Bug 1373707 - enabling MLS policy per RHEL7 SELinux Admin's Guide denies root login via tty, serial, ssh
Keywords:
Status: CLOSED DUPLICATE of bug 1353975
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: initscripts
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: initscripts Maintenance Team
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-09-07 03:01 UTC by Ryan Sawhill
Modified: 2019-12-16 06:39 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-08 08:59:52 UTC
Target Upstream Version:


Attachments
audit log with AVCs covering permissive-mode tty, ssh, ttyS logins (26.41 KB, text/plain)
2016-09-07 03:01 UTC, Ryan Sawhill


Links
Red Hat Bugzilla 1353975 (last updated 2021-01-20 06:05:38 UTC)
Red Hat Knowledge Base (Solution) 2607681 (last updated 2016-09-07 17:12:31 UTC)

Description Ryan Sawhill 2016-09-07 03:01:52 UTC
Created attachment 1198490
audit log with AVCs covering permissive-mode tty, ssh, ttyS logins

DESCRIPTION OF PROBLEM:

  After following the standard instructions to enable MLS on a fully up-to-date RHEL 7.2.z machine with virtually no other config changes, root cannot login via ssh, tty, or serial.

  After the relabel and second reboot, login via tty & serial each generate an AVC by comm=abrt-dbus which doesn't seem like that big of a deal. Logging in over ssh on the other hand logs what would have been a denial by comm=sshd of perm dyntransition.

  After `setenforce 1`, trying to login via tty, serial, and ssh ALL FAIL and none generate AVCs. Re-enabling dontaudit (semodule -DB) gets tons of stuff, including the unix_chkpwd command needing to do its thing.

VERSION-RELEASE NUMBER OF SELECTED COMPONENT:

  selinux-policy-mls-3.13.1-60.el7_2.7.noarch

HOW REPRODUCIBLE:

  100%

STEPS TO REPRODUCE:

  0. Follow instructions from SELinux Admin's Guide: http://red.ht/2c8k5kH

  Or ... to be explicit:
  
  0. I used a RHEL 7.2 kickstart with @base + screen, vim-enhanced, kernel-doc, sos, elinks, setools-console, policycoreutils-python, psmisc, and ntp
  1. Register with `subscription-manager` and then restrict repos to just base rhel7 server repo
  2. `yum update -y; reboot`
  3. `yum install selinux-policy-mls -y`
  4. `sed -i -e '/^SELINUX=/s/=.*/=permissive/' -e '/^SELINUXTYPE=/s/=.*/=mls/' /etc/selinux/config`
  5. `fixfiles -F onboot; reboot`
  6. After the relabel and second reboot, login and `setenforce 1`
  7. Try to login via tty, serial, or ssh and see that all fail with no AVCs.
  8. `semodule -DB`
  9. Try again and take a look at all the AVCs.
  
ACTUAL RESULTS:

  root user cannot login via any means after following standard instructions to enable MLS with latest packages.
  
EXPECTED RESULTS:

  root CAN login.
  I don't care whether this requires extra boolean-flipping or messing with `semanage`, but it clearly needs to be tested and documented.


ADDITIONAL INFO:

I created this BZ at the suggestion of Simon Sekidde in an selinux-internal-list mail thread.
I'm attaching an audit.log from this system while in permissive mode.
I basically did the above steps, then switched back to permissive, then did:

~~~
service auditd rotate
setenforce 0    # just to be explicit
auditctl -m " L O G G I N G  I N  V I A  S S H  C O M E S  N E X T "
# then I logged in via ssh
auditctl -m " L O G G I N G  I N  V I A  S E R I A L  C O M E S  N E X T "
# then I logged in via serial
auditctl -m " L O G G I N G  I N  V I A  T T Y  C O M E S  N E X T "
# then I logged in via tty
service auditd stop
~~~

I didn't log out of any consoles in order to cut down on noise.

Here you can see a little from the log:

[root@selinux72 ~]# ausearch -if audit.log -m user
----
time->Tue Sep  6 22:03:07 2016
type=USER msg=audit(1473213787.232:1479): pid=23441 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  S S H  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'
----
time->Tue Sep  6 22:04:13 2016
type=USER msg=audit(1473213853.424:1504): pid=23542 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  S E R I A L  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'
----
time->Tue Sep  6 22:07:23 2016
type=USER msg=audit(1473214043.986:1520): pid=23636 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  T T Y  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'

[root@selinux72 ~]# ausearch -if audit.log -m avc | aureport -a -i 

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1478
2. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1478
3. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1478
4. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:hostname_t:s0 denied 1501
5. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:hostname_t:s0 denied 1501
6. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:hostname_t:s0 denied 1501
7. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
8. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
9. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
10. 09/06/2016 22:03:10 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1502
11. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
12. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
13. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
14. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:chkpwd_t:s0-s15:c0.c1023 execve chr_file read write system_u:object_r:tty_device_t:s0 denied 1506
15. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1503
16. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1503
17. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1503
18. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
19. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
20. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
21. 09/06/2016 22:04:18 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1516
22. 09/06/2016 22:04:18 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1516
23. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
24. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
25. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process rlimitinh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
26. 09/06/2016 22:04:18 login system_u:system_r:local_login_t:s0-s15:c0.c1023 setsockopt capability net_admin system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1512
27. 09/06/2016 22:04:18 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1518
28. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1519
29. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1519
30. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1519
31. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
32. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
33. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
34. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
35. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
36. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
37. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:chkpwd_t:s0-s15:c0.c1023 execve chr_file read write system_u:object_r:tty_device_t:s0 denied 1522
38. 09/06/2016 22:07:26 login system_u:system_r:local_login_t:s0-s15:c0.c1023 setsockopt capability net_admin system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1528
39. 09/06/2016 22:07:26 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1532
40. 09/06/2016 22:07:26 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1532
41. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
42. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
43. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process rlimitinh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
44. 09/06/2016 22:07:26 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1534
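
Added example (editor's code, not the reporter's or Red Hat's): a small triage script for `aureport -a -i` output like the report above. Once `semodule -DB` has disabled dontaudit rules, the report fills up with process { noatsecure siginh rlimitinh } rows on every domain transition; the script splits those off from the denials that actually explain a failed login (chkpwd_t on the tty device, local_login_t wanting net_admin, and so on) and counts the rest per source type, target type and permission. The rows in REPORT are copied from the report in this description; treating noatsecure/siginh/rlimitinh as dontaudit noise is the editor's assumption, not something the reporter states.

```python
"""Triage an `aureport -a -i` AVC report: separate dontaudit noise from real denials.

Added example by the editor, not code from the bug report or from Red Hat.
The rows in REPORT are copied from the AVC report in the description; the
classification of process { noatsecure siginh rlimitinh } as "noise" is the
editor's assumption that those permissions are normally covered by dontaudit
rules and only surface because `semodule -DB` disabled them.
"""
from collections import Counter

# Permissions on the "process" class that policies normally dontaudit on a
# domain transition (assumption, see module docstring).
DONTAUDIT_NOISE = {"noatsecure", "siginh", "rlimitinh"}

# Rows copied from the report in the description (header line included to
# show that non-row lines are skipped).
REPORT = """\
# date time comm subj syscall class permission obj event
7. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
8. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
10. 09/06/2016 22:03:10 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1502
14. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:chkpwd_t:s0-s15:c0.c1023 execve chr_file read write system_u:object_r:tty_device_t:s0 denied 1506
18. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
26. 09/06/2016 22:04:18 login system_u:system_r:local_login_t:s0-s15:c0.c1023 setsockopt capability net_admin system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1512
37. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:chkpwd_t:s0-s15:c0.c1023 execve chr_file read write system_u:object_r:tty_device_t:s0 denied 1522
38. 09/06/2016 22:07:26 login system_u:system_r:local_login_t:s0-s15:c0.c1023 setsockopt capability net_admin system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1528
"""


def parse_row(line):
    """Split one report row into fields.

    The permission column can hold several words ("read write"), so the row is
    split from both ends: seven fixed fields at the front, three at the back
    (obj, result, event id), and whatever is left in the middle is the
    permission list.
    """
    fields = line.split()
    if len(fields) < 11:
        raise ValueError(f"not an aureport row: {line!r}")
    idx, date, time, comm, subj, syscall, cls = fields[:7]
    obj, result, event = fields[-3:]
    return {
        "idx": int(idx.rstrip(".")),
        "date": date, "time": time, "comm": comm, "subj": subj,
        "syscall": syscall, "class": cls, "perms": fields[7:-3],
        "obj": obj, "result": result, "event": int(event),
    }


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def is_noise(row):
    """True for transition bookkeeping permissions that are normally dontaudited."""
    return row["class"] == "process" and set(row["perms"]) <= DONTAUDIT_NOISE


def triage(report):
    """Return (real, noise) lists of parsed rows; lines that are not rows are skipped."""
    real, noise = [], []
    for line in report.splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():
            continue
        row = parse_row(line)
        (noise if is_noise(row) else real).append(row)
    return real, noise


def summarize(rows):
    """Count denials per (comm, source type, class, target type, permissions)."""
    return Counter(
        (r["comm"], type_of(r["subj"]), r["class"], type_of(r["obj"]), " ".join(r["perms"]))
        for r in rows
    )


if __name__ == "__main__":
    real, noise = triage(REPORT)
    print(f"{len(noise)} dontaudit-noise rows skipped, {len(real)} real denials:")
    for key, n in summarize(real).most_common():
        comm, stype, cls, ttype, perms = key
        print(f"  {n}x {comm}: {stype} -> {ttype} {cls} {{ {perms} }}")
```

Feed it the full report (`ausearch -if audit.log -m avc | aureport -a -i`) via a file instead of the REPORT constant to get the same split for a real capture; the grouping key deliberately drops the MLS range so that identical denials at different levels collapse into one line.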

Comment 1 Ryan Sawhill 2016-09-07 03:07:00 UTC
One last note: at the suggestion of plautrba in the mail thread, I did `setsebool -P ssh_sysadm_login=on`, prior to capturing the audit.log. While it might have made a difference, it didn't clear everything else up.

Also, to be CRYSTAL CLEAR, my kickstart does NOTHING ELSE with semanage. No user/role nonsense. Nothing has been customized.

[root@selinux72 ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s15:c0.c1023                auditadm_r staff_r secadm_r sysadm_r system_r
staff_u         user       s0         s0-s15:c0.c1023                auditadm_r staff_r secadm_r sysadm_r system_r
sysadm_u        user       s0         s0-s15:c0.c1023                sysadm_r
system_u        user       s0         s0-s15:c0.c1023                system_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
[root@selinux72 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 root                 s0-s15:c0.c1023      *
system_u             system_u             s0-s15:c0.c1023      *

Comment 3 Petr Lautrbach 2016-09-07 08:48:34 UTC
This is an initscripts bug #1353975 which will be fixed in RHEL-7.3 and we should probably propose it for rhel-7.2.z as well.

The problem is that /etc directory is mislabeled after reboot:

# ls -ldZ /etc
drwxr-xr-x. root root system_u:object_r:etc_t:s15:c0.c1023 /etc


The fix is to add -F option to restorecon in /usr/lib/systemd/rhel-import-state:

# diff -u /usr/lib/systemd/rhel-import-state.bug /usr/lib/systemd/rhel-import-state
--- /usr/lib/systemd/rhel-import-state.bug      2016-09-07 04:44:45.413231227 -0400
+++ /usr/lib/systemd/rhel-import-state  2016-09-07 04:44:51.645274588 -0400
@@ -7,5 +7,5 @@
 
 # run restorecon on the copied files
 if [ -e /sys/fs/selinux/enforce -a -x /usr/sbin/restorecon ]; then
-    find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i; }
+    find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i -F; }
 fi
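
Review bot: the `restorecon -i -F` line needs a comment saying why `-F` is required, because the hunk reads like a no-op otherwise: restorecon without `-F` resets only the type portion of a label, so a directory that already has the right type but the wrong MLS range, like the `system_u:object_r:etc_t:s15:c0.c1023` shown for /etc above, is left untouched, and only `-F` rewrites the user, role and range as well. One line next to the command would stop the flag being dropped again as apparently redundant. Minor: `-a` inside `[ ... ]` is the obsolescent form; `[ -e /sys/fs/selinux/enforce ] && [ -x /usr/sbin/restorecon ]` is the portable spelling, and note that the `-e` test only checks that selinuxfs is mounted, not that SELinux is enforcing.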

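Added example (editor's code, not the reporter's, Petr's or initscripts'): a model of the restorecon(8) rule that comment 3 relies on, so the /etc case can be checked without an MLS box at hand. Without `-F` restorecon resets only the type field; with `-F` it resets user, role and MLS/MCS range too. Given an observed label and the policy default, the script says which of the two commands would actually repair it. DEFAULT_CONTEXTS is a constructed stand-in for the file_contexts lookup that `matchpathcon` performs; the /etc label is the one from comment 3, the /etc/passwd mislabel is constructed for contrast.

```python
"""Decide whether a plain `restorecon` can repair a label or `-F` is required.

Added example by the editor, not code from the bug report or from initscripts.
It encodes the rule from restorecon(8): without -F only the type portion of
the context is reset; with -F the user, role and MLS/MCS range are reset as
well. DEFAULT_CONTEXTS is a constructed stand-in for the policy's
file_contexts (what `matchpathcon` would return); only the paths used here
are listed.
"""
from dataclasses import dataclass

OK, PLAIN, FORCE = "ok", "restorecon", "restorecon -F"


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    level: str  # MLS/MCS level or range, e.g. "s0" or "s15:c0.c1023"

    @classmethod
    def parse(cls, text):
        # The range may itself contain ':' (s15:c0.c1023), so split at most 3 times.
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not a SELinux context: {text!r}")
        level = parts[3] if len(parts) == 4 else "s0"  # assumption: no range means s0
        return cls(parts[0], parts[1], parts[2], level)

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type_}:{self.level}"


# Constructed stand-in for file_contexts lookups.
DEFAULT_CONTEXTS = {
    "/etc": "system_u:object_r:etc_t:s0",
    "/etc/passwd": "system_u:object_r:passwd_file_t:s0",
}


def relabel_plan(path, actual_ctx, defaults=DEFAULT_CONTEXTS):
    """Return (verdict, after_plain, after_force) for one path.

    after_plain is the label a plain `restorecon` would leave (type reset
    only); after_force is what `restorecon -F` would leave (the full default
    context).
    """
    actual = Context.parse(actual_ctx)
    expected = Context.parse(defaults[path])
    after_plain = Context(actual.user, actual.role, expected.type_, actual.level)
    if actual == expected:
        verdict = OK
    elif after_plain == expected:
        verdict = PLAIN
    else:
        verdict = FORCE
    return verdict, str(after_plain), str(expected)


def needs_force(labels, defaults=DEFAULT_CONTEXTS):
    """Paths whose label a plain restorecon would silently leave wrong."""
    return [p for p, ctx in labels.items() if relabel_plan(p, ctx, defaults)[0] == FORCE]


if __name__ == "__main__":
    # The /etc label from comment 3, plus a constructed type-only mislabel.
    observed = {
        "/etc": "system_u:object_r:etc_t:s15:c0.c1023",
        "/etc/passwd": "system_u:object_r:etc_t:s0",
    }
    for path, ctx in observed.items():
        verdict, plain, forced = relabel_plan(path, ctx)
        print(f"{path}: {ctx}\n  plain -> {plain}\n  -F    -> {forced}\n  verdict: {verdict}")
```

On a real system the equivalent check is `restorecon -n -v -F /etc` against `restorecon -n -v /etc`: only the first reports the s15:c0.c1023 range as a change, which is exactly why the `find ... | xargs restorecon -i` in rhel-import-state left /etc mislabeled.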
Comment 4 Ryan Sawhill 2016-09-07 16:37:24 UTC
We can close this as a duplicate of that bug #1353975 if you guys like. Up to you.

Of course I agree that there should be a 7.2.z initscripts release ASAP, since this is a total blocker, but I don't currently have any non-RH customers asking about MLS in RHEL 7.2.

