Created attachment 470833 [details]
AVCs from three tests

Description of problem:
Using ajaxterm throws some AVCs, though obviously everything works.

Version-Release number of selected component (if applicable):
Ajaxterm-0.10-13.fc14.noarch
selinux-policy-targeted-3.9.7-18.fc14.noarch
selinux-policy-3.9.7-18.fc14.noarch

How reproducible:
Just connect to ajaxterm.

Actual results:
See attachment.

Expected results:
No AVCs.

Additional info:
I can reproduce this. When running as user ajaxterm, which is the default, Ajaxterm uses ssh to connect to localhost, so (I think) ajaxterm_t needs to be able to use ssh_exec_t. Reassigning to selinux-policy.
Miroslav, can you backport the ajaxterm policy from Rawhide into F13 and F14?
Fixed in selinux-policy-3.9.7-30.fc14
selinux-policy-3.9.7-31.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14
Hmm, now I get lots more denials (or were these dontaudit in the earlier version?). I'm running in Enforcing, and everything works:

#============= ajaxterm_t ==============
allow ajaxterm_t cert_t:dir search;
allow ajaxterm_t cert_t:file { read getattr open };
allow ajaxterm_t default_context_t:dir search;
allow ajaxterm_t file_context_t:dir search;
allow ajaxterm_t file_context_t:file { read getattr open };
allow ajaxterm_t security_t:file write;
allow ajaxterm_t security_t:security check_context;
allow ajaxterm_t self:process setfscreate;
allow ajaxterm_t ssh_exec_t:file { read execute open execute_no_trans };
allow ajaxterm_t ssh_port_t:tcp_socket name_connect;

The raw text of the denials is in the attachment.
Created attachment 480178 [details] raw text of denials
Klaus, could you try to test the following local policy:

# cat myajax.te
policy_module(myajax, 1.0)

require {
    type ajaxterm_t;
    role system_r;
}

ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)

Compile and install it using

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myajax.pp
Looks like it cleans up most of the AVCs, but the following AVCs still pop up, and I can't log in:

time->Tue Feb 22 20:06:49 2011
type=SYSCALL msg=audit(1298401609.650:65164): arch=c000003e syscall=59 success=yes exit=0 a0=7f13c8000ce0 a1=7f13c8017000 a2=7f13c8016da0 a3=69746e6568747541 items=0 ppid=3645 pid=3745 auid=500 uid=485 gid=0 euid=485 suid=485 fsuid=485 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:ajaxterm_ssh_t:s0 key=(null)
type=AVC msg=audit(1298401609.650:65164): avc: denied { read write } for pid=3745 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401609.650:65164): avc: denied { read write } for pid=3745 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401609.650:65164): avc: denied { read write } for pid=3745 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401609.650:65164): avc: denied { read write } for pid=3745 comm="ssh" name="14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file

Which is:

COMMAND PID  USER     FD TYPE DEVICE SIZE/OFF NODE NAME
python  3799 ajaxterm 0u CHR  136,14 0t0      17   /dev/pts/14
python  3799 ajaxterm 1u CHR  136,14 0t0      17   /dev/pts/14
python  3799 ajaxterm 2u CHR  136,14 0t0      17   /dev/pts/14

[root@nepomuk ~]# ps -efZ | grep 3799
unconfined_u:system_r:ajaxterm_t:s0 ajaxterm 3799 3645 0 20:09 pts/14 00:00:00 python /usr/share/ajaxterm/ajaxterm.py --daemon --port=8022 --uid=ajaxterm --pidfile=/var/run/ajaxterm.pid --serverport=22
Ok, so if you execute

# grep ajaxterm_devpts_t /var/log/audit/audit.log | audit2allow -R >> myajax.te
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myajax.pp

does it work then?
Miroslav, well, it works way better... Two things, though:

- One AVC still happens, but it looks like it's not causing too much harm:

time->Wed Feb 23 20:21:41 2011
type=SYSCALL msg=audit(1298488901.106:66795): arch=c000003e syscall=16 success=no exit=-13 a0=0 a1=5413 a2=7fffc954c760 a3=1 items=0 ppid=27217 pid=27233 auid=500 uid=485 gid=0 euid=485 suid=485 fsuid=485 egid=0 sgid=0 fsgid=0 tty=pts14 ses=1 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:ajaxterm_ssh_t:s0 key=(null)
type=AVC msg=audit(1298488901.106:66795): avc: denied { ioctl } for pid=27233 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file

#============= ajaxterm_ssh_t ==============
allow ajaxterm_ssh_t ajaxterm_devpts_t:chr_file ioctl;

- I had to manipulate the ajaxterm.py command. ssh was complaining that no terminal will be acquired, so the shell did not work as expected (no PS1, e.g.). I had to add cmd+=['-t'] twice to force tty allocation (line 433). Then PS1 was back again.

Klaus
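The grep-then-audit2allow step above and the allow rules posted earlier in this report are the same transformation: each "avc: denied { perms } ... scontext=... tcontext=... tclass=..." record becomes "allow <source type> <target type>:<class> { perms };", with repeated records for the same (source, target, class) triple merged. The script below is an added, stand-alone illustration of that mapping (it is not audit2allow, and not part of ajaxterm or selinux-policy); it emits plain allow rules, whereas audit2allow -R additionally replaces rules with reference-policy interface calls where it can find a match. The sample log is constructed: three AVC records are copied from this report and the name_connect record is made up from the ssh_port_t rule listed earlier. The function and module names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log content. The chr_file AVCs
# are copied from this bug report; the tcp_socket AVC is invented from the
# "allow ajaxterm_t ssh_port_t:tcp_socket name_connect;" rule posted above.
# The SYSCALL record shows that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1298401609.650:65164): arch=c000003e syscall=59 success=yes exit=0 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:ajaxterm_ssh_t:s0 key=(null)
type=AVC msg=audit(1298401609.650:65164): avc: denied { read write } for pid=3745 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298488901.106:66795): avc: denied { ioctl } for pid=27233 comm="ssh" path="/dev/pts/14" dev=devpts ino=17 scontext=unconfined_u:system_r:ajaxterm_ssh_t:s0 tcontext=unconfined_u:object_r:ajaxterm_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1298401000.000:65000): avc: denied { name_connect } for pid=3745 comm="ssh" dest=22 scontext=unconfined_u:system_r:ajaxterm_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
"""

# Pull the permission set, both contexts and the object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type. The MLS range may itself contain ':'."""
    return ctx.split(":")[2]


def parse_denials(audit_text, match=None):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC
    denial in audit_text. `match` mimics the grep in the report: only lines
    containing that substring are considered."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        if match is not None and match not in line:
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def format_perms(perms):
    """Single permission bare, several in braces, as in the posted rules."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def allow_rules(rules):
    return sorted(
        f"allow {src} {tgt}:{cls} {format_perms(perms)};"
        for (src, tgt, cls), perms in rules.items()
    )


def policy_module(name, version, rules):
    """Render a loadable .te source with the require block a local module needs."""
    types = sorted({src for src, _, _ in rules} | {tgt for _, tgt, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"policy_module({name}, {version})", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {format_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    lines += allow_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same selection as "grep ajaxterm_devpts_t audit.log | audit2allow".
    print(policy_module("myajax", "1.0", parse_denials(SAMPLE_AUDIT_LOG, match="ajaxterm_devpts_t")))
```

Rules generated this way grant exactly what the confined process attempted, which is why the output is worth reading before semodule -i: a denial is evidence that the domain tried something, not that it should be allowed. Note also that the read/write and ioctl denials from two different days collapse into one rule here, just as a single audit2allow run over both would produce.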
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Fixed in selinux-policy-3.9.7-32.fc14
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.