Bug 234951 - [LSPP] openssh server fails to parse level correctly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssh
Version: 5.0
Hardware/OS: All Linux
Priority: medium
Severity: urgent
Assigned To: Tomas Mraz
Brian Brock
Blocks: RHEL5LSPPCertTracker
Reported: 2007-04-02 22:27 EDT by Klaus Heinrich Kiwi
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2007-0540
Doc Type: Bug Fix
Last Closed: 2007-11-07 10:32:44 EST
Description Klaus Heinrich Kiwi 2007-04-02 22:27:08 EDT
Description of problem:
Look what happens when you try to log in using this:
[root/sysadm_r/SystemLow@oracer5 ~]# ssh -l 'ealuser/sysadm_r/' localhost
Password:
Last login: Mon Apr  2 14:50:44 2007 from localhost.localdomain
[ealuser/sysadm_r/@oracer5 ~]$ id
uid=500(ealuser) gid=500(ealuser) groups=10(wheel),500(ealuser)
context=staff_u:sysadm_r:sysadm_t
[ealuser/sysadm_r/@oracer5 ~]$ touch a
[ealuser/sysadm_r/@oracer5 ~]$ ls -lZ a
-rw-r--r--  ealuser ealuser staff_u:object_r:staff_home_t    a


Notice that the user has *no* clearance associated with it (!!)

I accept that this might be an openssh error, but how can everyone else (pam,
selinux itself) allow such a thing? I could even create a file that has
absolutely no info about level! Steve?

Version-Release number of selected component (if applicable):
openssh-4.3p2-20.el5
openssh-clients-4.3p2-20.el5
openssh-server-4.3p2-20.el5


How reproducible:
every time

Steps to Reproduce:
1. log in using
ssh -l 'ealuser/staff_r/' localhost
or 
ssh ealuser/sysadm_r/@localhost
(any user/role will work, given that you specify a role but no level)
2. enter password
3. check your clearance with 'id'
Actual results:
something like:
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t


Expected results:
uid=501(testuser) gid=501(testuser) groups=501(testuser)
context=testuser_u:user_r:user_t:SystemLow-SystemHigh


Additional info:

----audit log by the time of log-in--------------
type=USER_AUTH msg=audit(1175543444.437:17061): user pid=7543 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
authentication acct=ealuser : exe="/usr/sbin/sshd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1175543444.443:17062): user pid=7543 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
accounting acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=ssh res=success)'
type=AVC msg=audit(1175543444.463:17063): avc:  granted  { setexec } for 
pid=7541 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1175543444.463:17063): arch=c000003e syscall=1
success=yes exit=30 a0=4 a1=55556f8702f0 a2=1e a3=55556f879bd0 items=0 ppid=2187
pid=7541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=USER_ROLE_CHANGE msg=audit(1175543444.464:17064): user pid=7541 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd:
default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023
selected-context=staff_u:sysadm_r:sysadm_t:s15: exe="/usr/sbin/sshd"
(hostname=?, addr=?, terminal=? res=success)'
type=CRED_ACQ msg=audit(1175543444.465:17065): user pid=7541 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred
acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=ssh res=success)'
type=LOGIN msg=audit(1175543444.466:17066): login pid=7541 uid=0 old
auid=4294967295 new auid=500
type=AVC msg=audit(1175543444.469:17067): avc:  granted  { setexec } for 
pid=7546 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1175543444.469:17067): arch=c000003e syscall=1
success=yes exit=0 a0=5 a1=0 a2=0 a3=55556f879bd0 items=0 ppid=7541 pid=7546
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023
key=(null)
type=AVC msg=audit(1175543444.474:17068): avc:  granted  { setexec } for 
pid=7547 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1175543444.474:17068): arch=c000003e syscall=1
success=yes exit=0 a0=5 a1=0 a2=0 a3=55556f870320 items=0 ppid=7541 pid=7547
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023
key=(null)
type=AVC msg=audit(1175543444.480:17069): avc:  granted  { setexec } for 
pid=7548 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1175543444.480:17069): arch=c000003e syscall=1
success=yes exit=0 a0=5 a1=0 a2=0 a3=55556f8702f0 items=0 ppid=7541 pid=7548
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023
key=(null)
type=USER_START msg=audit(1175543444.484:17070): user pid=7541 uid=0 auid=500
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session open
acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1175543444.486:17071): user pid=7549 uid=0 auid=500
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ealuser :
exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1,
terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1175543444.490:17072): user pid=7541 uid=0 auid=500
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=/dev/pts/2 res=success)'
-----------
Comment 1 Tomas Mraz 2007-04-03 04:01:31 EDT
pam_selinux is not used in openssh configuration.

The real raw context selected is staff_u:sysadm_r:sysadm_t:s15.

I found the cause of the bug; it will be fixed in the next openssh release.
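The defect above is a parsing edge case: the ssh login name may carry a requested SELinux role and level as `user/role/level`, and a spec with a role but an empty level (`ealuser/sysadm_r/`) ended up as a session context with no usable clearance, visible in the audit record as `selected-context=staff_u:sysadm_r:sysadm_t:s15:`. The following is an added illustration, not openssh's code or the RHEL fix: the login-spec split, the small role-to-type table and the joined one-line audit records are assumptions constructed for the example. It shows the safe handling a defender wants (a missing level inherits the default context's range instead of becoming an empty field), a validator that rejects a context whose MLS level is malformed, and a scan over audit `USER_ROLE_CHANGE` records that flags sessions established with such a context.

```python
"""Model of the user/role/level login-spec edge case from this bug (added
example; not openssh's code). All names below are hypothetical."""
import re

# MLS level: s<n>, optional categories (c0.c1023 or c1,c5), optional low-high
# range joined by '-'. This is the syntax seen in the bug's audit records.
_CAT = r"c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*"
_LEVEL = rf"s\d+(?::{_CAT})?"
_RANGE_RE = re.compile(rf"^{_LEVEL}(?:-{_LEVEL})?$")

# Constructed role->domain table standing in for the policy's default type.
ROLE_TYPE = {"staff_r": "staff_t", "sysadm_r": "sysadm_t", "user_r": "user_t"}

# Default context as reported by sshd in the bug's USER_ROLE_CHANGE record.
DEFAULT_CTX = "staff_u:staff_r:staff_t:s0-s15:c0.c1023"


def split_login_spec(login):
    """Split 'user[/role[/level]]' into (user, role, level); empty parts -> None."""
    user, _, rest = login.partition("/")
    role, _, level = rest.partition("/")
    return user, role or None, level or None


def is_valid_range(level):
    """True only for a well-formed MLS level or low-high range."""
    return bool(level) and _RANGE_RE.match(level) is not None


def is_valid_context(ctx):
    """A usable MLS context is exactly user:role:type:range with a valid range.
    'staff_u:sysadm_r:sysadm_t:s15:' (dangling colon) is rejected."""
    parts = ctx.split(":", 3)
    return len(parts) == 4 and all(parts[:3]) and is_valid_range(parts[3])


def select_context(default_ctx, login):
    """Build the session context from the default context and the login spec.

    An absent level inherits the default context's range instead of being
    emitted as an empty field; an explicit but malformed level is refused.
    """
    seuser, drole, dtype, drange = default_ctx.split(":", 3)
    _user, role, level = split_login_spec(login)
    role = role or drole
    rtype = ROLE_TYPE.get(role, dtype)
    level = drange if level is None else level
    if not is_valid_range(level):
        raise ValueError(f"malformed MLS level {level!r} in login spec {login!r}")
    ctx = f"{seuser}:{role}:{rtype}:{level}"
    if not is_valid_context(ctx):
        raise ValueError(f"refusing to use malformed context {ctx!r}")
    return ctx


_SEL_RE = re.compile(r"type=USER_ROLE_CHANGE .*?selected-context=(\S+)")


def find_bad_role_changes(audit_lines):
    """Return the selected-context of every USER_ROLE_CHANGE record whose
    context is not a complete user:role:type:range (detection check)."""
    bad = []
    for line in audit_lines:
        m = _SEL_RE.search(line)
        if m and not is_valid_context(m.group(1)):
            bad.append(m.group(1))
    return bad


# Constructed audit records modelled on the ones in this report; real auditd
# output keeps each record on a single line.
SAMPLE_AUDIT = [
    "type=USER_ROLE_CHANGE msg=audit(1175543444.464:17064): user pid=7541 uid=0 "
    "auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: "
    "default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 "
    "selected-context=staff_u:sysadm_r:sysadm_t:s15: exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=?, terminal=? res=success)'",
    "type=USER_ROLE_CHANGE msg=audit(1175543500.000:17100): user pid=7600 uid=0 "
    "auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: "
    "default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 "
    "selected-context=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "exe=\"/usr/sbin/sshd\" (hostname=?, addr=?, terminal=? res=success)'",
    "type=USER_LOGIN msg=audit(1175543444.490:17072): user pid=7541 uid=0 auid=500 "
    "subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='uid=500: exe=\"/usr/sbin/sshd\" "
    "(hostname=localhost.localdomain, addr=127.0.0.1, terminal=/dev/pts/2 res=success)'",
]

if __name__ == "__main__":
    print(select_context(DEFAULT_CTX, "ealuser/sysadm_r/"))
    print(find_bad_role_changes(SAMPLE_AUDIT))
```

With the bug's login spec `ealuser/sysadm_r/`, `select_context` yields `staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023`, the clearance the reporter expected, and the audit scan singles out the record whose selected context ends in a dangling colon. The same `is_valid_context` check is what an LSPP-style deployment would want to run over `USER_ROLE_CHANGE` events to confirm that no session was ever started without a level.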
Comment 2 RHEL Product and Program Management 2007-04-03 04:04:45 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Tomas Mraz 2007-04-03 11:45:04 EDT
Fixed in openssh-4.3p2-21.el5
Comment 7 errata-xmlrpc 2007-11-07 10:32:44 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0540.html
