Bug 1004269 - kerberos telnetd runs as init_t when krb5-telnet.socket is active
Summary: kerberos telnetd runs as init_t when krb5-telnet.socket is active
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1004161
TreeView+ depends on / blocked
 
Reported: 2013-09-04 10:21 UTC by Milos Malik
Modified: 2014-06-18 02:25 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.12.1-77.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:48:52 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Milos Malik 2013-09-04 10:21:29 UTC 
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-73.el7.noarch
selinux-policy-devel-3.12.1-73.el7.noarch
selinux-policy-doc-3.12.1-73.el7.noarch
selinux-policy-minimum-3.12.1-73.el7.noarch
selinux-policy-mls-3.12.1-73.el7.noarch
selinux-policy-targeted-3.12.1-73.el7.noarch
krb5-appl-servers-1.0.3-7.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# systemctl enable krb5-telnet.socket
ln -s '/usr/lib/systemd/system/krb5-telnet.socket' '/etc/systemd/system/sockets.target.wants/krb5-telnet.socket'
# systemctl start krb5-telnet.socket
# systemctl status krb5-telnet.socket
krb5-telnet.socket - Kerberos-aware Telnet Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/krb5-telnet.socket; enabled)
   Active: active (listening) since Wed 2013-09-04 12:16:03 CEST; 32s ago
   Listen: [::]:23 (Stream)
 Accepted: 0; Connected: 0

Sep 04 12:16:03 rhel70 systemd[1]: Listening on Kerberos-aware Telnet Serve...t.
# nc -v 127.0.0.1 23
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:23.
��%^Z
[1]+  Stopped                 nc -v 127.0.0.1 23
# ps -efZ | grep telnet
system_u:system_r:init_t:s0     root     21932     1  0 12:16 ?        00:00:00 /usr/kerberos/sbin/telnetd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21934 24725  0 12:17 pts/0 00:00:00 grep --color=auto telnet
# fg
nc -v 127.0.0.1 23
^C
# 

Actual results:
 * telnetd process is not labelled correctly

Expected results:
 * telnetd process is labelled correctly
Comment 1 Milos Malik 2013-09-04 11:45:07 UTC 
This bug talks about the kerberized version of telnet server.

# matchpathcon /usr/kerberos/sbin/telnetd 
/usr/kerberos/sbin/telnetd	system_u:object_r:telnetd_exec_t:s0
# rpm -qf /usr/kerberos/sbin/telnetd 
krb5-appl-servers-1.0.3-7.el7.x86_64
# 

I believe that the fix will also solve the same problem of the original telnet server, because the files are labelled similarly.

# matchpathcon /usr/sbin/in.telnetd 
/usr/sbin/in.telnetd	system_u:object_r:telnetd_exec_t:s0
# rpm -qf /usr/sbin/in.telnetd 
telnet-server-0.17-57.el7.x86_64
#
Comment 2 Daniel Walsh 2013-09-04 12:49:17 UTC 
This looks like a labeling problem.  What is /usr/kerberos/sbin/telnetd labeled?
Comment 3 Milos Malik 2013-09-04 12:54:39 UTC 
# ls -Z /usr/kerberos/sbin/telnetd
-rwxr-xr-x. root root system_u:object_r:telnetd_exec_t:s0 /usr/kerberos/sbin/telnetd
#
Comment 4 Miroslav Grepl 2013-09-04 12:56:30 UTC 
Actually the problem with all these bugs is we miss init domain for these inetd domain.
Comment 5 Daniel Walsh 2013-09-04 12:59:47 UTC 
You are right.  So these domains all have to be made init daemons.
Comment 7 Daniel Walsh 2013-09-05 12:58:43 UTC 
bed107b183700a0277093de44e59f041dc146408 fixes this in git.
Comment 9 Ludek Smid 2014-06-13 09:48:52 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.