Bug 1618771 - Targeted policy denies polyinstantiated directories for sshd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-17 14:41 UTC by Unto Sten
Modified: 2018-11-09 05:25 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-11-09 05:25:42 UTC
Type: Bug
Embargoed:



Description Unto Sten 2018-08-17 14:41:22 UTC
Description of problem:

selinux-policy-targeted denies polyinstantiated directories for sshd.


Version-Release number of selected component (if applicable):

3.14.1-37


How reproducible:

Always


Steps to Reproduce:
1. setsebool -P polyinstantiation_enabled on
2. Add the following line to /etc/security/namespace.conf

/tmp     /tmp-inst/         level      root,adm


3. Try to login using ssh

Actual results:

[untosten@localhost]$ ssh polytest@fedora-test
polytest.0.1's password:
PTY allocation request failed on channel 0
Connection to 127.0.0.1 closed.


Expected results:

SSH login should work and /tmp be polyinstantiated.

Additional info:

Audit log required dac_override capability for sshd_t:

type=AVC msg=audit(1534510283.114:291): avc:  denied  { dac_override } for  pid=3083 comm="sshd" capability=1  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability permissive=0

journalctl -u sshd shows:

Aug 17 15:51:23 localhost.localdomain sshd[3083]: pam_namespace(sshd:session): Error creating or accessing instance parent /tmp-inst, Permission denied
Aug 17 15:51:23 localhost.localdomain sshd[3083]: pam_unix(sshd:session): session opened for user polytest by (uid=0) 
Aug 17 15:51:23 localhost.localdomain sshd[3083]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session 

####################

I allowed dac_override. SSH login still failed:

type=AVC msg=audit(1534510435.460:325): avc:  denied  { create } for  pid=30827 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0

Aug 17 15:53:55 localhost.localdomain sshd[30827]: pam_namespace(sshd:session): Error creating or accessing instance parent /tmp-inst, Permission denied
Aug 17 15:53:55 localhost.localdomain sshd[30827]: pam_unix(sshd:session): session opened for user polytest by (uid=0)
Aug 17 15:53:55 localhost.localdomain sshd[30827]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session

####################

So I allowed { create } too. After that SSH logins worked and /tmp was polyinstantiated.

But is there any better method to get polyinstantiation working, without granting sshd_t dac_override capability?
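
Added example, not part of the original report: a Python triage script that parses the two AVC records quoted in the description above, collapses them into the allow rules they would require (written the way audit2allow prints them), and separately lists denials of DAC-bypass capabilities such as dac_override so they can be reviewed before anything is allowed. The function names are illustrative.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the bug description above.
SAMPLE = """\
type=AVC msg=audit(1534510283.114:291): avc:  denied  { dac_override } for  pid=3083 comm="sshd" capability=1  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1534510435.460:325): avc:  denied  { create } for  pid=30827 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Capabilities that let a process bypass Unix file-mode (DAC) checks.
DAC_BYPASS = {"dac_override", "dac_read_search"}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def candidate_rules(log_text):
    """Collapse denials into the allow rules that would silence them."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        tgt = "self" if tgt == src else tgt
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def dac_bypass_denials(log_text):
    """List (comm, capability) pairs where access depended on bypassing file modes."""
    hits = []
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if rec["tclass"] == "capability":
            hits += [(rec.get("comm"), p) for p in rec["perms"] if p in DAC_BYPASS]
    return hits

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
    print(dac_bypass_denials(SAMPLE))
```
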

Comment 1 Lukas Vrabec 2018-08-28 18:52:30 UTC
Hi, 

Could you downgrade openssh package and then try to reproduce it? 

Thanks,
Lukas.

Comment 2 Unto Sten 2018-08-29 07:16:50 UTC
I downloaded package from Fedora Linux 27:

 openssh-7.6p1-5.fc27.x86_64.rpm

and the dependencies. Did:

  rpm -Uvh --force /tmp/openssh*rpm

and added missing dependency:

  dnf -y install tcp_wrappers-libs


The older OpenSSH daemon runs fine, but I still get the denied { dac_override }.

The connecting client's error message is a bit different, it does not complain about failed PTY allocation, but I guess this difference is irrelevant to our problem:

[untosten@localhost]$ ssh polytest@fedora-test
polytest.0.1's password: 
Connection to 127.0.0.1 closed.

Comment 3 Unto Sten 2018-08-29 07:24:29 UTC
I am not sure, but I may have possibly read from somewhere that they removed some dac_override permissions from apps on Fedora Linux lately. If that is so, this bug may be a consequence of those changes? I do not know. Just one path to investigate.

Comment 4 Fedora Update System 2018-09-06 21:56:25 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 5 Fedora Update System 2018-09-07 17:11:52 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 6 Unto Sten 2018-09-08 10:37:31 UTC
Hi Lukas!


Thanks, your selinux-policy-3.14.1-42.fc2 indeed fixes the dac_override problem, but ssh logins still fail. The reason is that sshd_t cannot create directories in the root directory:


time->Sat Sep  8 13:22:47 2018
type=AVC msg=audit(1536402167.897:200): avc:  denied  { create } for  pid=1721 comm="sshd" name="tmp-inst" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0

Is this something that Red Hat could allow by default, or is it admin's own decision to allow this right?

I am not totally sure, but personally I am inclined to think that perhaps the SELinux boolean 

  polyinstantiation_enabled

should allow this too? 

My rationale is the admin asked for polyinstantiation_enabled after all, and it would be convenient if it all worked "out of the box" without any extra steps.

Comment 7 Lukas Vrabec 2018-09-10 09:26:00 UTC
Jakub,
Any idea what's going on here?

Thanks,
Lukas.

Comment 8 Unto Sten 2018-09-10 13:06:51 UTC
Hi!

Lukas, I am not Jakub, and I am not totally sure what exactly you are asking, but anyway here's what I know:

SSH needs this right because pam_namespace.so wants to create a mount point in the root directory. Polyinstantiated directories are based on bind mounts. 

For example, to hide and protect public /tmp, pam_namespace mounts /tmp-inst/whatever on top of it. This operation provides private directories for users, that is basically all there is to it. See /etc/security/namespace.conf, e.g.

/tmp     /tmp-inst/       	level      root,adm

Comment 9 Fedora Update System 2018-09-11 16:55:05 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Unto Sten 2018-09-11 17:54:21 UTC
Fedora Update System has marked this case as "CLOSED", but it is not resolved yet.

Comment 11 Unto Sten 2018-09-11 17:56:36 UTC
(In reply to Unto Sten from comment #10)
> Fedora Update System has marked this case as "CLOSED", but it is not resolved
> yet.

Ummm. Sorry. Apparently I do not know how to use Bugzilla, did ERRATA -> NOTABUG.

Comment 12 Lukas Vrabec 2018-09-16 20:39:23 UTC
Unto, 

Next selinux-policy update should contain fix for this issue. 

Thanks,
Lukas.

Comment 13 Unto Sten 2018-09-17 16:11:29 UTC
Hi Lukas!

Great news, thanks!!!

Comment 14 Fedora Update System 2018-11-05 08:21:24 UTC
selinux-policy-3.14.1-48.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Comment 15 Fedora Update System 2018-11-06 23:27:31 UTC
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Comment 16 Fedora Update System 2018-11-09 05:25:42 UTC
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

