Bug 221608 - [LSPP] non-interactive ssh + [passwd|chsh] problems
[LSPP] non-interactive ssh + [passwd|chsh] problems
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-05 11:51 EST by Klaus Heinrich Kiwi
Modified: 2007-11-30 17:07 EST (History)
4 users (show)

See Also:
Fixed In Version: RC
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-07 21:09:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 30680 None None None Never

  None (edit)
Description Klaus Heinrich Kiwi 2007-01-05 11:51:17 EST
Description of problem:
ssh client hangs while trying to change the password. 

See http://comments.gmane.org/gmane.linux.redhat.security.lspp/1352

Version-Release number of selected component (if applicable):
[root@rhel5lspp LTP]# rpm -qa | egrep "policy|selinux|kernel|passwd"
policycoreutils-1.33.6-6.el5
selinux-policy-devel-2.4.6-15.el5
kernel-devel-2.6.18-1.2913.4.2.el5.lspp.59
kernel-headers-2.6.18-1.2910.el5
pam_passwdqc-1.0.2-1.2.2
libselinux-1.33.2-1.el5
libselinux-python-1.33.2-1.el5
passwd-0.73-1
selinux-policy-targeted-2.4.6-15.el5
kernel-2.6.18-1.2913.4.2.el5.lspp.59
libselinux-devel-1.33.2-1.el5
selinux-policy-mls-2.4.6-15.el5
checkpolicy-1.33.1-2.el5
selinux-policy-2.4.6-15.el5
policycoreutils-newrole-1.33.6-6.el5
[root@rhel5lspp LTP]# 


How reproducible:
always

Steps to Reproduce:
1. ssh -t user@localhost passwd

2. It doesn't matter if you actually change the password or fails to do so.
passwd hangs on the other side after the operation (ssh tilde escape char works).
  
Actual results:
passwd hangs on the remote side

Expected results:
passwd cleanly exits, $? returns 0

Additional info:
===AVCs====
type=AVC msg=audit(1168014725.476:18991): avc:  granted  { setfscreate } for 
pid=24571 comm="passwd" scontext=user_u:user_r:passwd_t:s0
tcontext=user_u:user_r:passwd_t:s0 tclass=process
type=SYSCALL msg=audit(1168014725.476:18991): arch=40000003 syscall=4
success=yes exit=27 a0=5 a1=9c36bb0 a2=1b a3=cfb768 items=0 ppid=24570 pid=24571
auid=504 uid=504 gid=509 euid=0 suid=0 fsuid=0 egid=509 sgid=509 fsgid=509
tty=pts3 comm="passwd" exe="/usr/bin/passwd" subj=user_u:user_r:passwd_t:s0
key=(null)
type=AVC msg=audit(1168014725.484:18992): avc:  granted  { setfscreate } for 
pid=24571 comm="passwd" scontext=user_u:user_r:passwd_t:s0
tcontext=user_u:user_r:passwd_t:s0 tclass=process
type=SYSCALL msg=audit(1168014725.484:18992): arch=40000003 syscall=4
success=yes exit=0 a0=5 a1=0 a2=0 a3=cfb768 items=0 ppid=24570 pid=24571
auid=504 uid=504 gid=509 euid=0 suid=0 fsuid=0 egid=509 sgid=509 fsgid=509
tty=pts3 comm="passwd" exe="/usr/bin/passwd" subj=user_u:user_r:passwd_t:s0
key=(null)
type=AVC msg=audit(1168014725.504:18993): avc:  granted  { setfscreate } for 
pid=24571 comm="passwd" scontext=user_u:user_r:passwd_t:s0
tcontext=user_u:user_r:passwd_t:s0 tclass=process
type=SYSCALL msg=audit(1168014725.504:18993): arch=40000003 syscall=4
success=yes exit=30 a0=5 a1=9c37240 a2=1e a3=cfb768 items=0 ppid=24570 pid=24571
auid=504 uid=504 gid=509 euid=0 suid=0 fsuid=0 egid=509 sgid=509 fsgid=509
tty=pts3 comm="passwd" exe="/usr/bin/passwd" subj=user_u:user_r:passwd_t:s0
key=(null)
type=AVC msg=audit(1168014725.516:18994): avc:  granted  { setfscreate } for 
pid=24571 comm="passwd" scontext=user_u:user_r:passwd_t:s0
tcontext=user_u:user_r:passwd_t:s0 tclass=process
type=SYSCALL msg=audit(1168014725.516:18994): arch=40000003 syscall=4
success=yes exit=0 a0=6 a1=0 a2=0 a3=cfb768 items=0 ppid=24570 pid=24571
auid=504 uid=504 gid=509 euid=0 suid=0 fsuid=0 egid=509 sgid=509 fsgid=509
tty=pts3 comm="passwd" exe="/usr/bin/passwd" subj=user_u:user_r:passwd_t:s0
key=(null)
type=USER_CHAUTHTOK msg=audit(1168014725.520:18995): user pid=24571 uid=504
auid=504 subj=user_u:user_r:passwd_t:s0 msg='PAM: chauthtok acct=klausk_test :
exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/3 res=success)'
type=USER_CHAUTHTOK msg=audit(1168014725.528:18996): user pid=24571 uid=504
auid=504 subj=user_u:user_r:passwd_t:s0 msg='op=change password id=504
exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/3 res=success)'
type=AVC msg=audit(1168014725.552:18997): avc:  denied  { sigchld } for 
pid=24570 comm="sshd" scontext=user_u:user_r:passwd_t:s0
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168014725.552:18997): arch=40000003 syscall=7 success=no
exit=-10 a0=ffffffff a1=bfaadfa8 a2=1 a3=bfaadfa8 items=0 ppid=24562 pid=24570
auid=504 uid=504 gid=509 euid=504 suid=504 fsuid=504 egid=509 sgid=509 fsgid=509
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)

[root@rhel5lspp LTP]# tail -10 /var/log/audit/audit.log | audit2allow 
allow passwd_t sshd_t:process sigchld;
Comment 2 Daniel Walsh 2007-01-05 15:58:49 EST
Fixed in selinux-policy-2.4.6-23
Comment 3 Jay Turner 2007-01-08 09:36:53 EST
QE ack for RHEL5.
Comment 4 Klaus Heinrich Kiwi 2007-01-09 22:09:36 EST
Dan, 
 I'm using 2.4.6-24 now and the ssh+passwd issue is fixed...

*But* I found the *same* problem with another utility: chsh
(I wonder if there are more - can you see a pattern? besides that all of them
require you to enter your current password?)

relevant AVC + policy rule (as usual):
type=AVC msg=audit(1168396542.038:97052): avc:  denied  { sigchld } for 
pid=22213 comm="sshd" scontext=user_u:user_r:chfn_t:s0
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168396542.038:97052): arch=14 syscall=7 success=no
exit=-10 a0=ffffffffffffffff a1=f8f8eb4c a2=1 a3=8 items=0 ppid=22205 pid=22213
auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)

[root@zaphod databases]# tail -n 10 /var/log/audit/audit.log | audit2allow
allow chfn_t sshd_t:process sigchld;

Also changing Summary information in order to reflect this update.
Comment 6 Daniel Walsh 2007-01-15 10:56:36 EST
Fixed all that I could find.  Hopefully eventually we can work out a strategy
for these with upstream.   To make it easier.

Fixed in selinux-policy-2.4.6-27
Comment 7 Klaus Heinrich Kiwi 2007-01-15 17:48:26 EST
My tests are passing, I'll let you know if something else is failing. We should
discuss this at the mailing list, as there may be a possible more generic solution.

Please close the bug.

Comment 8 RHEL Product and Program Management 2007-02-07 21:09:13 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.

Note You need to log in before you can comment on or make changes to this bug.