Bug 665838 - Logging in on ajaxterm throws some AVCs
Summary: Logging in on ajaxterm throws some AVCs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-12-27 11:08 UTC by Klaus Lichtenwalder
Modified: 2011-03-22 18:51 UTC

Fixed In Version: selinux-policy-3.9.7-37.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-22 18:51:52 UTC
Type: ---
Embargoed:


Attachments
AVCs from three tests (15.36 KB, application/octet-stream)
2010-12-27 11:08 UTC, Klaus Lichtenwalder
raw text of denials (13.74 KB, text/plain)
2011-02-22 16:49 UTC, Klaus Lichtenwalder

Description Klaus Lichtenwalder 2010-12-27 11:08:27 UTC
Created attachment 470833
AVCs from three tests

Description of problem:
Using ajaxterm throws some AVCs, though obviously everything works.

Version-Release number of selected component (if applicable):
Ajaxterm-0.10-13.fc14.noarch
selinux-policy-targeted-3.9.7-18.fc14.noarch
selinux-policy-3.9.7-18.fc14.noarch

How reproducible:
Just connect to ajaxterm

Actual results:
See attachment

Expected results:
No AVCs.

Additional info:

Comment 1 Ruben Kerkhof 2011-02-11 17:23:28 UTC
I can reproduce this.

When running as user ajaxterm, which is the default, Ajaxterm uses ssh to connect to localhost, so (I think) ajaxterm_t needs to be able to use ssh_exec_t.

Reassigning to selinux-policy.

Comment 2 Daniel Walsh 2011-02-11 19:55:23 UTC
Miroslav, can you back port the ajaxterm from Rawhide into F13, F14?

Comment 3 Miroslav Grepl 2011-02-14 13:58:06 UTC
Fixed in selinux-policy-3.9.7-30.fc14

Comment 4 Fedora Update System 2011-02-21 20:28:07 UTC
selinux-policy-3.9.7-31.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

Comment 5 Fedora Update System 2011-02-22 04:53:42 UTC
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

Comment 6 Klaus Lichtenwalder 2011-02-22 16:48:32 UTC
Hmm, now I get lots more denials (or were these dontaudit in the earlier version?). I'm running in Enforcing, and everything works:

#============= ajaxterm_t ==============
allow ajaxterm_t cert_t:dir search;
allow ajaxterm_t cert_t:file { read getattr open };
allow ajaxterm_t default_context_t:dir search;
allow ajaxterm_t file_context_t:dir search;
allow ajaxterm_t file_context_t:file { read getattr open };
allow ajaxterm_t security_t:file write;
allow ajaxterm_t security_t:security check_context;
allow ajaxterm_t self:process setfscreate;
allow ajaxterm_t ssh_exec_t:file { read execute open execute_no_trans };
allow ajaxterm_t ssh_port_t:tcp_socket name_connect;

Denials raw text is in the attachment.

Comment 7 Klaus Lichtenwalder 2011-02-22 16:49:07 UTC
Created attachment 480178
raw text of denials

Comment 8 Miroslav Grepl 2011-02-22 17:43:54 UTC
Klaus,
could you try to test the following local policy

# cat myajax.te
policy_module(myajax, 1.0)

require {
 type ajaxterm_t;
 role system_r;
}

ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)

Compile and install it using

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myajax.pp

Comment 9 Klaus Lichtenwalder 2011-02-22 19:12:15 UTC
Looks like it cleans up most of the AVCs, but the following AVCs still pop up, and I can't log in:

time->Tue Feb 22 20:06:49 2011
type=SYSCALL msg=audit(1298401609.650:65164): arch=c000003e syscall=59 success=yes exit=0 a0=7f13c8000ce0 a1=7f13c8017000 a2=7f13c8016da0 a3=69746e6568747541 items=0 ppid=3645 pid=3745 auid=500 uid=485 gid=0 euid=485 suid=485 fsuid=485 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:ajaxterm_ssh_t:s0 key=(null)
type=AVC msg=audit(1298401609.650:65164): avc:  denied  { read write } for  pid=3745 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401609.650:65164): avc:  denied  { read write } for  pid=3745 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401609.650:65164): avc:  denied  { read write } for  pid=3745 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401609.650:65164): avc:  denied  { read write } for  pid=3745 comm="ssh" name="14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file


Which is:
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
python  3799 ajaxterm    0u   CHR 136,14      0t0   17 /dev/pts/14
python  3799 ajaxterm    1u   CHR 136,14      0t0   17 /dev/pts/14
python  3799 ajaxterm    2u   CHR 136,14      0t0   17 /dev/pts/14

[root@nepomuk ~]# ps -efZ |grep 3799
unconfined_u:system_r:ajaxterm_t:s0 ajaxterm 3799 3645  0 20:09 pts/14 00:00:00 python /usr/share/ajaxterm/ajaxterm.py --daemon --port=8022 --uid=ajaxterm --pidfile=/var/run/ajaxterm.pid --serverport=22

Comment 10 Miroslav Grepl 2011-02-22 20:39:50 UTC
Ok, so if you execute

# grep ajaxterm_devpts_t /var/log/audit/audit.log | audit2allow -R >> myajax.te
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myajax.pp

does it work then?

Comment 11 Klaus Lichtenwalder 2011-02-23 19:26:21 UTC
Miroslav,

well, works way better...

Two things, though:

- One avc still happens, but it looks like it's not causing too much harm:

time->Wed Feb 23 20:21:41 2011
type=SYSCALL msg=audit(1298488901.106:66795): arch=c000003e syscall=16 success=no exit=-13 a0=0 a1=5413 a2=7fffc954c760 a3=1 items=0 ppid=27217 pid=27233 auid=500 uid=485 gid=0 euid=485 suid=485 fsuid=485 egid=0 sgid=0 fsgid=0 tty=pts14 ses=1 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:ajaxterm_ssh_t:s0 key=(null)
type=AVC msg=audit(1298488901.106:66795): avc:  denied  { ioctl } for  pid=27233 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file

#============= ajaxterm_ssh_t ==============
allow ajaxterm_ssh_t ajaxterm_devpts_t:chr_file ioctl;


- I had to manipulate the ajaxterm.py command. ssh was complaining that no terminal will be acquired, so the shell did not work as expected (e.g. no PS1). I had to add
  cmd+=['-t']
twice to force tty allocation (line 433). Then PS1 was back again.

Klaus
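Added example (not ajaxterm's code and not part of the selinux-policy package): a small Python parser that does by hand what the `grep ... | audit2allow -R` step in Comment 10 does, so the denials quoted in Comments 9 and 11 can be inspected as the rules a local module would grant before anything is installed. It groups AVC records by source type, target type and object class and merges their permission sets; the audit lines are constructed in the shape of the ones quoted above, and the `ssh_port_t` record is an assumed sample that matches the rule listed in Comment 6.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the audit records quoted in this bug
# (Comments 9 and 11); the name_connect record is an assumed extra sample.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1298401609.650:65164): arch=c000003e syscall=59 success=yes exit=0 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:ajaxterm_ssh_t:s0 key=(null)
type=AVC msg=audit(1298401609.650:65164): avc:  denied  { read write } for  pid=3745 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401609.650:65164): avc:  denied  { read write } for  pid=3745 comm="ssh" name="14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298488901.106:66795): avc:  denied  { ioctl } for  pid=27233 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401609.650:65170): avc:  denied  { name_connect } for  pid=3745 comm="ssh" scontext=unconfined_u:system_r:ajaxterm_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
"""

# Only AVC records carry a denial; the permission set sits between the braces.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def source_type(context):
    # A context is user:role:type[:range]; the type is the third field.
    return context.split(':')[2]

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} for every denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (source_type(m['scontext']), source_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return rules

def allow_rules(rules, only_source=None):
    """Render audit2allow-style allow rules, optionally for one source type only."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if only_source and stype != only_source:
            continue
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return out

if __name__ == '__main__':
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Reviewing the merged rule (here `{ ioctl read write }` on `ajaxterm_devpts_t`) against what the confined process actually needs is the step that separates a targeted local module from a blanket grant.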

Comment 12 Fedora Update System 2011-02-24 20:53:04 UTC
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Miroslav Grepl 2011-02-25 11:00:05 UTC
Fixed in selinux-policy-3.9.7-32.fc14

Comment 14 Fedora Update System 2011-03-18 15:06:48 UTC
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14

Comment 15 Fedora Update System 2011-03-21 08:44:50 UTC
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14

Comment 16 Fedora Update System 2011-03-22 18:50:23 UTC
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
