Bug 170557 - selinux policy blocks rexec access
selinux policy blocks rexec access
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
4
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Russell Coker
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-10-12 17:25 EDT by Gilles Detillieux
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 1.27.1-2.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-21 22:22:37 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gilles Detillieux 2005-10-12 17:25:13 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050810 Red Hat/1.7.10-0.90.1.legacy

Description of problem:
The default SELinux policy for FC4 (updated via yum) doesn't allow rexec access.  After enabling rexec in /etc/xinetd.d and opening up port 512/tcp in iptables, rexec access to the system still fails because of a broken or missing SELinux policy for /usr/sbin/in.rexecd.  By default, in.rexecd is assigned the context system_u:object_r:inetd_child_exec_t, which doesn't allow the process to do a whole lot.  Setting this to system_u:object_r:rshd_exec_t, which is the context for in.rshd, makes rexec access work.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3

How reproducible:
Always

Steps to Reproduce:
1. yum install rsh-server; chkconfig rexec enable
2. Add entries for TCP port 512 to /etc/sysconfig/iptables and /etc/sysconfig/system-config-securitylevel, then "service iptables restart".
3. Try "rexec -a rhost '/usr/X11R6/bin/xterm -display myhost:0'", where rhost is the FC4 system on which you enabled rexec access.
  

Actual Results:  The rexec client reports:

rhost: No such file or directory
rexec: Error in rexec system call,
rexec: (The following system error may itself be in error)
rexec: Illegal seek

The /var/log/messages file on rhost reports:

Oct 12 14:20:55 rhost in.rexecd[5411]: connect from myhost
Oct 12 14:20:55 rhost rexec(pam_unix)[5411]: authentication failure; logname= uid=0 euid=0 tty=rexec ruser= rhost=  user=grdetil
Oct 12 14:20:58 rhost in.rexecd[5411]: PAM audit_open() failed: Permission denied
Oct 12 14:20:58 rhost in.rexecd[5411]: PAM audit_open() failed: Permission denied

Expected Results:  Client should open xterm window with shell running on rhost.  rhost should log:

Oct 12 15:40:32 rhost in.rexecd[6219]: connect from myhost
Oct 12 15:40:32 rhost rexec(pam_unix)[6219]: session opened for user grdetil by (uid=0)
Oct 12 15:40:32 rhost rexec(pam_unix)[6219]: session closed for user grdetil
Oct 12 15:40:32 rhost in.rexecd[6219]: login from myhost as grdetil

Additional info:

A quick but temporary fix is:

chcon system_u:object_r:rshd_exec_t /usr/sbin/in.rexecd

I say temporary because I realize that the next run of fixfiles, setfiles, restorecon, or whatever is likely to reset in.rexecd back to system_u:object_r:inetd_child_exec_t.  If it makes sense to have rexecd run under rshd's policy, then in.rexecd should probably be added to /etc/selinux/targeted/src/policy/file_contexts/program/rshd.fc (and ulimately make its way into /etc/selinux/targeted/contexts/files/file_contexts) to make the change permanent.  If rexecd ought to have its own independent policy, then these should be defined appropriately in /etc/selinux/targeted/src/policy/file_contexts/program/ and /etc/selinux/targeted/src/policy/domains/program/ in the next policy update.
Comment 1 Daniel Walsh 2005-10-13 08:40:11 EDT
I added rshd_exec_t for rexecd in rshd.fc, which will be in the next policy we
update.

For now you can add a line to
/etc/selinux/targeted/contexts/files/file_contexts.local to preserve it over a
restorecon.
Comment 2 Daniel Walsh 2005-10-17 14:14:37 EDT
Fixed in selinux-policy-*-1.27.1-2.6
Comment 3 Gilles Detillieux 2005-10-18 14:06:38 EDT
I beg to differ.  I'm running selinux-policy-targeted-1.27.1-2.6 as of this
morning, and there's still no reference to rexec in any file in /etc/selinux
other than the one I added to file_contexts.local on your recommendation.  Of
the 3 FC4 systems I looked at, only the 2 where I manually changed in.rexecd's
context have it set correctly.  Did the change fail to make it into all the
update RPMs for all FC releases?
Comment 4 Daniel Walsh 2005-10-18 14:13:18 EDT
Oops that should be in 2.7 then.  Available in test tonight or via
ftp://people.redhat.com/dwalsh/SELinux/FC4

Comment 5 Gilles Detillieux 2005-10-18 14:42:15 EDT
That did the job quite nicely.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.