Bug 234951 - [LSPP] openssh server fails to parse level correctly
Summary: [LSPP] openssh server fails to parse level correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssh
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: RHEL5LSPPCertTracker
Reported: 2007-04-03 02:27 UTC by Klaus Kiwi (Old account no longer used)
Modified: 2007-11-30 22:07 UTC (History)
Fixed In Version: RHSA-2007-0540
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 15:32:44 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0540 0 normal SHIPPED_LIVE Moderate: openssh security and bug fix update 2007-11-07 16:19:19 UTC

Description Klaus Kiwi (Old account no longer used) 2007-04-03 02:27:08 UTC
Description of problem:
Look what happens when you try to log in using this:
[root/sysadm_r/SystemLow@oracer5 ~]# ssh -l 'ealuser/sysadm_r/' localhost
Password:
Last login: Mon Apr  2 14:50:44 2007 from localhost.localdomain
[ealuser/sysadm_r/@oracer5 ~]$ id
uid=500(ealuser) gid=500(ealuser) groups=10(wheel),500(ealuser)
context=staff_u:sysadm_r:sysadm_t
[ealuser/sysadm_r/@oracer5 ~]$ touch a
[ealuser/sysadm_r/@oracer5 ~]$ ls -lZ a
-rw-r--r--  ealuser ealuser staff_u:object_r:staff_home_t    a


Notice that the user has *no* clearance associated with it (!!)

I accept that this might be an openssh error, but how can everyone else (pam,
selinux itself) allow such a thing? I could even create a file that has
absolutely no info about level! Steve?

Version-Release number of selected component (if applicable):
openssh-4.3p2-20.el5
openssh-clients-4.3p2-20.el5
openssh-server-4.3p2-20.el5


How reproducible:
every time

Steps to Reproduce:
1. log in using
ssh -l 'ealuser/staff_r/' localhost
or 
ssh ealuser/sysadm_r/@localhost
(any user/role will work, given that you specify a role but no level)
2. enter password
3. check your clearance with 'id'
  
Actual results:
something like:
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t


Expected results:
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t:SystemLow-SystemHigh


Additional info:

----audit log at the time of log-in--------------
type=USER_AUTH msg=audit(1175543444.437:17061): user pid=7543 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
authentication acct=ealuser : exe="/usr/sbin/sshd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1175543444.443:17062): user pid=7543 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
accounting acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=ssh res=success)'
type=AVC msg=audit(1175543444.463:17063): avc:  granted  { setexec } for 
pid=7541 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1175543444.463:17063): arch=c000003e syscall=1
success=yes exit=30 a0=4 a1=55556f8702f0 a2=1e a3=55556f879bd0 items=0 ppid=2187
pid=7541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=USER_ROLE_CHANGE msg=audit(1175543444.464:17064): user pid=7541 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd:
default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023
selected-context=staff_u:sysadm_r:sysadm_t:s15: exe="/usr/sbin/sshd"
(hostname=?, addr=?, terminal=? res=success)'
type=CRED_ACQ msg=audit(1175543444.465:17065): user pid=7541 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred
acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=ssh res=success)'
type=LOGIN msg=audit(1175543444.466:17066): login pid=7541 uid=0 old
auid=4294967295 new auid=500
type=AVC msg=audit(1175543444.469:17067): avc:  granted  { setexec } for 
pid=7546 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1175543444.469:17067): arch=c000003e syscall=1
success=yes exit=0 a0=5 a1=0 a2=0 a3=55556f879bd0 items=0 ppid=7541 pid=7546
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023
key=(null)
type=AVC msg=audit(1175543444.474:17068): avc:  granted  { setexec } for 
pid=7547 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1175543444.474:17068): arch=c000003e syscall=1
success=yes exit=0 a0=5 a1=0 a2=0 a3=55556f870320 items=0 ppid=7541 pid=7547
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023
key=(null)
type=AVC msg=audit(1175543444.480:17069): avc:  granted  { setexec } for 
pid=7548 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1175543444.480:17069): arch=c000003e syscall=1
success=yes exit=0 a0=5 a1=0 a2=0 a3=55556f8702f0 items=0 ppid=7541 pid=7548
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023
key=(null)
type=USER_START msg=audit(1175543444.484:17070): user pid=7541 uid=0 auid=500
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session open
acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1175543444.486:17071): user pid=7549 uid=0 auid=500
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ealuser :
exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1,
terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1175543444.490:17072): user pid=7541 uid=0 auid=500
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=/dev/pts/2 res=success)'
-----------
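The failure the report describes is a level that goes missing between the login-name parser and the selected context: a role is requested with an empty level field, and the USER_ROLE_CHANGE record shows the selected context ending in a bare level fragment instead of a full MLS range. The Python below is an added example, not openssh's own code, showing one way to parse the user/role/level login-name syntax so that an empty trailing field falls back to the default range, together with an audit-side check that flags a selected-context value whose level is missing or malformed. DEFAULT_CONTEXT is copied from the default-context value in the audit record above; ROLE_TYPES is an assumed role-to-type mapping covering only the two roles visible in the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default context sshd computed for the account before applying the
# requested role (taken from the USER_ROLE_CHANGE audit record in the report).
DEFAULT_CONTEXT = "staff_u:staff_r:staff_t:s0-s15:c0.c1023"

# Assumed role -> domain mapping; only the two roles visible in the report.
ROLE_TYPES: Dict[str, str] = {"staff_r": "staff_t", "sysadm_r": "sysadm_t"}

# Raw MLS level or range: sN[:cats][-sN[:cats]], cats = cA[.cB](,cA[.cB])*
_CATS = r"c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*"
LEVEL_RE = re.compile(rf"^s\d+(?::{_CATS})?(?:-s\d+(?::{_CATS})?)?$")


@dataclass
class LoginName:
    user: str
    role: Optional[str]
    level: Optional[str]


def parse_login_name(name: str) -> LoginName:
    """Split 'user[/role[/level]]'. An empty trailing field (the
    'ealuser/sysadm_r/' case from the report) means 'not requested',
    never an empty level string."""
    fields = name.split("/")
    if not fields[0] or len(fields) > 3:
        raise ValueError(f"bad login name: {name!r}")
    role = fields[1] if len(fields) > 1 and fields[1] else None
    level = fields[2] if len(fields) > 2 and fields[2] else None
    return LoginName(fields[0], role, level)


def split_context(ctx: str) -> Tuple[str, str, str, str]:
    """Return (user, role, type, level); level is '' when absent. Only the
    first three ':' are separators because the level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else "")


def build_context(login: LoginName, default_ctx: str,
                  role_types: Dict[str, str]) -> str:
    """Apply the requested role/level to the default context. The level falls
    back to the default range when not requested and is validated, so a
    fragment such as 's15:' is rejected rather than handed to setexeccon."""
    user, role, type_, level = split_context(default_ctx)
    if login.role is not None:
        if login.role not in role_types:
            raise ValueError(f"unknown role: {login.role!r}")
        role, type_ = login.role, role_types[login.role]
    if login.level is not None:
        level = login.level
    if not LEVEL_RE.match(level):
        raise ValueError(f"invalid MLS level: {level!r}")
    return f"{user}:{role}:{type_}:{level}"


def check_selected(ctx: str) -> List[str]:
    """Audit-side check for a raw selected-context value: report a missing
    level or a level that is not a well-formed raw MLS range."""
    try:
        _, _, _, level = split_context(ctx)
    except ValueError as e:
        return [str(e)]
    if level == "":
        return ["no MLS level in context"]
    if not LEVEL_RE.match(level):
        return [f"level {level!r} is not a valid raw MLS range"]
    return []


if __name__ == "__main__":
    for name in ("ealuser", "ealuser/sysadm_r", "ealuser/sysadm_r/",
                 "ealuser/sysadm_r/s15"):
        ctx = build_context(parse_login_name(name), DEFAULT_CONTEXT, ROLE_TYPES)
        print(f"{name:24} -> {ctx}")
    # The selected-context value from the report's audit record.
    print(check_selected("staff_u:sysadm_r:sysadm_t:s15:"))
```

check_selected expects raw contexts as they appear in audit records; the `id` output in the report shows translated level names (SystemLow, SystemHigh), which the raw-range pattern deliberately does not accept.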

Comment 1 Tomas Mraz 2007-04-03 08:01:31 UTC
pam_selinux is not used in openssh configuration.

The real raw context selected is staff_u:sysadm_r:sysadm_t:s15.

I found the cause of the bug, it will be fixed in the next openssh release.


Comment 2 RHEL Program Management 2007-04-03 08:04:45 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Tomas Mraz 2007-04-03 15:45:04 UTC
Fixed in openssh-4.3p2-21.el5

Comment 7 errata-xmlrpc 2007-11-07 15:32:44 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0540.html
