RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2177704 - Cannot add smartcard key to SSH agent when user is confined
Summary: Cannot add smartcard key to SSH agent when user is confined
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-03-13 12:41 UTC by Renaud Métrich
Modified: 2023-11-14 17:57 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.3-128.el8
Doc Type: Bug Fix
Doc Text:
Cause: policy does not allow ssh-agent execute openssh helper for pkcs#11 support Consequence: ssh-agent cannot access keys stored on a smart card Fix: required rules were added to the policy Result: ssh-agent can get a key stored on a smart card for ssh to use it
Clone Of:
Environment:
Last Closed: 2023-11-14 15:47:46 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1818 0 None open Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t 2023-08-07 13:12:02 UTC
Github fedora-selinux selinux-policy pull 1855 0 None open Allow ssh_agent_type manage generic cache home files 2023-08-25 10:56:34 UTC
Red Hat Issue Tracker RHELPLAN-151568 0 None None None 2023-03-13 12:41:39 UTC
Red Hat Product Errata RHBA-2023:7091 0 None None None 2023-11-14 15:48:23 UTC

Description Renaud Métrich 2023-03-13 12:41:06 UTC 
Description of problem:

We have a customer trying to add the key from a smartcard to the SSH agent from a confined user (staff_u):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
Enter passphrase for PKCS#11: <Enter card PIN>
Could not add card "/usr/lib64/pkcs11/opensc-pkcs11.so": agent refused operation
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

After requesting the PIN, the request is sent to the agent but agent denies it, because of the following AVCs happening on the agent socket:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
... : proctitle=/usr/libexec/openssh/ssh-pkcs11-helper
[...]
... : avc:  denied  { read write } for  pid=423099 comm=ssh-pkcs11-help path=socket:[2348810] dev="sockfs" ino=2348810 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The root cause for this is the helper /usr/libexec/openssh/ssh-pkcs11-helper is labeled with *bin_t*, which causes a transition to *staff_t* to happen when the helper gets executed by the SSH agent, the latter running with *staff_ssh_agent_t* context:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
423099 [staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023] 07:38:36.431721 dup2(6<UNIX:[2348812->2348811]> [staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023], 0</dev/null<char 1:3>> [system_u:object_r:null_device_t:s0]) = 0<UNIX:[2348812->2348811]> [staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023] <0.000031>
423099 [staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023] 07:38:36.432172 dup2(6<UNIX:[2348812->2348811]> [staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023], 1</dev/null<char 1:3>> [system_u:object_r:null_device_t:s0] <unfinished ...>
423099 [staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023] 07:38:36.432412 <... dup2 resumed>) = 1<UNIX:[2348812->2348811]> [staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023] <0.000084>
 :
423099 [staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023] 07:38:36.433326 execve("/usr/libexec/openssh/ssh-pkcs11-helper" [system_u:object_r:bin_t:s0], ["/usr/libexec/openssh/ssh-pkcs11-helper"], ...
423099 [staff_u:staff_r:staff_t:s0-s0:c0.c1023] 07:38:36.434977 <... execve resumed>) = 0 <0.001052>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

See above last line, we see the context switching, due to transition below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -T -s staff_ssh_agent_t -t bin_t
type_transition staff_ssh_agent_t bin_t:process staff_t;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Later, the helper reads the socket (on STDIN) but due to the AVC, doesn't read anything, causing the failure:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
423099 [staff_u:staff_r:staff_t:s0-s0:c0.c1023] 07:38:36.773758 poll([{fd=0</null> [system_u:object_r:null_device_t:s0!!system_u:object_r:default_t:s0], events=POLLIN}, {fd=1</null> [system_u:object_r:null_device_t:s0!!system_u:object_r:default_t:s0], events=0}], 2, -1) = 1 ([{fd=0, revents=POLLIN}]) <0.000024>
423099 [staff_u:staff_r:staff_t:s0-s0:c0.c1023] 07:38:36.773986 read(0</null> [system_u:object_r:null_device_t:s0!!system_u:object_r:default_t:s0], "", 16384) = 0 <0.000021>
423099 [staff_u:staff_r:staff_t:s0-s0:c0.c1023] 07:38:36.774156 exit_group(0) = ?
423099 [staff_u:staff_r:staff_t:s0-s0:c0.c1023] 07:38:36.774651 +++ exited with 0 +++
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The issue is likely in Upstream policy as well.

The corresponding rules in the policy leading to the transition are the ones below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
 337 template(`ssh_role_template',`
 :
 410         # transition back to normal privs upon exec
 411         corecmd_shell_domtrans($1_ssh_agent_t, $3)
 412         orecmd_bin_domtrans($1_ssh_agent_t, $3)
 :

policy/modules/roles/unprivuser.te:    ssh_role_template(user, user_r, user_t)
policy/modules/roles/unprivuser.te:        ssh_role_template(user, user_r, user_t)
policy/modules/roles/sysadm.te:    ssh_role_template(sysadm, sysadm_r, sysadm_t)
policy/modules/roles/staff.te:    ssh_role_template(staff, staff_r, staff_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

There are hence 2 possibilities:

1. either the helper should continue executing in the context of the caller, staff_ssh_agent_t

2. or rules must be added for SELinux users to be able to read/write the socket, but I would consider this is a security flaw

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-108.el8_7.1.noarch
Probably Upstream as well

How reproducible:

Always, but don't have a smartcard to test
Comment 4 Zdenek Pytela 2023-08-11 16:31:06 UTC 
Commit to backport:
71086d81c (HEAD -> rawhide, upstream/rawhide) Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
Comment 9 Zdenek Pytela 2023-08-15 07:53:44 UTC 
Ondro,

Can you help us with verification that fix for this bz is complete? It requires confined users setup and access to a smart card.
Comment 20 errata-xmlrpc 2023-11-14 15:47:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091
Note You need to log in before you can comment on or make changes to this bug.