:33 webserver sshd[3419]: pam_unix(sshd:session): session opened for user dwalsh by (uid=0)
Jul  5 10:57:33 webserver sshd[3423]: fatal: Write failed: Permission denied
Jul  5 10:57:33 webserver sshd[3423]: fatal: mm_request_send: write: Permission denied
Jul  5 10:57:33 webserver sshd[3419]: pam_unix(sshd:session): session closed for user dwalsh



Version-Release number of selected component (if applicable):


selinux-policy-targeted-3.7.19-154.el6.noarch
selinux-policy-3.7.19-154.el6.noarch
selinux-policy-mls-3.7.19-154.el6.noarch


How reproducible:


Steps to Reproduce:
1. Create a user 
 useradd -Z sysadm_u joh

2. Assign category s8:c101 
semanage login -a -s sysadm_u -r s8:c101 john

3. Login through ssh 
  
Actual results:

Unable to logon through ssh

Expected results:

Should be able to logon through ssh

Additional info:
Comment 5 Miroslav Grepl 2012-07-09 08:28:09 EDT
Fixed in selinux-policy-3.7.19-156.el6
Comment 9 errata-xmlrpc 2013-02-21 03:25:09 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html