Description of problem:
SSH level selection is behaving very oddly on s390x. When categories are given with commas, only the first is obtained (maybe a separate issue that is also seen on other platforms). When categories are given as a range (indicated by a .), the range is obtained when the range spans at least one unnamed category; however, only the first is obtained if the range only spans adjacent categories. For example, c0.c2 works but c0.c1 does not.

Version-Release number of selected component (if applicable):
I am not exactly sure where this problem is, but here are some possibly relevant package versions:
kernel-2.6.18-6.el5.lspp.64
audit-1.3.1-1.el5
libselinux-1.33.4-3.el5
libselinux-1.33.4-3.el5
mcstrans-0.2.1-1.el5
openssh-4.3p2-16.el5

How reproducible:
Always on s390x

Steps to Reproduce:
Samples of the above examples.

1) With commas doesn't work

[root@rheal3a framework]# ssh testuser/user_r/s0:c0,c1@localhost
Password:
Password:
Last login: Mon Feb 12 15:24:44 2007 from rheal3a.endicott.ibm.com
-bash-3.1$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s0:c0
-bash-3.1$ exit
logout
Connection to localhost closed.

2) Minimal range with . doesn't work - Note on other platforms (such as ppc64) this is expanded to c0,c1 and therefore could be related to the above.

[root@rheal3a framework]# ssh testuser/user_r/s0:c0.c1@localhost
Password:
Last login: Mon Feb 12 15:58:33 2007 from rheal3a.endicott.ibm.com
-bash-3.1$ level
-bash: level: command not found
-bash-3.1$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s0:c0
-bash-3.1$ exit
logout
Connection to localhost closed.

3) Wider range works as expected.

[root@rheal3a framework]# ssh testuser/user_r/s0:c0.c2@localhost
Password:
Last login: Mon Feb 12 15:58:50 2007 from rheal3a.endicott.ibm.com
-bash-3.1$ id
uid=501(testuser) gid=501(testuser) groups=501(testuser) context=testuser_u:user_r:user_t:s0:c0.c2
-bash-3.1$ exit
logout
Connection to localhost closed.
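The report above hinges on how a category string such as c0.c1 or c0,c1 is turned into a set of categories and written back out. As an added illustration for this thread (not code from mcstrans, libselinux or openssh, and not the reporter's), the Python below parses the category part of a single MLS level into an explicit set, serializes it back, and round-trips every input so that a translation which silently drops categories (the symptom reported here) is caught. The canonical output form is this example's own choice, picked to match the reporter's note that ppc64 expands c0.c1 to c0,c1: a run of exactly two adjacent categories is written cN,cN+1, a run of three or more is written cN.cM. The category ceiling of c1023 is assumed from the later comments in the thread; low-high level ranges (s0-s15) are not handled.

```python
"""
Added illustration: parse and canonicalize the category set of an MLS level.
Not the mcstrans/libselinux/openssh implementation; function names, the
canonical output form and MAX_CATEGORY are assumptions for this example.
"""
from __future__ import annotations

import re

CAT_RE = re.compile(r"^c(\d+)$")
MAX_CATEGORY = 1023  # assumption: categories c0..c1023, as in the thread's tests


def _cat_number(token: str) -> int:
    """'c42' -> 42; anything else, or a category above the ceiling, is rejected."""
    m = CAT_RE.match(token)
    if not m or int(m.group(1)) > MAX_CATEGORY:
        raise ValueError(f"bad category: {token!r}")
    return int(m.group(1))


def parse_level(level: str) -> tuple[str, frozenset[int]]:
    """Split 's5:c1,c3.c7' into ('s5', {1, 3, 4, 5, 6, 7}).

    'cA.cB' is an inclusive range. A malformed or reversed range raises rather
    than being truncated to its first element, which is the failure the report
    describes: a clearance that quietly shrinks is still a wrong clearance.
    """
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    if not cats:
        return sens, frozenset()
    result: set[int] = set()
    for item in cats.split(","):
        lo, dot, hi = item.partition(".")
        lo_n = _cat_number(lo)
        hi_n = _cat_number(hi) if dot else lo_n
        if hi_n < lo_n:
            raise ValueError(f"reversed range: {item!r}")
        result.update(range(lo_n, hi_n + 1))
    return sens, frozenset(result)


def serialize_level(sens: str, cats: frozenset[int]) -> str:
    """Write the set back out; runs of 3+ become 'cA.cB', shorter runs stay comma-separated."""
    ordered = sorted(cats)
    parts: list[str] = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        run = ordered[i:j + 1]
        if len(run) >= 3:
            parts.append(f"c{run[0]}.c{run[-1]}")
        else:
            parts.extend(f"c{c}" for c in run)
        i = j + 1
    return sens if not parts else f"{sens}:{','.join(parts)}"


def roundtrip_ok(level: str) -> bool:
    """True when serialize(parse(level)) parses back to the same sensitivity and set."""
    sens, cats = parse_level(level)
    return parse_level(serialize_level(sens, cats)) == (sens, cats)


if __name__ == "__main__":
    # The three inputs from the report: all should keep every category.
    for lvl in ("s0:c0,c1", "s0:c0.c1", "s0:c0.c2", "s5:c1,c3,c5,c7"):
        sens, cats = parse_level(lvl)
        print(f"{lvl:16} -> {sorted(cats)} -> {serialize_level(sens, cats)} roundtrip={roundtrip_ok(lvl)}")
```

Running the block prints each input beside its expanded set and canonical form; c0.c1 and c0,c1 both come out as {0, 1}, which is the behaviour the reporter expected and did not get.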
I updated my system using the new kickstart/certification RPM and made sure I got the latest of all relevant packages from the repo, and everything works. Something must have happened when I updated libselinux yesterday. Sorry for the confusion.
Created attachment 148016
unittest for mcstrans

Update mcstrans-0.2.3-1 on people. You need to update to the package and then you can use the test suite. If you find a translation that fails, please add it to the testsuite.
I don't know if this belongs here or not. Let me know what you want me to do. I have found there is a limit to the number of categories that you can ssh in with, i.e. the first example works, the second example with one more category does not. (I have updated to the latest level of mcstrans.)

[root/abat_r/SystemLow@KWUSER1 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Could not create directory '/root/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 49:f5:9f:53:f1:aa:76:cf:59:dd:7a:6f:eb:b2:b9:e9.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/root/.ssh/known_hosts).
Password:
Last login: Tue Feb 13 15:17:46 2007 from kwuser1.endicott.ibm.com
[testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER1 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER1 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Could not create directory '/root/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 49:f5:9f:53:f1:aa:76:cf:59:dd:7a:6f:eb:b2:b9:e9.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/root/.ssh/known_hosts).
Password:
Last login: Tue Feb 13 15:18:02 2007 from kwuser1.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER1 framework]#
I've seen the error before: Could not create directory '/root/.ssh'. I think it's because /root and its contents don't have the right context. If you do a 'restorecon -v -R /root' you might have better luck.
Actually, that doesn't explain the difference in behavior that you see but I think it explains some of the error messages.
The issue isn't about the /root/.ssh. I am not able to login with many categories. Notice that the example where the category list goes up to 105 succeeds but the list that goes up to 107 fails.
This seems weird. Are you sure your sshd is running with the correct context? Why would a testuser be trying to update /root/.ssh? I have successfully logged in with:

ssh root/sysadm_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c108,c109,c110,c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c308,c309,c310,c311,c411,c413@xxy
root/sysadm_r/s5:c1,c3,c5,c7,c@xxy's password:
Last login: Tue Feb 13 17:04:36 2007 from dhcp-10-12-33-199.boston.devel.redhat.com
[root@xxy ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107.c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307.c311,c411,c413

But it soon breaks after that. Of course this is an evil test. :^)
Sorry to cause the confusion with the /root/.ssh; it was just a label problem. For our tests we ssh in as a user and then /bin/su - to root and run our frameworks from there. I have retested on another machine just to make sure I am not crazy. This is on an s390x installed today with the latest RC, kickstart and lspp rpm, along with updating all the packages on the dwalsh people page repo and the kernel to lspp.64. Here are the results I get (I can't test as root due to the lspp config):

[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c108,c109,c110,c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c308,c309,c310,c311,c411,c413@localhost
Password:
Last login: Tue Feb 13 16:25:39 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Tue Feb 13 16:40:41 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Password:
Last login: Tue Feb 13 16:41:09 2007 from kwuser2.endicott.ibm.com
[testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER3 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Password:
Last login: Tue Feb 13 16:28:02 2007 from sig-9-76-206-16.mts.ibm.com
[ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER3 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Tue Feb 13 16:41:45 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]#

You call the test case evil, but the original test case was trying to specify all the odd categories up to 1023. This was simply paring down to where the failure point is.
The question is whether the test case is realistic. I.e., we can go in and try to figure out what the problem is, or is the size of this enough to get

I have run some tests on mcstrans and libselinux and it seems to handle much larger data than this, so I think this might be an openssh problem.
Basically running a test with 1024 categories works with the latest mcstrans.
I tried the ssh on another platform (ppc64) to get another data point. I had the same results as on the s390x.

[ealuser/staff_r/SystemLow@hvracer3 ~]$ ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 2f:7d:54:30:69:db:d1:5b:8f:68:a4:56:05:73:dd:c0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password:
Last login: Wed Feb 14 13:14:52 2007 from sig-9-65-34-127.mts.ibm.com
[ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@hvracer3 ~]$ exit
logout
Connection to localhost closed.
[ealuser/staff_r/SystemLow@hvracer3 ~]$ ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Wed Feb 14 13:17:02 2007 from localhost.localdomain
Connection to localhost closed.
The problem is the filesystem's filename size limit (polyinstantiation attacks again). With the above testcase, check /var/log/secure:

Feb 15 09:12:30 zaphod sshd[2160]: pam_namespace(sshd:session): Error creating /home/home.inst/staff_u:object_r:staff_home_dir_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c109,c111_ealuser, File name too long

If I use a user which is not polyinst (add it to /etc/security/namespace.conf), I can successfully log in with:

[root@zaphod framework]# ssh abat//s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c109,c111,c113,c115,c117,c119,c121,c123,c125,c127,c129,c131,c133,c135,c137,c139,c141,c143,c145,c147,c149,c151,c153,c155,c157,c159,c161,c163,c165,c167,c169,c171,c173,c175,c177,c179,c181,c183,c185,c187,c189,c191,c193,c195,c197,c199,c201,c203,c205,c207,c209,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c309,c311,c313,c315,c317,c319,c321,c323,c325,c327,c329,c331,c333,c335,c337,c339,c341,c343,c345,c347,c349,c351,c353,c355,c357,c359,c361,c363,c365,c367,c369,c371,c373,c375,c377,c379,c381,c383,c385,c387,c389,c391,c393,c395,c397,c399,c401,c403,c405,c407,c409,c411,c413,c415,c417,c419,c421,c423,c425,c427,c429,c431,c433,c435,c437,c439,c441,c443,c445,c447,c449,c451,c453,c455,c457,c459,c461,c463,c465,c467,c469,c471,c473,c475,c477,c479,c481,c483,c485,c487,c489,c491,c493,c495,c497,c499,c501,c503,c505,c507,c509,c511,c513,c515,c517,c519,c521,c523,c525,c527,c529,c531,c533,c535,c537,c539,c541,c543,c545,c547,c549,c551,c553,c555,c557,c559,c561,c563,c565,c567,c569,c571,c573,c575,c577,c579,c581,c583,c585,c587,c589,c591,c593,c595,c597,c599,c601,c603,c605,c607,c609,c611,c613,c615,c617,c619,c621,c623,c625,c627,c629,c631,c633,c635,c637,c639,c641,c643,c645,c647,c649,c651,c653,c655,c657,c659,c661,c663,c665,c667,c669,c671,c673,c675,c677,c679,c681,c683,c685,c687,c689,c691,c693,c695,c697,c699,c701,c703,c705,c707,c709,c711,c713,c715,c717,c719,c721,c723,c725,c727,c729,c731,c733,c735,c737,c739,c741,c743,c745,c747,c749,c751,c753,c755,c757,c759,c761,c763,c765,c767,c769,c771,c773,c775,c777,c779,c781,c783,c785,c787,c789,c791,c793,c795,c797,c799,c801,c803,c805,c807,c809,c811,c813,c815,c817,c819,c821,c823,c825,c827,c829,c831,c833,c835,c837,c839,c841,c843,c845,c847,c849,c851,c853,c855,c857,c859,c861,c863,c865,c867,c869,c871,c873,c875,c877,c879,c881,c883,c885,c887,c889,c891,c893,c895,c897,c899,c901,c903,c905,c907,c909,c911,c913,c915,c917,c919,c921,c923,c925,c927,c929,c931,c933,c935,c937,c939,c941,c943,c945,c947,c949,c951,c953,c955,c957,c959,c961,c963,c965,c967,c969,c971,c973,c975,c977,c979,c981,c983,c985,c987,c989,c991,c993,c995,c997,c999,c1001,c1003,c1005,c1007,c1009,c1011,c1013,c1015,c1017,c1019,c1021,c1023@localhost
Password:
Last login: Thu Feb 15 10:04:22 2007 from localhost.localdomain
[abat@zaphod ~]$ id
uid=502(abat) gid=502(abat) groups=10(wheel),502(abat) context=abat_u:abat_r:abat_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c109,c111,c113,c115,c117,c119,c121,c123,c125,c127,c129,c131,c133,c135,c137,c139,c141,c143,c145,c147,c149,c151,c153,c155,c157,c159,c161,c163,c165,c167,c169,c171,c173,c175,c177,c179,c181,c183,c185,c187,c189,c191,c193,c195,c197,c199,c201,c203,c205,c207,c209,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c309,c311,c313,c315,c317,c319,c321,c323,c325,c327,c329,c331,c333,c335,c337,c339,c341,c343,c345,c347,c349,c351,c353,c355,c357,c359,c361,c363,c365,c367,c369,c371,c373,c375,c377,c379,c381,c383,c385,c387,c389,c391,c393,c395,c397,c399,c401,c403,c405,c407,c409,c411,c413,c415,c417,c419,c421,c423,c425,c427,c429,c431,c433,c435,c437,c439,c441,c443,c445,c447,c449,c451,c453,c455,c457,c459,c461,c463,c465,c467,c469,c471,c473,c475,c477,c479,c481,c483,c485,c487,c489,c491,c493,c495,c497,c499,c501,c503,c505,c507,c509,c511,c513,c515,c517,c519,c521,c523,c525,c527,c529,c531,c533,c535,c537,c539,c541,c543,c545,c547,c549,c551,c553,c555,c557,c559,c561,c563,c565,c567,c569,c571,c573,c575,c577,c579,c581,c583,c585,c587,c589,c591,c593,c595,c597,c599,c601,c603,c605,c607,c609,c611,c613,c615,c617,c619,c621,c623,c625,c627,c629,c631,c633,c635,c637,c639,c641,c643,c645,c647,c649,c651,c653,c655,c657,c659,c661,c663,c665,c667,c669,c671,c673,c675,c677,c679,c681,c683,c685,c687,c689,c691,c693,c695,c697,c699,c701,c703,c705,c707,c709,c711,c713,c715,c717,c719,c721,c723,c725,c727,c729,c731,c733,c735,c737,c739,c741,c743,c745,c747,c749,c751,c753,c755,c757,c759,c761,c763,c765,c767,c769,c771,c773,c775,c777,c779,c781,c783,c785,c787,c789,c791,c793,c795,c797,c799,c801,c803,c805,c807,c809,c811,c813,c815,c817,c819,c821,c823,c825,c827,c829,c831,c833,c835,c837,c839,c841,c843,c845,c847,c849,c851,c853,c855,c857,c859,c861,c863,c865,c867,c869,c871,c873,c875,c877,c879,c881,c883,c885,c887,c889,c891,c893,c895,c897,c899,c901,c903,c905,c907,c909,c911,c913,c915,c917,c919,c921,c923,c925,c927,c929,c931,c933,c935,c937,c939,c941,c943,c945,c947,c949,c951,c953,c955,c957,c959,c961,c963,c965,c967,c969,c971,c973,c975,c977,c979,c981,c983,c985,c987,c989,c991,c993,c995,c997,c999,c1001,c1003,c1005,c1007,c1009,c1011,c1013,c1015,c1017,c1019,c1021,c1023
[abat@zaphod ~]$
What needs to happen is that both pam and sshd need to check if the basename of the file/dir is < NAME_MAX from limits.h and that the whole path is < PATH_MAX. It could possibly change to a hashed name if this limit is violated. I think the original namespace patch used hashes but this was dropped for readability. So, maybe we should have readability until we hit the NAME_MAX limit and then switch to cryptic dir names.
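The check proposed in the comment above, written out as an added example for this thread (it is not pam_namespace or sshd code, and not the commenter's): build the polyinstantiated directory name in the form the /var/log/secure line earlier shows (<instance parent>/<SELinux file context>_<user>), measure it against NAME_MAX and PATH_MAX before any mkdir, and switch to a hashed name only when the readable one would not fit. The directory layout is inferred from that log line; the hashing scheme, the function names and the constants are this example's own choices, with the Linux limits.h values used as defaults.

```python
"""
Added illustration: NAME_MAX / PATH_MAX check with hashed fallback for a
polyinstantiated directory name. Not the pam_namespace or sshd implementation;
layout inferred from the thread's log line, everything else is assumed.
"""
from __future__ import annotations

import errno
import hashlib
import os

# Linux values from <limits.h>. Real code should query os.pathconf() on the
# parent directory, because a filesystem may impose a smaller limit.
NAME_MAX = 255
PATH_MAX = 4096


def readable_instance_name(context: str, user: str) -> str:
    """Readable form seen in the report: '<context>_<user>'."""
    return f"{context}_{user}"


def hashed_instance_name(context: str, user: str) -> str:
    """Compact fallback: keep the user name in clear, hash the whole readable name.

    An administrator can still see whose directory it is, and two contexts that
    differ in a single category still map to distinct directories.
    """
    digest = hashlib.sha256(readable_instance_name(context, user).encode()).hexdigest()
    return f"{user}_{digest}"


def instance_dir(parent: str, context: str, user: str,
                 name_max: int = NAME_MAX, path_max: int = PATH_MAX) -> tuple[str, bool]:
    """Return (path, hashed); hashed is True when the fallback name was used.

    Raises OSError(ENAMETOOLONG) if even the hashed form does not fit, so the
    caller fails closed instead of creating a directory under a truncated name.
    """
    name = readable_instance_name(context, user)
    hashed = False
    if len(name.encode()) > name_max:
        name = hashed_instance_name(context, user)
        hashed = True
    path = os.path.join(parent, name)
    # PATH_MAX counts the terminating NUL, hence >= rather than >.
    if len(name.encode()) > name_max or len(path.encode()) >= path_max:
        raise OSError(errno.ENAMETOOLONG,
                      "instance directory name exceeds NAME_MAX/PATH_MAX", path)
    return path, hashed


def odd_categories(last: int) -> str:
    """'c1,c3,...,c<last>', the category pattern used in the thread's tests."""
    return ",".join(f"c{i}" for i in range(1, last + 1, 2))


def report_context(last: int) -> str:
    """File context from the report's log line, with odd categories up to <last>."""
    return f"staff_u:object_r:staff_home_dir_t:s5:{odd_categories(last)}"


if __name__ == "__main__":
    # Constructed from the thread: ealuser with odd categories up to c105 and c107.
    for last in (105, 107):
        path, hashed = instance_dir("/home/home.inst", report_context(last), "ealuser")
        print(f"up to c{last}: {'hashed' if hashed else 'readable'}, "
              f"basename {len(os.path.basename(path))} bytes")
```

The arithmetic reproduces the boundary the thread found: with the staff_u:object_r:staff_home_dir_t:s5: prefix and the suffix _ealuser, odd categories up to c105 give a 254-byte basename that fits under NAME_MAX, while adding c107 pushes it to 259 and the readable name has to be replaced.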
The original problem was in mcstrans and should be resolved with the current LSPP packages.
I have created bug 230120 for the 'large number of categories problem'.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0542.html