Bug 131083 - sshd does not permit SE Linux logins
Product: Fedora
Classification: Fedora
Component: openssh
i386 Linux
Severity: medium
Assigned To: Nalin Dahyabhai
Brian Brock
Blocks: FC3Blocker
Reported: 2004-08-27 08:17 EDT by Russell Coker
Modified: 2007-11-30 17:10 EST (History)

Fixed In Version: 3.9p1-2
Doc Type: Bug Fix
Last Closed: 2004-09-03 17:00:48 EDT

Attachments: None
Description Russell Coker 2004-08-27 08:17:07 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux) (KHTML, like Gecko)

Description of problem:
After upgrading my server to openssh-server-3.9p1-1 I could not login any more.

The sshd was not relabelling the terminal device node to the new SE Linux context, so the context remained as sshd_devpts_t instead of being correctly set to user_devpts_t or staff_devpts_t.  The previous version worked well.

I can give you administrative access to a SE Linux test machine running the latest rawhide to duplicate this if necessary.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Upgrade a SE Linux machine to the latest rawhide and observe that you can't login.

Actual Results:  The below message appears in /var/log/messages and the session is terminated.

avc:  denied  { read write } for  pid=18055 exe=/bin/bash path=/dev/pts/1 dev=devpts ino=3 scontext=root:staff_r:staff_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file

Additional info:
Comment 1 Russell Coker 2004-08-27 08:19:29 EDT
The above occurs when using the "strict" policy.  Using "targeted" it is likely to work without problems although I have not yet tested this.  In any case using "targeted" will give different symptoms if it fails.
Comment 2 Stephen Smalley 2004-08-27 08:44:04 EDT
Looks like the openssh-selinux.patch wasn't properly updated for
openssh-3.9p1, and unfortunately it happened to compile nonetheless.
In sshpty.c, the -selinux patch is referencing "ttyname" whereas the
function parameter is now named "tty".  It happens to compile (albeit
with warnings) because ttyname is defined in global scope for
ttyname(3), so I guess we are passing a _function pointer_ here rather
than the tty name.  s/ttyname/tty/g please in the openssh-selinux.patch.
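The mix-up Stephen describes (a global function name `ttyname` silently standing in for the string parameter `tty`) is worth seeing in miniature. The C below is an added example, not OpenSSH's code or the -selinux patch: `relabel_tty` models the relabel step in sshpty.c by validating the tty path and reporting the devpts label it would apply (the role-to-type mapping and the hard-coded `root` user are assumptions; libselinux is not called), `RELABEL_TTY` is a wrapper macro whose `_Generic` selection has no default case, so handing it a function designator such as `ttyname` is a compile error rather than a warning, and `avc_is_stale_sshd_pts` checks a log line for the symptom reported above (a shell denied on a pts device still labelled `sshd_devpts_t`). The avc line in `main` is constructed from the report.

```c
/* Added example (not OpenSSH's code): models the relabel step from the
 * sshpty.c SELinux patch, makes the ttyname/tty mix-up a hard compile
 * error, and checks an avc: denied line for the reported symptom. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* declares ttyname(3), the global name picked up by mistake */

/* The intended callee: takes the tty *path* as a string. Instead of calling
 * libselinux (not available here), it validates the path and writes the
 * devpts label it would apply. Role->type mapping and the "root" user
 * component are assumptions for the example. */
static int relabel_tty(const char *tty, const char *role, char *label, size_t len)
{
    if (tty == NULL || strncmp(tty, "/dev/", 5) != 0)
        return -1;                          /* not a device path: refuse */
    const char *type = strcmp(role, "staff_r") == 0 ? "staff_devpts_t"
                     : strcmp(role, "user_r")  == 0 ? "user_devpts_t"
                     : NULL;
    if (type == NULL)
        return -1;                          /* unknown role: refuse rather than guess */
    snprintf(label, len, "%s:object_r:%s", "root", type);
    return 0;
}

/* Compile-time guard: the generic selection has no default association, so
 * any argument that is not a char pointer (e.g. the function designator
 * ttyname) is rejected by the compiler instead of merely warned about. */
#define RELABEL_TTY(tty, role, label, len) \
    relabel_tty(_Generic((tty), char *: (tty), const char *: (tty)), (role), (label), (len))

/* Detection side: does an avc: denied line show a process blocked on a pts
 * device that still carries the sshd_devpts_t label? Returns 1 or 0. */
static int avc_is_stale_sshd_pts(const char *line)
{
    return strstr(line, "avc:  denied") != NULL
        && strstr(line, "dev=devpts") != NULL
        && strstr(line, "tcontext=") != NULL
        && strstr(line, ":sshd_devpts_t") != NULL
        && strstr(line, "tclass=chr_file") != NULL;
}

int main(void)
{
    char label[64];
    const char *tty = "/dev/pts/1";          /* the string variable, as in the fixed patch */
    if (RELABEL_TTY(tty, "staff_r", label, sizeof label) == 0)
        printf("%s -> %s\n", tty, label);

    /* The original mistake would be RELABEL_TTY(ttyname, ...): with the macro
     * above it no longer compiles, whereas bare relabel_tty(ttyname, ...)
     * only produced a warning. */

    /* Constructed log line modelled on the avc message in the report. */
    const char *avc = "avc:  denied  { read write } for  pid=18055 exe=/bin/bash "
                      "path=/dev/pts/1 dev=devpts ino=3 scontext=root:staff_r:staff_t "
                      "tcontext=root:object_r:sshd_devpts_t tclass=chr_file";
    printf("stale sshd pts label: %s\n", avc_is_stale_sshd_pts(avc) ? "yes" : "no");
    return 0;
}
```

Build with `-Wall` so the warning class that let the original slip through is visible; the `_Generic` wrapper is the part that turns it into an error regardless of warning settings.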
Comment 3 Nalin Dahyabhai 2004-09-03 17:00:48 EDT
This should be fixed in 3.9p1-2 and later.  Please reopen if you find
that this is not the case.  Thanks!
