Bug 487860 - ssh_sysadm_login unconfined_login do not work
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-28 12:38 UTC by Dominick Grift
Modified: 2009-03-08 11:38 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-03-05 19:34:20 UTC

Description Dominick Grift 2009-02-28 12:38:14 UTC
Description of problem:
The booleans to disallow the login of privileged domains do not work.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.6.6-6.fc11.noarch
selinux-policy-3.6.6-6.fc11.noarch

How reproducible:

> sh-4.0# getsebool -a | grep sysadm
> allow_sysadm_exec_content --> on
> ssh_sysadm_login --> off
> xdm_sysadm_login --> off
> 
> [dgrift@notebook1 ~]$ ssh dgrift/sysadm_r@localhost
> WARNING!!! You have accessed a private network.
> UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
> Violators may be prosecuted to the full extend of the law.
> Your access to this network may be monitored and recorded for quality
> assurance, security, performance, and maintenance purposes.
> dgrift/sysadm_r@localhost's password: 
> Last login: Fri Feb 27 13:35:33 2009 from localhost.localdomain
> [dgrift@notebook1 ~]$ id -Z
> dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [dgrift@notebook1 ~]$ 

Expected results:
permission denied

Additional info:
unconfined_login --> off also lets one log in unconfined via ssh using ssh dgrift/unconfined_r@localhost

Comment 1 Daniel Walsh 2009-03-05 19:34:20 UTC
Fixed in selinux-policy-3.6.8-1.fc11

Comment 2 Dominick Grift 2009-03-08 11:38:55 UTC
unconfined_login works:

[dgrift@desktop1 ~]$ ssh dgrift/unconfined_r@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is af:b1:ff:4f:81:98:be:9e:89:55:49:68:6d:fc:52:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
WARNING!!! You have accessed a private network.
UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
Violators may be prosecuted to the full extend of the law.
Your access to this network may be monitored and recorded for quality
assurance, security, performance, and maintenance purposes.
dgrift/unconfined_r@localhost's password: 
Last login: Sun Mar  8 11:41:53 2009 from ip120-92-211-87.adsl2.static.versatel.nl
/bin/bash: Permission denied
Connection to localhost closed.

ssh_sysadm_login does NOT work:


[dgrift@desktop1 ~]$ ssh dgrift/sysadm_r@localhost
WARNING!!! You have accessed a private network.
UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
Violators may be prosecuted to the full extend of the law.
Your access to this network may be monitored and recorded for quality
assurance, security, performance, and maintenance purposes.
dgrift/sysadm_r@localhost's password: 
Last login: Sun Mar  8 12:36:28 2009 from localhost.localdomain
[dgrift@desktop1 ~]$ id -Z
dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh

[dgrift@desktop1 ~]$ rpm -qa | grep targeted
selinux-policy-targeted-3.6.8-1.fc11.noarch
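
Added example, not part of the bug report or of selinux-policy: a regression check for the behaviour tested above, comparing the role in `id -Z` with the login booleans from `getsebool -a`. The function names and the sample boolean list are constructed here, and the role-to-boolean mapping is assumed from the expectations stated in this report.

```shell
#!/bin/sh
# Added example: flag an ssh session whose SELinux role should have been
# denied by the login booleans discussed in this bug.

# Constructed sample input in `getsebool -a` format (not captured from a host).
SAMPLE_BOOLEANS='allow_sysadm_exec_content --> on
ssh_sysadm_login --> off
unconfined_login --> off
xdm_sysadm_login --> off'

# bool_state NAME BOOLEANS: print "on" or "off", or "unknown" if NAME is absent.
bool_state() {
    _state=$(printf '%s\n' "$2" |
        awk -v n="$1" '$1 == n && $2 == "-->" { print $3; exit }')
    printf '%s\n' "${_state:-unknown}"
}

# role_of CONTEXT: second field of user:role:type[:range].
role_of() {
    printf '%s\n' "$1" | cut -d: -f2
}

# check_ssh_login CONTEXT BOOLEANS
# Returns 0 when the session role is consistent with the booleans,
# 1 when a role is active although its boolean is off,
# 2 when the boolean needed for the decision is missing from the input.
check_ssh_login() {
    _role=$(role_of "$1")
    case "$_role" in
        sysadm_r)     _bool=ssh_sysadm_login ;;  # mapping assumed from the report
        unconfined_r) _bool=unconfined_login ;;
        *)            return 0 ;;                # role not gated by these booleans
    esac
    case "$(bool_state "$_bool" "$2")" in
        on)  return 0 ;;
        off) echo "VIOLATION: $_role session while $_bool is off" >&2; return 1 ;;
        *)   echo "UNKNOWN: boolean $_bool not found" >&2; return 2 ;;
    esac
}

# Demo with the context shown in the report and the constructed boolean list.
check_ssh_login 'dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh' \
    "$SAMPLE_BOOLEANS" || echo "exit status: $?"

# On a live host, inside the ssh session under test:
#   check_ssh_login "$(id -Z)" "$(getsebool -a)"
```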

