(feel free to refile under selinux/policy, if this is filed incorrectly)

Description of problem:
Some people store their sensitive data such as ssh keys on removable media (and if they aren't, they should. :)). Therefore, SELinux policies should allow ssh to read devices in /mnt. Currently, attempting to access files stored on a flash card by issuing a "ssh hostname" or ssh-add .ssh/id_dsa results in something like:

Mar 30 17:24:56 hagrid kernel: audit(1080685496.479:0): avc: denied { search } for pid=3418 exe=/usr/bin/ssh name=mnt dev=hda1 ino=114017 scontext=user_u:user_r:user_ssh_t tcontext=system_u:object_r:mnt_t tclass=dir
Another possibility is that a mounted file system has some secret data which normal users are not permitted to access, and thus allowing such an operation will on some systems permit unprivileged users to use the ssh client to access data that they are otherwise not permitted to access. I believe that this is not a bug, it is a local configuration issue.
Being able to search the /mnt directory is not the same as being able to read it. USB devices and such should get mounted as removable_t, which ssh is not allowed to read. We can either add a boolean or allow search of mnt_t dirs and reading of removable_t. Dan
I don't see why ssh shouldn't be able to read mnt_t. As for removable_t, right now HAL allows console users access to removable media by default. We want to support people storing data on USB keys and the like. So I'd suggest that if we have a boolean it should be on by default. Now there is the potential for a compromised ssh daemon to access potentially secret information stored on removable media; but right now a compromised ssh daemon could also simply transition to user_t or sysadm_t. I'd suggest that sites with data they wish to protect should be ensuring via the HAL policy files or whatever that the media gets an appropriate context mount or whatever.
Added to selinux-policy-strict-1.21.9-1
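
To make the distinction in this thread concrete (search on mnt_t directories versus read on removable_t files), here is an added example, not part of the original report or of the SELinux policy sources, that parses AVC denial lines and derives the type-enforcement rule each one corresponds to, so the requested access can be reviewed before it is granted. The first sample line is the denial quoted in the report; the second is constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the report. Line 2 is CONSTRUCTED for
# illustration: ssh reading a key file on media labelled removable_t.
SAMPLE_LOG = """\
Mar 30 17:24:56 hagrid kernel: audit(1080685496.479:0): avc: denied { search } for pid=3418 exe=/usr/bin/ssh name=mnt dev=hda1 ino=114017 scontext=user_u:user_r:user_ssh_t tcontext=system_u:object_r:mnt_t tclass=dir
Mar 30 17:24:57 hagrid kernel: audit(1080685497.101:0): avc: denied { read getattr } for pid=3418 exe=/usr/bin/ssh name=id_dsa dev=sda1 ino=12 scontext=user_u:user_r:user_ssh_t tcontext=system_u:object_r:removable_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        return {
            "perms": m.group("perms").split(),
            # The type is the third field of user:role:type[:level].
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "exe": fields.get("exe"),
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def allow_rules(log_text):
    """Merge denials per (source, target, class) into sorted allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["perms"]:
            key = (rec["source"], rec["target"], rec["tclass"])
            merged[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

The two rules it prints are separate grants: the mnt_t rule only lets ssh traverse /mnt, while the removable_t rule is the one that exposes file contents on the media.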