Bug 1373707 - enabling MLS policy per RHEL7 SELinux Admin's Guide denies root login via tty, serial, ssh
Keywords:
Status: CLOSED DUPLICATE of bug 1353975
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: initscripts
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: initscripts Maintenance Team
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-07 03:01 UTC by Ryan Sawhill
Modified: 2019-12-16 06:39 UTC
CC: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-08 08:59:52 UTC
Target Upstream Version:
Embargoed:


Attachments
audit log with AVCs covering permissive-mode tty, ssh, ttyS logins (26.41 KB, text/plain), 2016-09-07 03:01 UTC, Ryan Sawhill


Links
System                             ID       Private  Priority  Status  Summary  Last Updated
Red Hat Bugzilla                   1353975  1        None      None    None     2021-01-20 06:05:38 UTC
Red Hat Knowledge Base (Solution)  2607681  0        None      None    None     2016-09-07 17:12:31 UTC

Description Ryan Sawhill 2016-09-07 03:01:52 UTC
Created attachment 1198490
audit log with AVCs covering permissive-mode tty, ssh, ttyS logins

DESCRIPTION OF PROBLEM:

  After following the standard instructions to enable MLS on a fully up-to-date RHEL 7.2.z machine with virtually no other config changes, root cannot log in via ssh, tty, or serial.

  After the relabel and second reboot, logging in via tty & serial each generates an AVC by comm=abrt-dbus, which doesn't seem like that big of a deal. Logging in over ssh, on the other hand, logs what would have been a denial by comm=sshd of perm dyntransition.

  After `setenforce 1`, login attempts via tty, serial, and ssh ALL FAIL and none generate AVCs. Re-enabling dontaudit (semodule -DB) gets tons of stuff, including the unix_chkpwd command needing to do its thing.

VERSION-RELEASE NUMBER OF SELECTED COMPONENT:

  selinux-policy-mls-3.13.1-60.el7_2.7.noarch

HOW REPRODUCIBLE:

  100%

STEPS TO REPRODUCE:

  0. Follow instructions from SELinux Admin's Guide: http://red.ht/2c8k5kH

  Or ... to be explicit:
  
  0. I used a RHEL 7.2 kickstart with @base + screen, vim-enhanced, kernel-doc, sos, elinks, setools-console, policycoreutils-python, psmisc, and ntp
  1. Register with `subscription-manager` and then restrict repos to just base rhel7 server repo
  2. `yum update -y; reboot`
  3. `yum install selinux-policy-mls -y`
  4. `sed -i -e '/^SELINUX=/s/=.*/=permissive/' -e '/^SELINUXTYPE=/s/=.*/=mls/' /etc/selinux/config`
  5. `fixfiles -F onboot; reboot`
  6. After the relabel and second reboot, login and `setenforce 1`
  7. Try to log in via tty, serial, or ssh and see that all fail with no AVCs.
  8. `semodule -DB`
  9. Try again and take a look at all the AVCs.
  
ACTUAL RESULTS:

  root user cannot log in via any means after following standard instructions to enable MLS with latest packages.
  
EXPECTED RESULTS:

  root CAN log in.
  I don't care whether this requires extra boolean-flipping or messing with `semanage`, but it clearly needs to be tested and documented.


ADDITIONAL INFO:

I created this BZ at the suggestion of Simon Sekidde in an selinux-internal-list mail thread.
I'm attaching an audit.log from this system while in permissive mode.
I basically did the above steps, then switched back to permissive, then did:

~~~
service auditd rotate
setenforce 0    # just to be explicit
auditctl -m " L O G G I N G  I N  V I A  S S H  C O M E S  N E X T "
# then I logged in via ssh
auditctl -m " L O G G I N G  I N  V I A  S E R I A L  C O M E S  N E X T "
# then I logged in via serial
auditctl -m " L O G G I N G  I N  V I A  T T Y  C O M E S  N E X T "
# then I logged in via tty
service auditd stop
~~~

I didn't log out of any consoles in order to cut down on noise.

Here you can see a little from the log:

[root@selinux72 ~]# ausearch -if audit.log -m user
----
time->Tue Sep  6 22:03:07 2016
type=USER msg=audit(1473213787.232:1479): pid=23441 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  S S H  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'
----
time->Tue Sep  6 22:04:13 2016
type=USER msg=audit(1473213853.424:1504): pid=23542 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  S E R I A L  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'
----
time->Tue Sep  6 22:07:23 2016
type=USER msg=audit(1473214043.986:1520): pid=23636 uid=0 auid=0 ses=60 subj=root:sysadm_r:auditctl_t:s0 msg=' L O G G I N G  I N  V I A  T T Y  C O M E S  N E X T  exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/1 res=success'

[root@selinux72 ~]# ausearch -if audit.log -m avc | aureport -a -i 

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1478
2. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1478
3. 09/06/2016 22:03:07 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1478
4. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:hostname_t:s0 denied 1501
5. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:hostname_t:s0 denied 1501
6. 09/06/2016 22:03:10 hostname root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:hostname_t:s0 denied 1501
7. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
8. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
9. 09/06/2016 22:03:10 unix_chkpwd system_u:system_r:sshd_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1487
10. 09/06/2016 22:03:10 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1502
11. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
12. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
13. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1506
14. 09/06/2016 22:04:15 unix_chkpwd system_u:system_r:chkpwd_t:s0-s15:c0.c1023 execve chr_file read write system_u:object_r:tty_device_t:s0 denied 1506
15. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1503
16. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1503
17. 09/06/2016 22:04:13 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1503
18. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
19. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
20. 09/06/2016 22:04:15 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1505
21. 09/06/2016 22:04:18 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1516
22. 09/06/2016 22:04:18 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1516
23. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
24. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
25. 09/06/2016 22:04:18 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process rlimitinh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1517
26. 09/06/2016 22:04:18 login system_u:system_r:local_login_t:s0-s15:c0.c1023 setsockopt capability net_admin system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1512
27. 09/06/2016 22:04:18 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1518
28. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process noatsecure root:sysadm_r:auditctl_t:s0 denied 1519
29. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process siginh root:sysadm_r:auditctl_t:s0 denied 1519
30. 09/06/2016 22:07:23 auditctl root:sysadm_r:sysadm_t:s0 execve process rlimitinh root:sysadm_r:auditctl_t:s0 denied 1519
31. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
32. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
33. 09/06/2016 22:07:25 login system_u:system_r:getty_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1521
34. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
35. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
36. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process rlimitinh system_u:system_r:chkpwd_t:s0-s15:c0.c1023 denied 1522
37. 09/06/2016 22:07:25 unix_chkpwd system_u:system_r:chkpwd_t:s0-s15:c0.c1023 execve chr_file read write system_u:object_r:tty_device_t:s0 denied 1522
38. 09/06/2016 22:07:26 login system_u:system_r:local_login_t:s0-s15:c0.c1023 setsockopt capability net_admin system_u:system_r:local_login_t:s0-s15:c0.c1023 denied 1528
39. 09/06/2016 22:07:26 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1532
40. 09/06/2016 22:07:26 bash system_u:system_r:local_login_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:sysadm_t:s0-s15:c0.c1023 denied 1532
41. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process noatsecure root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
42. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process siginh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
43. 09/06/2016 22:07:26 hostname root:sysadm_r:sysadm_t:s0-s15:c0.c1023 execve process rlimitinh root:sysadm_r:hostname_t:s0-s15:c0.c1023 denied 1533
44. 09/06/2016 22:07:26 abrt-dbus system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 openat dir read system_u:object_r:var_spool_t:s0 denied 1534
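Added example, not part of the report or its attachment: a shell filter for the situation in steps 8 and 9 above, where `semodule -DB` floods the log with denials that the stock policy normally dontaudits. Every domain transition triggers checks for process { noatsecure siginh rlimitinh } and policy deliberately silences them, so the filter drops those three and prints the remaining AVCs one per line. The sample records are constructed here to mirror the aureport rows, and `triage_avcs` is a name chosen for this example.

```shell
#!/bin/sh
# Constructed sample records (not from the bug's attachment) in the shape
# `ausearch -m avc` prints; field values mirror the aureport rows above.
SAMPLE_AVCS='type=AVC msg=audit(1473213790.100:1487): avc:  denied  { noatsecure } for  pid=23460 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1473213790.100:1487): avc:  denied  { siginh } for  pid=23460 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1473213790.100:1487): avc:  denied  { rlimitinh } for  pid=23460 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1473213855.200:1506): avc:  denied  { read write } for  pid=23560 comm="unix_chkpwd" path="/dev/tty1" dev="devtmpfs" ino=1041 scontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1473213858.300:1512): avc:  denied  { net_admin } for  pid=23570 comm="login" capability=12 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=capability'

# Read AVC records on stdin and print "comm scontext tclass {perms} tcontext",
# one line per denial, skipping noatsecure/siginh/rlimitinh: every domain
# transition triggers those three checks, the policy dontaudits them, and
# they only surface because `semodule -DB` switched the dontaudit rules off.
triage_avcs() {
    awk '
        /type=AVC/ {
            perms = $0
            sub(/.*avc:  denied  [{] /, "", perms)
            sub(/ [}].*/, "", perms)
            if (perms ~ /^(noatsecure|siginh|rlimitinh)$/) next
            comm = ""; sc = ""; tc = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) sc  = substr($i, 10)
                if ($i ~ /^tcontext=/) tc  = substr($i, 10)
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            print comm, sc, cls, "{" perms "}", tc
        }'
}

# Demo on the constructed sample. On a real host feed the live log instead:
#   ausearch -m avc -ts today | triage_avcs
printf '%s\n' "$SAMPLE_AVCS" | triage_avcs
```

On the sample this leaves two lines: chkpwd_t wanting read/write on tty_device_t and local_login_t wanting net_admin, which are the entries worth reading against the policy, while the nine transition checks disappear. Remember to `semodule -B` afterwards to put the dontaudit rules back.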

Comment 1 Ryan Sawhill 2016-09-07 03:07:00 UTC
One last note: at the suggestion of plautrba in the mail thread, I did `setsebool -P ssh_sysadm_login=on` prior to capturing the audit.log. While it might have made a difference, it didn't clear everything else up.

Also, to be CRYSTAL CLEAR, my kickstart does NOTHING ELSE with semanage. No user/role nonsense. Nothing has been customized.

[root@selinux72 ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s15:c0.c1023                auditadm_r staff_r secadm_r sysadm_r system_r
staff_u         user       s0         s0-s15:c0.c1023                auditadm_r staff_r secadm_r sysadm_r system_r
sysadm_u        user       s0         s0-s15:c0.c1023                sysadm_r
system_u        user       s0         s0-s15:c0.c1023                system_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
[root@selinux72 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 root                 s0-s15:c0.c1023      *
system_u             system_u             s0-s15:c0.c1023      *

Comment 3 Petr Lautrbach 2016-09-07 08:48:34 UTC
This is an initscripts bug #1353975 which will be fixed in RHEL-7.3 and we should probably propose it for rhel-7.2.z as well.

The problem is that the /etc directory is mislabeled after reboot:

# ls -ldZ /etc
drwxr-xr-x. root root system_u:object_r:etc_t:s15:c0.c1023 /etc


The fix is to add -F option to restorecon in /usr/lib/systemd/rhel-import-state:

# diff -u /usr/lib/systemd/rhel-import-state.bug /usr/lib/systemd/rhel-import-state
--- /usr/lib/systemd/rhel-import-state.bug      2016-09-07 04:44:45.413231227 -0400
+++ /usr/lib/systemd/rhel-import-state  2016-09-07 04:44:51.645274588 -0400
@@ -7,5 +7,5 @@
 
 # run restorecon on the copied files
 if [ -e /sys/fs/selinux/enforce -a -x /usr/sbin/restorecon ]; then
-    find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i; }
+    find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i -F; }
 fi
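Review bot: the whole fix is the `-F` in `xargs --null restorecon -i -F`, and the script should say why it is there, because someone tidying flags later will not see the difference: extend the "# run restorecon on the copied files" comment with a note that `-F` resets the full context (user, role and MLS range), whereas plain restorecon only compares and resets the type. That is exactly why the bug is invisible on targeted policy and fatal on MLS: the imported copy of /etc already has type etc_t, so without `-F` restorecon leaves the inherited range s15:c0.c1023 in place, as the `ls -ldZ /etc` output above shows, and the mismatched range is what blocks the logins.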

Comment 4 Ryan Sawhill 2016-09-07 16:37:24 UTC
We can close this as a duplicate to that bug #1353975 if you guys like. Up to you.

Of course I agree that there should be a 7.2.z initscripts release ASAP, since this is a total blocker, but I don't currently have any non-RH customers asking about MLS in RHEL 7.2.
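Added example, not initscripts code and not from the bug: shell helpers to confirm the root cause from comment 3 on a host (right type, wrong MLS range on /etc) and to check whether the installed rhel-import-state already carries the `-F` fix. The context parsing, `context_diagnosis` and `import_state_has_F` are names and logic chosen for this example; `matchpathcon -n` and the RHEL 7 `ls -dZ` layout are used as shown in comment 3.

```shell
#!/bin/sh
# Helpers for the mislabel from comment 3: a file whose type is correct but
# whose MLS range is not. Plain `restorecon` compares only the type, so it
# will never repair this; `restorecon -F` resets user, role and range too.

# A context is user:role:type:range. The range is everything after the third
# colon and may itself contain colons (s15:c0.c1023), hence `-f4-`.
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
context_range() { printf '%s\n' "$1" | cut -d: -f4-; }

# 0 if observed context $1 matches expected $2 in both type and range, else 1.
context_matches() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ] &&
    [ "$(context_range "$1")" = "$(context_range "$2")" ]
}

# Classify: "ok", "type" (plain restorecon fixes it) or "range" (only
# restorecon -F fixes it; this is the /etc case in the bug).
context_diagnosis() {
    if context_matches "$1" "$2"; then
        echo ok
    elif [ "$(context_type "$1")" != "$(context_type "$2")" ]; then
        echo type
    else
        echo range
    fi
}

# True when the given copy of rhel-import-state already passes -F to
# restorecon, i.e. carries the fix from comment 3 (hypothetical helper).
import_state_has_F() {
    grep -Eq 'restorecon( +-[A-Za-z]+)* +-[A-Za-z]*F' "$1"
}

# Live check, only meaningful where the SELinux tools exist: compare the
# context ls reports for a path with what the loaded policy expects.
check_path() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not available" >&2; return 2; }
    # Pick the field that is a file context (role object_r) so this works with
    # both the RHEL 7 `ls -dZ` layout shown above and newer coreutils.
    observed=$(ls -dZ "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
    expected=$(matchpathcon -n "$1")
    printf '%s: observed=%s expected=%s -> %s\n' "$1" "$observed" "$expected" \
        "$(context_diagnosis "$observed" "$expected")"
}

# Usage: sh this_script.sh /etc /etc/passwd
for p in "$@"; do check_path "$p"; done
```

On a host in the state from comment 3, `restorecon -nv /etc` prints nothing because the type already matches, while `restorecon -nvF /etc` reports the pending relabel; that pair of commands is the quickest way to tell a range mismatch from a type mismatch without this script.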

