Bug 987554
| Field | Value |
|---|---|
| Summary | ssh cannot create controlmaster socket when running as confined user |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 19 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Michael S. <misc> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | brian, dominick.grift, dwalsh, mattias.ellert, mgrepl, plautrba, rh-bugzilla, tmraz |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-10-21 16:11:55 UTC |
Description
Michael S.
2013-07-23 16:03:27 UTC
So in fact, there are 3 operations, as seen by running in permissive mode:

```
type=AVC msg=audit(1374604682.020:5133): avc: denied { create } for pid=13572 comm="ssh" name="misc.example.com:22.sWlPsweTDbYJoss6" scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1374604682.020:5134): avc: denied { link } for pid=13572 comm="ssh" name="misc.example.com:22.sWlPsweTDbYJoss6" dev="dm-3" ino=3422336 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1374604682.020:5135): avc: denied { unlink } for pid=13572 comm="ssh" name="misc.example.com:22.sWlPsweTDbYJoss6" dev="dm-3" ino=3422336 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
```

What is the default value for ControlPath? Seems like we should have a transition for this, although it would be nice if the socket was put into a subdir like .cache/ssh/ or /run/user/UID/ssh

e506a4253b8b80ec6e0e59d5e3be4709aeba45ef fixes this in git.

There is no default for ControlPath. And I would indeed recommend to place the control socket in a protected directory, since it can be used to connect to a remote server without a password (in fact, that's quite tricky because using ControlPath even puts no log on the remote server).

As stated, there's no default value for ControlPath and ssh won't prepare a multiplexing if ControlPath is not set. So it's up to a user to set and place the control socket in the right place. Also the control socket is created using umask(0177) so it should be accessible only to the owner.

Is this a case where we should give an example location like ~/.ssh/ControlSocket?

The home directory is a bad choice because it is usually on NFS shares and '~/.ssh/%r@%h:%p' will cause conflicts when running ssh on different hosts. You might add the local hostname %l to avoid this conflict but this can make the resulting path name too long.

A place below $XDG_RUNTIME_DIR would be an excellent place but unfortunately, ControlPath does not expand shell variables and the uid must be hardcoded.

We have rules for HOMEDIR. Petr, should we make a note in sshd_config as Dan wrote?

So what dir should the control socket go into so that it does not run afoul of SELinux?
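Added example, not part of the original bug report and not OpenSSH code: a pre-flight check for a ControlPath setting that covers the two concerns raised in the thread, a protected directory and a path that does not become too long once %l is added. The function names are hypothetical, the 108-byte limit assumes Linux's `sun_path` size, and the 17-byte temporary suffix is taken from the socket name in the AVC records above.

```python
import os
import re
import stat

SUN_PATH_MAX = 108    # assumption: sizeof(sun_path) on Linux, trailing NUL included
TEMP_SUFFIX_LEN = 17  # "." + 16 random characters, as in the AVC records' socket name


def expand_control_path(template, remote_user, host, port, local_host, home):
    """Expand the ControlPath tokens named in the thread, then a leading ~/."""
    tokens = {"%r": remote_user, "%h": host, "%p": str(port),
              "%l": local_host, "%%": "%"}
    path = re.sub(r"%[rhpl%]", lambda m: tokens[m.group(0)], template)
    return home + path[1:] if path.startswith("~/") else path


def check_control_path(path, uid=None):
    """Return a list of problems for an expanded socket path; empty means OK."""
    uid = os.getuid() if uid is None else uid
    problems = []
    # The create/link/unlink records show the socket is first created under a
    # temporary name (path + suffix), so that longer name must fit as well.
    needed = len(os.fsencode(path)) + TEMP_SUFFIX_LEN + 1
    if needed > SUN_PATH_MAX:
        problems.append(f"path too long: {needed} bytes needed, limit {SUN_PATH_MAX}")
    parent = os.path.dirname(path) or "."
    try:
        st = os.stat(parent)
    except OSError as exc:
        return problems + [f"cannot stat {parent}: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"not a directory: {parent}")
    if st.st_uid != uid:
        problems.append(f"directory not owned by uid {uid}: {parent}")
    if st.st_mode & 0o077:
        problems.append(f"directory open to group/other: {parent}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the template is the one quoted in the thread.
    p = expand_control_path("~/.ssh/%r@%h:%p", "misc", "misc.example.com", 22,
                            "laptop.example.com", os.path.expanduser("~"))
    print(p, check_control_path(p) or "OK")
```

The check does not detect NFS mounts or SELinux labels; it only covers directory ownership, directory mode and socket path length.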