Bug 453424 - Custom minimal privilege user is unable to login.
Summary: Custom minimal privilege user is unable to login.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-06-30 15:13 UTC by jonathan.stott
Modified: 2008-06-30 20:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-30 17:39:12 UTC
Type: ---
Embargoed:


Attachments
example policy file to reproduce bug (written by domg472) (272 bytes, application/octet-stream)
2008-06-30 15:13 UTC, jonathan.stott

Description jonathan.stott 2008-06-30 15:13:42 UTC
Description of problem:
Attempting to create an unprivileged user who can ssh out apparently happens
without incident, but on attempting to log into the user via ssh, the message

Unable to get valid context for username

is displayed, and the user is immediately logged out.


Version-Release number of selected component (if applicable):
3.3.1.r69.fc9

How reproducible:
Has occurred on at least two systems, and on my local system with both simple
example shown here and a more complex one generated with the polgengui.

Steps to Reproduce:
1. create the te file in the attachment
2. make -f /usr/share/selinux/devel/Makefile
3. semodule -i sshout.pp
4. /usr/sbin/semanage user -a -L s0 -r s0-s0 -R sshout_r -P user sshout_u
5. /usr/sbin/useradd -Z sshout_u test
6. ssh test@localhost
 
Actual results:

ssh displays the message:

Unable to get valid context for test
Last login: Mon Jun 30 15:32:10 2008 from localhost.localdomain
Connection to localhost closed.

and /var/log/secure shows:

Jun 30 15:32:10 hostname sshd[2915]: Accepted password for test from 127.0.0.1 port 50065 ssh2
Jun 30 15:32:10 hostname sshd[2915]: pam_unix(sshd:session): session opened for user sanjay by (uid=0)
Jun 30 15:32:10 hostname sshd[2915]: pam_selinux(sshd:session): Security context sshout_u:sshout_r:oddjob_mkhomedir_t:s0 is not allowed for sshout_u:sshout_r:oddjob_mkhomedir_t:s0
Jun 30 15:32:10 hostname sshd[2915]: pam_selinux(sshd:session): Unable to get valid context for test
Jun 30 15:32:10 hostname sshd[2915]: error: PAM: pam_open_session(): Authentication failure
Jun 30 15:32:10 hostname sshd[2915]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

Expected results:

The user could be logged into remotely, and would then function as an
under-privileged account which could ssh out.

Comment 1 jonathan.stott 2008-06-30 15:13:42 UTC
Created attachment 310592 [details]
example policy file to reproduce bug (written by domg472)

Comment 2 Daniel Walsh 2008-06-30 17:39:12 UTC
The problem is that you do not have

optional_policy(`
	oddjob_run_mkhomedir(sshout_t, sshout_r, { sshout_devpts_t sshout_tty_device_t })
')

Which allows the mkhomedir program to be run at login by the user.  It is
expected that the homedir was pre-created for the least priv user.

You can argue that this should be allowed ...


Comment 3 Daniel Walsh 2008-06-30 19:52:36 UTC
No, never mind, this is wrong.  The problem I believe is you do not have a file
/etc/selinux/targeted/contexts/users/sshout_u
You can base it off of

/etc/selinux/targeted/contexts/users/guest_u
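
Added example (not code from the bug report or from selinux-policy): it derives the per-user contexts file that comment 3 says was missing from a guest_u-style template, and checks that the result gives sshd_t a mapping into the custom role and type, which is what pam_selinux needs to compute a context for the ssh session. The template contents and the names sshout_u, sshout_r and sshout_t are assumptions.

```shell
#!/bin/sh
# Added example: build /etc/selinux/targeted/contexts/users/<seuser> for a
# custom login user from the stock guest_u file. Assumed names:
# sshout_u / sshout_r / sshout_t. Nothing here touches /etc/selinux.

# Constructed stand-in for /etc/selinux/targeted/contexts/users/guest_u
# (the shipped file may contain more lines). Each line maps the context of
# a login program to the default context a guest_u login gets from it.
GUEST_U_TEMPLATE='system_r:local_login_t:s0  guest_r:guest_t:s0
system_r:remote_login_t:s0  guest_r:guest_t:s0
system_r:sshd_t:s0  guest_r:guest_t:s0
system_r:crond_t:s0  guest_r:guest_t:s0
guest_r:guest_t:s0  guest_r:guest_t:s0'

# derive_user_contexts USER ROLE TYPE
# Reads a guest_u-style contexts file on stdin and writes the same mappings
# with the guest identifiers replaced by the custom user's identifiers.
derive_user_contexts() {
    sed -e "s/guest_u/$1/g" -e "s/guest_r/$2/g" -e "s/guest_t/$3/g"
}

# has_sshd_mapping FILE ROLE TYPE
# Succeeds only if FILE gives sshd_t a default context of ROLE:TYPE:s0.
# Without such a line pam_selinux cannot pick a context for the session,
# which surfaces as "Unable to get valid context for <user>".
has_sshd_mapping() {
    grep -q "^system_r:sshd_t:s0[[:space:]][[:space:]]*$2:$3:s0" "$1"
}

# Stand-alone run: write the derived file to a temporary path so it can be
# inspected before being copied into place as the sshout_u contexts file.
out=$(mktemp)
printf '%s\n' "$GUEST_U_TEMPLATE" | derive_user_contexts sshout_u sshout_r sshout_t > "$out"
if has_sshd_mapping "$out" sshout_r sshout_t; then
    echo "derived contexts file at $out maps sshd_t to sshout_r:sshout_t"
else
    echo "derived contexts file at $out lacks the sshd_t mapping" >&2
fi
```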

Comment 4 jonathan.stott 2008-06-30 20:21:53 UTC
Yes, that did indeed fix the problem.

Thank you!

