Bug 487860 - ssh_sysadm_login unconfined_login do not work
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-28 07:38 EST by Dominick Grift
Modified: 2009-03-08 07:38 EDT
Doc Type: Bug Fix
Last Closed: 2009-03-05 14:34:20 EST
Description Dominick Grift 2009-02-28 07:38:14 EST
Description of problem:
The booleans to disallow the login of privileged domains do not work.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.6.6-6.fc11.noarch
selinux-policy-3.6.6-6.fc11.noarch

How reproducible:

> sh-4.0# getsebool -a | grep sysadm
> allow_sysadm_exec_content --> on
> ssh_sysadm_login --> off
> xdm_sysadm_login --> off
> 
> [dgrift@notebook1 ~]$ ssh dgrift/sysadm_r@localhost
> WARNING!!! You have accessed a private network.
> UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
> Violators may be prosecuted to the full extend of the law.
> Your access to this network may be monitored and recorded for quality
> assurance, security, performance, and maintenance purposes.
> dgrift/sysadm_r@localhost's password: 
> Last login: Fri Feb 27 13:35:33 2009 from localhost.localdomain
> [dgrift@notebook1 ~]$ id -Z
> dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [dgrift@notebook1 ~]$ 

Expected results:
permission denied

Additional info:
unconfined_login --> off also lets one log in unconfined via ssh using ssh dgrift/unconfined_r@localhost
Comment 1 Daniel Walsh 2009-03-05 14:34:20 EST
Fixed in selinux-policy-3.6.8-1.fc11
Comment 2 Dominick Grift 2009-03-08 07:38:55 EDT
unconfined_login works:

[dgrift@desktop1 ~]$ ssh dgrift/unconfined_r@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is af:b1:ff:4f:81:98:be:9e:89:55:49:68:6d:fc:52:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
WARNING!!! You have accessed a private network.
UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
Violators may be prosecuted to the full extend of the law.
Your access to this network may be monitored and recorded for quality
assurance, security, performance, and maintenance purposes.
dgrift/unconfined_r@localhost's password: 
Last login: Sun Mar  8 11:41:53 2009 from ip120-92-211-87.adsl2.static.versatel.nl
/bin/bash: Permission denied
Connection to localhost closed.

ssh_sysadm_login does NOT work:


[dgrift@desktop1 ~]$ ssh dgrift/sysadm_r@localhost
WARNING!!! You have accessed a private network.
UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
Violators may be prosecuted to the full extend of the law.
Your access to this network may be monitored and recorded for quality
assurance, security, performance, and maintenance purposes.
dgrift/sysadm_r@localhost's password: 
Last login: Sun Mar  8 12:36:28 2009 from localhost.localdomain
[dgrift@desktop1 ~]$ id -Z
dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh

[dgrift@desktop1 ~]$ rpm -qa | grep targeted
selinux-policy-targeted-3.6.8-1.fc11.noarch
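
A regression check for the behaviour reported above, added here as an example and not part of the original bug report or of selinux-policy: it compares the role in a session's `id -Z` context with the state of the boolean that is supposed to gate that role. The function names, the sample boolean list and the `staff_r` test role are constructed for illustration; the role-to-boolean mapping is the one this report describes.

```shell
#!/bin/bash
# Constructed sample input, modelled on the getsebool output quoted in this report.
SAMPLE_BOOLEANS='allow_sysadm_exec_content --> on
ssh_sysadm_login --> off
unconfined_login --> off
xdm_sysadm_login --> off'

# Print the state (on/off) of one boolean from "getsebool -a" style text,
# or "missing" if the boolean is not listed.
bool_state() {   # $1 = boolean name, $2 = getsebool text
    printf '%s\n' "$2" | awk -v b="$1" '
        $1 == b && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# Extract the role (second field) from a user:role:type:level context.
context_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Map an SSH login role to the boolean this report says should gate it.
gating_boolean() {
    case "$1" in
        sysadm_r)     echo ssh_sysadm_login ;;
        unconfined_r) echo unconfined_login ;;
        *)            echo "" ;;
    esac
}

# check_login CONTEXT BOOLEANS
# Returns 0 (consistent), 1 (role active although its boolean is off),
# or 2 (gating boolean not present in the list).
check_login() {
    role=$(context_role "$1")
    gate=$(gating_boolean "$role")
    if [ -z "$gate" ]; then echo "OK: role $role is not gated"; return 0; fi
    state=$(bool_state "$gate" "$2")
    case "$state" in
        on)  echo "OK: $gate is on, $role login permitted"; return 0 ;;
        off) echo "VIOLATION: $gate is off but session runs as $role"; return 1 ;;
        *)   echo "UNKNOWN: $gate not found in boolean list"; return 2 ;;
    esac
}

# Live use on an SELinux host, inside the SSH session under test:
#   check_login "$(id -Z)" "$(getsebool -a)"
```
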