From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050810 Red Hat/1.7.10-0.90.1.legacy

Description of problem:
The default SELinux policy for FC4 (updated via yum) doesn't allow rexec access. After enabling rexec in /etc/xinetd.d and opening up port 512/tcp in iptables, rexec access to the system still fails because of a broken or missing SELinux policy for /usr/sbin/in.rexecd. By default, in.rexecd is assigned the context system_u:object_r:inetd_child_exec_t, which doesn't allow the process to do a whole lot. Setting this to system_u:object_r:rshd_exec_t, which is the context for in.rshd, makes rexec access work.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3

How reproducible:
Always

Steps to Reproduce:
1. yum install rsh-server; chkconfig rexec enable
2. Add entries for TCP port 512 to /etc/sysconfig/iptables and /etc/sysconfig/system-config-securitylevel, then "service iptables restart".
3. Try "rexec -a rhost '/usr/X11R6/bin/xterm -display myhost:0'", where rhost is the FC4 system on which you enabled rexec access.

Actual Results:
The rexec client reports:

rhost: No such file or directory
rexec: Error in rexec system call,
rexec: (The following system error may itself be in error)
rexec: Illegal seek

The /var/log/messages file on rhost reports:

Oct 12 14:20:55 rhost in.rexecd[5411]: connect from myhost
Oct 12 14:20:55 rhost rexec(pam_unix)[5411]: authentication failure; logname= uid=0 euid=0 tty=rexec ruser= rhost= user=grdetil
Oct 12 14:20:58 rhost in.rexecd[5411]: PAM audit_open() failed: Permission denied
Oct 12 14:20:58 rhost in.rexecd[5411]: PAM audit_open() failed: Permission denied

Expected Results:
Client should open xterm window with shell running on rhost.

rhost should log:

Oct 12 15:40:32 rhost in.rexecd[6219]: connect from myhost
Oct 12 15:40:32 rhost rexec(pam_unix)[6219]: session opened for user grdetil by (uid=0)
Oct 12 15:40:32 rhost rexec(pam_unix)[6219]: session closed for user grdetil
Oct 12 15:40:32 rhost in.rexecd[6219]: login from myhost as grdetil

Additional info:
A quick but temporary fix is:

chcon system_u:object_r:rshd_exec_t /usr/sbin/in.rexecd

I say temporary because I realize that the next run of fixfiles, setfiles, restorecon, or whatever is likely to reset in.rexecd back to system_u:object_r:inetd_child_exec_t. If it makes sense to have rexecd run under rshd's policy, then in.rexecd should probably be added to /etc/selinux/targeted/src/policy/file_contexts/program/rshd.fc (and ultimately make its way into /etc/selinux/targeted/contexts/files/file_contexts) to make the change permanent. If rexecd ought to have its own independent policy, then these should be defined appropriately in /etc/selinux/targeted/src/policy/file_contexts/program/ and /etc/selinux/targeted/src/policy/domains/program/ in the next policy update.
I added rshd_exec_t for rexecd in rshd.fc, which will be in the next policy we update. For now you can add a line to /etc/selinux/targeted/contexts/files/file_contexts.local to preserve it over a restorecon.
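The following is an added check for the two halves of this thread (spotting the PAM audit_open() denial in the log and producing the file_contexts.local entry that survives restorecon); it is not from the bug report or the policy package. It assumes the FC4-era label format quoted above (no MCS ":s0" suffix) and GNU stat's %C format; the log excerpt is constructed from the lines in the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the policy package. Assumes the
# FC4-era label format quoted in the report (no MCS ":s0" suffix) and GNU
# stat's %C format; the log excerpt below is constructed from the report.

REXECD=/usr/sbin/in.rexecd
WANT_CTX=system_u:object_r:rshd_exec_t     # the context that makes rexec work

# Count in.rexecd lines on stdin showing the symptom: PAM denied audit_open().
count_audit_denials() {
    grep -c 'in\.rexecd\[[0-9]*\]: PAM audit_open() failed: Permission denied' || true
}

# Return 0 if the given context already carries the working type (rshd_exec_t).
context_ok() {
    case "$1" in
        *:rshd_exec_t) return 0 ;;
        *)             return 1 ;;
    esac
}

# Build the file_contexts.local line that survives restorecon. The path field
# is a regex, so '.' is escaped; '--' limits the match to regular files.
fc_local_entry() {
    printf '%s -- %s\n' "$(printf '%s' "$1" | sed 's/\./\\./g')" "$2"
}

# Constructed /var/log/messages excerpt in the format the report quotes.
SAMPLE_LOG='Oct 12 14:20:55 rhost in.rexecd[5411]: connect from myhost
Oct 12 14:20:55 rhost rexec(pam_unix)[5411]: authentication failure; logname= uid=0 euid=0 tty=rexec ruser= rhost= user=grdetil
Oct 12 14:20:58 rhost in.rexecd[5411]: PAM audit_open() failed: Permission denied
Oct 12 14:20:58 rhost in.rexecd[5411]: PAM audit_open() failed: Permission denied'

main() {
    echo "audit_open denials in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_audit_denials)"
    # Current label of in.rexecd; "unknown" when the file or SELinux is absent.
    cur=$(stat -c %C "$REXECD" 2>/dev/null || echo unknown)
    if context_ok "$cur"; then
        echo "$REXECD already labelled $cur"
    else
        echo "$REXECD is labelled '$cur'; to fix persistently (as root):"
        echo "  echo '$(fc_local_entry "$REXECD" "$WANT_CTX")' >> /etc/selinux/targeted/contexts/files/file_contexts.local"
        echo "  restorecon -v $REXECD"
    fi
}

main
```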
Fixed in selinux-policy-*-1.27.1-2.6
I beg to differ. I'm running selinux-policy-targeted-1.27.1-2.6 as of this morning, and there's still no reference to rexec in any file in /etc/selinux other than the one I added to file_contexts.local on your recommendation. Of the 3 FC4 systems I looked at, only the 2 where I manually changed in.rexecd's context have it set correctly. Did the change fail to make it into all the update RPMs for all FC releases?
Oops that should be in 2.7 then. Available in test tonight or via ftp://people.redhat.com/dwalsh/SELinux/FC4
That did the job quite nicely. Thanks!