Bug 453424 - Custom minimal privilege user is unable to log in.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-30 11:13 EDT by jonathan.stott
Modified: 2008-06-30 16:21 EDT
Doc Type: Bug Fix
Last Closed: 2008-06-30 13:39:12 EDT

Attachments
example policy file to reproduce bug (written by domg472) (272 bytes, application/octet-stream)
2008-06-30 11:13 EDT, jonathan.stott
Description jonathan.stott 2008-06-30 11:13:42 EDT
Description of problem:
Attempting to create an unprivileged user who can ssh out apparently happens
without incident, but on attempting to log into the user via ssh, the message

Unable to get valid context for username

is displayed, and the user is immediately logged out.


Version-Release number of selected component (if applicable):
3.3.1.r69.fc9

How reproducible:
Has occurred on at least two systems, and on my local system with both the simple
example shown here and a more complex one generated with the polgengui.

Steps to Reproduce:
1. create the te file in the attachment
2. make -f /usr/share/selinux/devel/Makefile
3. semodule -i sshout.pp
4. /usr/sbin/semanage user -a -L s0 -r s0-s0 -R sshout_r -P user sshout_u
5. /usr/sbin/useradd -Z sshout_u test
6. ssh test@localhost
 
Actual results:

ssh displays the message:

Unable to get valid context for test
Last login: Mon Jun 30 15:32:10 2008 from localhost.localdomain
Connection to localhost closed.

and /var/log/secure shows:

Jun 30 15:32:10 hostname sshd[2915]: Accepted password for test from 127.0.0.1
port 50065 ssh2
Jun 30 15:32:10 hostname sshd[2915]: pam_unix(sshd:session): session opened for
user sanjay by (uid=0)
Jun 30 15:32:10 hostname sshd[2915]: pam_selinux(sshd:session): Security context
sshout_u:sshout_r:oddjob_mkhomedir_t:s0 is not allowed for
sshout_u:sshout_r:oddjob_mkhomedir_t:s0
Jun 30 15:32:10 hostname sshd[2915]: pam_selinux(sshd:session): Unable to get
valid context for test
Jun 30 15:32:10 hostname sshd[2915]: error: PAM: pam_open_session():
Authentication failure
Jun 30 15:32:10 hostname sshd[2915]: error: ssh_selinux_setup_pty:
security_compute_relabel: Invalid argument

Expected results:

The user could be logged into remotely, and would then function as an
under-privileged account which could ssh out.
Comment 1 jonathan.stott 2008-06-30 11:13:42 EDT
Created attachment 310592 [details]
example policy file to reproduce bug (written by domg472)
Comment 2 Daniel Walsh 2008-06-30 13:39:12 EDT
The problem is that you do not have
	
optional_policy(`
	oddjob_run_mkhomedir(sshout_t, sshout_r, { sshout_devpts_t sshout_tty_device_t })
')

Which allows the mkhomedir program to be run at login by the user.  It is
expected that the homedir was pre-created for the least priv user.

You can argue that this should be allowed ...
Comment 3 Daniel Walsh 2008-06-30 15:52:36 EDT
No never mind, this is wrong.  The problem I believe is you do not have a file
/etc/selinux/targeted/contexts/users/sshout_u
You can base it off of 

/etc/selinux/targeted/contexts/users/guest_u
Comment 4 jonathan.stott 2008-06-30 16:21:53 EDT
Yes, that did indeed fix the problem.

Thank you!
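The reporter's reproduction steps and the fix from Comment 3 combined into one script, as an added example that is not part of the bug report or of selinux-policy. The reason the file matters: pam_selinux asks libselinux for the ordered context list of the SELinux user, which is read from /etc/selinux/targeted/contexts/users/<seuser> first and falls back to default_contexts; the stock default_contexts only names the stock roles (user_r, staff_r, sysadm_r, unconfined_r), so a user whose only role is sshout_r matches nothing and gets "Unable to get valid context". The list of login-entry domains and the exact file layout below are my assumptions modelled on the guest_u file's pattern; diff the generated file against your own guest_u before deploying it. The helper functions run anywhere; reproduce_with_fix needs root on a Fedora box with the attached sshout.te in the current directory.

```shell
#!/bin/sh
# Added example, not from the bug report: generate the per-SELinux-user
# default contexts file that Comment 3 identifies as missing, then run the
# reporter's steps with that file created between steps 4 and 5.
#
# Assumptions (mine, not stated on the page):
#  - the policy store is /etc/selinux/targeted (override SELINUX_ROOT to test)
#  - LOGIN_DOMAINS are the login-entry domains a minimal user needs mapped;
#    the real guest_u file on your system is authoritative.
set -eu

SELINUX_ROOT="${SELINUX_ROOT:-/etc/selinux/targeted}"

# Each line of contexts/users/<seuser> reads:
#   <login program context><TAB><allowed user context> [more, in preference order]
# The first column is the context of the program doing the login.
LOGIN_DOMAINS="local_login_t remote_login_t sshd_t crond_t xdm_t"

# gen_user_contexts ROLE DOMAIN
# Print a contexts file for a user whose only login context is ROLE:DOMAIN:s0.
gen_user_contexts() {
    role=$1 domain=$2
    for d in $LOGIN_DOMAINS; do
        printf 'system_r:%s:s0\t%s:%s:s0\n' "$d" "$role" "$domain"
    done
    # Re-entry from the user's own domain (su/newrole) maps to itself.
    printf '%s:%s:s0\t%s:%s:s0\n' "$role" "$domain" "$role" "$domain"
}

# install_user_contexts SEUSER ROLE DOMAIN
# Write contexts/users/SEUSER; refuse to clobber an existing file and
# print the path written.
install_user_contexts() {
    target="$SELINUX_ROOT/contexts/users/$1"
    if [ -e "$target" ]; then
        echo "refusing to overwrite $target" >&2
        return 1
    fi
    mkdir -p "$(dirname "$target")"
    gen_user_contexts "$2" "$3" > "$target"
    chmod 0644 "$target"
    echo "$target"
}

# has_user_contexts SEUSER -> succeeds if the file exists and is non-empty.
# This is the check to run before the useradd step.
has_user_contexts() {
    [ -s "$SELINUX_ROOT/contexts/users/$1" ]
}

# The reporter's steps 2-5 verbatim, with the fix inserted after step 4.
# Requires root, the selinux-policy-devel Makefile, and sshout.te in the cwd.
reproduce_with_fix() {
    make -f /usr/share/selinux/devel/Makefile
    semodule -i sshout.pp
    /usr/sbin/semanage user -a -L s0 -r s0-s0 -R sshout_r -P user sshout_u
    install_user_contexts sshout_u sshout_r sshout_t
    has_user_contexts sshout_u
    /usr/sbin/useradd -Z sshout_u test
    # ssh test@localhost should now land in sshout_u:sshout_r:sshout_t:s0
}

if [ "${1:-}" = "--apply" ]; then
    reproduce_with_fix
fi
```

Run with --apply only on the target box; without arguments the script just defines the helpers, so it can be sourced to generate the file for any custom user/role/domain triple.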
