Description of problem: selinux-policy-targeted denies polyinstantiated directories for sshd. Version-Release number of selected component (if applicable): 3.14.1-37 How reproducible: Always Steps to Reproduce: 1. setsebool -P polyinstantiation_enabled on 2. Add the following line to /etc/security/namespace.conf /tmp /tmp-inst/ level root,adm 3. Try to login using ssh Actual results: [untosten@localhost]$ ssh polytest@fedora-test polytest.0.1's password: PTY allocation request failed on channel 0 Connection to 127.0.0.1 closed. Expected results: SSH login should work and /tmp be polyinstantiated. Additional info: Audit log required dac_override capability for sshd_t: type=AVC msg=audit(1534510283.114:291): avc: denied { dac_override } for pid=3083 comm="sshd" capability=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability permissive=0 journalctl -u sshd shows: Aug 17 15:51:23 localhost.localdomain sshd[3083]: pam_namespace(sshd:session): Error creating or accessing instance parent /tmp-inst, Permission denied Aug 17 15:51:23 localhost.localdomain sshd[3083]: pam_unix(sshd:session): session opened for user polytest by (uid=0) Aug 17 15:51:23 localhost.localdomain sshd[3083]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session #################### I allowed dac_override. SSH login still failed: type=AVC msg=audit(1534510435.460:325): avc: denied { create } for pid=30827 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Aug 17 15:53:55 localhost.localdomain sshd[30827]: pam_namespace(sshd:session): Error creating or accessing instance parent /tmp-inst, Permission denied Aug 17 15:53:55 localhost.localdomain sshd[30827]: pam_unix(sshd:session): session opened for user polytest by (uid=0) Aug 17 15:53:55 localhost.localdomain sshd[30827]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session #################### So I allowed { create } too. After that SSH logins worked and /tmp was polyinstantiated. But is there any better method to get polyinstantiation working, without granting sshd_t dac_override capability?
Hi, Could you downgrade openssh package and then try to reproduce it? THanks, Lukas.
I downloaded package from Fedora Linux 27: openssh-7.6p1-5.fc27.x86_64.rpm and the dependencies. Did: rpm -Uvh --force /tmp/openssh*rpm and added missing dependency: dnf -y install tcp_wrappers-libs The older OpenSSH daemon runs fine, but I still get the denied { dac_override }. The connecting client's error message is a bit different, it does not complain about failed PTY allocation, but I guess this difference is irrelevant to our problem: [untosten@localhost]$ ssh polytest@fedora-test polytest.0.1's password: Connection to 127.0.0.1 closed.
I am not sure, but I may have possibly read from somewhere that they removed some dac_override permissions from apps on Fedora Linux lately. If that is so, this bug may be a consequence of those changes? I do not know. Just one path to investigate.
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
Hi Lukas! Thanks, your selinux-policy-3.14.1-42.fc2 indeed fixes the dac_override problem, but ssh logins still fail. The reason is that sshd_t cannot create directories in the root directory: time->Sat Sep 8 13:22:47 2018 type=AVC msg=audit(1536402167.897:200): avc: denied { create } for pid=1721 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Is this something that Red Hat could allow by default, or is it admin's own decision to allow this right? I am not totally sure, but personally I am inclined to think that perhaps the SELinux boolean polyinstantiation_enabled should allow this too? My rationale is the admin asked for polyinstantion_enabled after all, and it would be convenient if it all worked "out of the box" without any extra steps.
Jakub, Any idea whats going on here? Thanks, Lukas.
Hi! Lukas, I am not Jakub, and I am not totally sure what exactly are you asking, but anyway here's what I know: SSH needs this right because pam_namespace.so wants to create a mount point in the root directory. Polyinstantiated directories are based on bind mounts. For example, to hide and protect public /tmp, pam_namespace mounts /tmp-inst/whatever on top of it. This operation provides private directories for users, that is basically all there is to it. See /etc/security/namespace.conf, e.g. /tmp /tmp-inst/ level root,adm
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Fedora Update System has marked this case as "CLOSED, but it is not resolved yet.
(In reply to Unto Sten from comment #10) > Fedora Update System has marked this case as "CLOSED, but it is not resolved > yet. Ummm. Sorry. Apparently I do not know how to use Bugzilla, did ERRATA -> NOTABUG.
Unto, Next selinux-policy update should contain fix for this issue. THanks, Lukas.
Hi Lukas! Great news, thanks!!!
selinux-policy-3.14.1-48.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.