Bug 119498 - SELinux policy should allow ssh and ssh-agent to search mnt_t
Product: Fedora
Classification: Fedora
Component: openssh
Platform: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Brian Brock
Reported: 2004-03-30 17:29 EST by Konstantin Ryabitsev
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-06-15 15:17:48 EDT
Description Konstantin Ryabitsev 2004-03-30 17:29:00 EST
(feel free to refile under selinux/policy, if this is filed incorrectly)

Description of problem:
Some people store their sensitive data such as ssh keys on removable
media (and if they aren't, they should. :)). Therefore, SELinux
policies should allow ssh to read devices in /mnt. Currently
attempting to access files stored on a flash card by issuing a "ssh
hostname" or ssh-add .ssh/id_dsa results in something like:

Mar 30 17:24:56 hagrid kernel: audit(1080685496.479:0): avc:  denied  { search } for  pid=3418 exe=/usr/bin/ssh name=mnt dev=hda1 ino=114017 scontext=user_u:user_r:user_ssh_t tcontext=system_u:object_r:mnt_t
Comment 1 Russell Coker 2004-08-27 08:12:15 EDT
Another possibility is that a mounted file system has some secret data which normal users are not permitted to access, and thus allowing such an operation will on some systems permit unprivileged users to use the ssh client to access data that they are otherwise not permitted to access.
I believe that this is not a bug, it is a local configuration issue.
Comment 2 Daniel Walsh 2005-02-07 10:44:20 EST
Being able to search the /mnt directory is not the same as being able to read it.
USB devices and such should get mounted as removable_t, which ssh is not allowed
to read.  We can either add a boolean or allow search of mnt_t dirs and reading
of removable_t.

Comment 3 Colin Walters 2005-02-07 11:18:52 EST
I don't see why ssh shouldn't be able to read mnt_t.

As for removable_t; right now HAL allows console users access to
removable media by default.  We want to support people storing data on
USB keys and the like.  So I'd suggest that if we have a boolean it
should be on by default.

Now there is the potential for a compromised ssh daemon to access
potentially secret information stored on removable media; but right
now a compromised ssh daemon could also simply transition to user_t or

I'd suggest that sites with data they wish to protect should be
ensuring via the HAL policy files or whatever that the media gets an
appropriate context mount or whatever.
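The boolean-gated rules that Comments 2 and 3 describe (search on mnt_t, read on removable_t, switch on by default), written out as a present-day SELinux local policy module. This is an added example, not the change that went into selinux-policy-strict-1.21.9-1, and it is not code from the openssh or selinux-policy projects. The module name, the boolean name ssh_use_removable_media and the client domain ssh_t are assumptions; the strict policy of the period used user_ssh_t, as the AVC record in the report shows. mnt_t and removable_t are the types named in the thread.

```selinux
# Added example (not the shipped fix): a local module that lets the ssh
# client traverse /mnt and read files on removable media, gated behind a
# boolean so a site can switch it off. Module, boolean and domain names
# are assumptions.
policy_module(local_ssh_removable, 1.0)

# Default on as Comment 3 proposes. Sites that keep secrets on mounted
# media turn it off with: setsebool -P ssh_use_removable_media off
gen_tunable(ssh_use_removable_media, true)

require {
    type ssh_t;         # ssh client domain (user_ssh_t in the 2005 strict policy)
    type mnt_t;         # the /mnt directory
    type removable_t;   # files and directories on removable media
}

tunable_policy(`ssh_use_removable_media', `
    # search only: ssh needs to traverse /mnt to reach a mount point.
    # Listing or reading /mnt itself is not granted (see Comment 2).
    allow ssh_t mnt_t:dir search;

    # read-only access to key material stored on the removable volume
    allow ssh_t removable_t:dir { getattr open read search };
    allow ssh_t removable_t:file { getattr open read };
    allow ssh_t removable_t:lnk_file read;
')
```

Build and load it with the policy devel Makefile (make -f /usr/share/selinux/devel/Makefile local_ssh_removable.pp, then semodule -i local_ssh_removable.pp) and confirm the switch with getsebool ssh_use_removable_media. If the ssh client runs in a differently named domain on your policy, the require block must name that type; ps -eZ while an ssh session is open shows which one it is. For the case Russell Coker raises in Comment 1, the alternative Comment 3 points at is to keep the boolean off or to mount the sensitive volume with a label the ssh domain has no rule for (the context= mount option), rather than to widen the policy.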
Comment 4 Daniel Walsh 2005-02-09 11:04:39 EST
Added to selinux-policy-strict-1.21.9-1
