682974 – MLS: under root ssh-keygen creates .ssh and underlying files with bad context

Bug 682974 - MLS: under root ssh-keygen creates .ssh and underlying files with bad context

Summary: MLS: under root ssh-keygen creates .ssh and underlying files with bad context

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-08 07:23 UTC by Miroslav Vadkerti
Modified:	2011-05-19 12:12 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.7.19-79.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-05-19 12:12:45 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0526	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-05-19 09:37:41 UTC

Description Miroslav Vadkerti 2011-03-08 07:23:43 UTC

Description of problem:
# ssh-keygen 
(creates keys)
# ls -Zd .ssh
drwx------. root root staff_u:object_r:admin_home_t:SystemLow .ssh
# ls -Z .ssh
-rw-------. root root staff_u:object_r:admin_home_t:SystemLow id_rsa
-rw-r--r--. root root staff_u:object_r:admin_home_t:SystemLow id_rsa.pub
# restorecon -RvvF .ssh
restorecon reset /root/.ssh context staff_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa context staff_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa.pub context staff_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-70.el6

How reproducible:
100%

Steps to Reproduce:
1. ssh-keygen
2. ls -dZ .ssh
3. ls -Z .ssh
  
Actual results:
Created .ssh directory and underlying generated files have bad context 

Expected results:
Context correct

Additional info:
This causes denials for example when adding new entry to known_hosts by ssh command

Comment 1 Miroslav Grepl 2011-03-08 12:13:03 UTC

It looks like we are missing a transition

sysadm_t -> sshd_keygen_t -> ssh_keygen_t

We have in F15 policy

---

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t


manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)

---

Comment 2 Miroslav Grepl 2011-03-08 12:15:46 UTC

Mirek,
could you add the following rule


userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)


to the local test policy which we created and test whether it works for you.

Comment 3 Miroslav Vadkerti 2011-03-08 12:27:44 UTC

Yes it resolved the last problem with .ssh directory context:

# ls -Zd .ssh
drwx------. root root staff_u:object_r:ssh_home_t:SystemLow .ssh
# ls -Z .ssh
-rw-------. root root staff_u:object_r:ssh_home_t:SystemLow id_rsa
-rw-r--r--. root root staff_u:object_r:ssh_home_t:SystemLow id_rsa.pub

Just for the record my custom policy:

policy_module(keygen,1.2)

require{
 type admin_home_t;
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
 type sysadm_t;
 type ssh_home_t;
 role sysadm_r;
}

domtrans_pattern(sysadm_t, ssh_keygen_exec_t, ssh_keygen_t)
userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
term_use_all_ptys(ssh_keygen_t)

role sysadm_r types ssh_keygen_t;
allow ssh_keygen_t admin_home_t:dir search;

Comment 4 Miroslav Grepl 2011-03-09 15:21:42 UTC

Mirku,
I added a fix to the latest RHLE6 policy (-77 release) so you can test it then with this release without the local policy.

Comment 6 Miroslav Vadkerti 2011-03-11 07:56:12 UTC

I tested with the latest selinux-policy and it doesn't resolve the issue for me, the .ssh folder cannot be created:

# rpm -q selinux-policy-mls
selinux-policy-mls-3.7.19-78.el6.noarch
 ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Could not create directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /root/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /root/.ssh/id_rsa.

Comment 7 Miroslav Grepl 2011-03-11 08:43:13 UTC

Strange, I thought it was working with a local policy moodule.

Any AVC msgs?

Comment 8 Miroslav Vadkerti 2011-03-11 09:49:31 UTC

Per discussion on IRC, adding this custom moduole resolves the issue:
module mypol 1.0;

require {
        type ssh_keygen_t;
        type secadm_screen_t;
        class capability dac_override;
}

#============= secadm_screen_t ==============
allow secadm_screen_t self:capability dac_override;

#============= ssh_keygen_t ==============
allow ssh_keygen_t self:capability dac_override;

Comment 9 Miroslav Vadkerti 2011-03-11 09:49:59 UTC

Ups, please ignore the screen part :)

Comment 10 Miroslav Grepl 2011-03-11 12:22:52 UTC

Strange,
I am just trying to reproduce it, but it is working for me. 

Milos, could you try to test it?

Comment 11 Karel Srot 2011-03-14 11:01:53 UTC

Doesn't work for me either. I could reproduce the bug on -74 policy.

With -78 policy there are two cases:

1. ssh-keygen executed in the console
   - root:sysadm_r:sysadm_t:s0-s15:c0.c1023
   - ssh-keygen doesn't work at all
   - no AVC but following AVC appears after semodule -DB

time->Mon Mar 14 11:59:30 2011
type=SYSCALL msg=audit(1300100370.953:92): arch=40000003 syscall=11 success=yes exit=0 a0=865dd58 a1=865e890 a2=864bf78 a3=865e890 items=0 ppid=1289 pid=1567 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1300100370.953:92): avc:  denied  { noatsecure } for  pid=1567 comm="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1300100370.953:92): avc:  denied  { siginh } for  pid=1567 comm="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1300100370.953:92): avc:  denied  { rlimitinh } for  pid=1567 comm="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" path="/dev/tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" path="/dev/tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" path="/dev/tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" name="tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file


2. ssh-keygen executed in ssh terminal (connected as root + switched to sysadm_r role)
   - root:sysadm_r:sysadm_t:s0-s15:c0.c1023
   - ssh-keygen starts, bug failes lateron with

open /root/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /root/.ssh/id_rsa.

----
time->Mon Mar 14 11:54:23 2011
type=SYSCALL msg=audit(1300100063.050:45): arch=40000003 syscall=39 success=no exit=-13 a0=bfac83cc a1=1c0 a2=147b5c a3=bfac83cc items=0 ppid=1336 pid=1490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1300100063.050:45): avc:  denied  { dac_override } for  pid=1490 comm="ssh-keygen" capability=1  scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=capability

openssh-5.3p1-39.el6.i686

Comment 12 Karel Srot 2011-03-14 11:10:48 UTC

After loading the module from #c8 ssh-keygen works properly in the ssh session (context root:object_r:ssh_home_t:s0  .ssh) but still not working in the console.

Comment 13 Miroslav Grepl 2011-03-14 11:18:21 UTC

Ok, could you try to turn on the allow_daemons_use_tty boolean?

Does it work in the console then?

Comment 14 Karel Srot 2011-03-14 12:04:11 UTC

That boolean brought the console scenario to the same level as the ssh one.
Custom module is still required, otherwise I get:

type=AVC msg=audit(1300103392.125:216): avc:  denied  { dac_override } for  pid=1891 comm="ssh-keygen" capability=1  scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1300103392.125:216): arch=40000003 syscall=39 success=yes exit=0 a0=bfc8556c a1=1c0 a2=379b5c a3=bfc8556c items=2 ppid=1289 pid=1891 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1300103392.125:216):  cwd="/root"
type=PATH msg=audit(1300103392.125:216): item=0 name="/root/" inode=19 dev=fc:01 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=PATH msg=audit(1300103392.125:216): item=1 name="/root/.ssh" inode=16050 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:ssh_home_t:s0

Comment 15 Daniel Walsh 2011-03-14 16:12:30 UTC

Why would a root process need dac_override to write to the /root directory?

ls -ld /root

Comment 16 Miroslav Grepl 2011-03-14 16:24:55 UTC

Yes, I do not understand also.

Comment 17 Eric Paris 2011-03-14 19:31:47 UTC

modes are in the syscall record.

/root is 550
/root/.ssh is 700

Comment 18 Daniel Walsh 2011-03-14 19:41:13 UTC

Why is root not allowed to write to /root?  Is the standard protection on tis dir?

Comment 19 Karel Srot 2011-03-15 10:42:16 UTC

reproduced again on fresh RHEL6.1-20110311.3 with selinux-policy-3.7.19-78.el6

[root@rhel6-64 ~]# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
[root@rhel6-64 ~]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Could not create directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /root/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /root/.ssh/id_rsa.
[root@rhel6-64 ~]# ls -ld /root
dr-xr-x---. 3 root root 4096 Mar 15 11:29 /root
[root@rhel6-64 ~]# ls -Zd /root
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
[root@rhel6-64 ~]# mkdir /root/mydir
[root@rhel6-64 ~]# ls -ld /root/mydir
drwxr-xr-x. 2 root root 4096 Mar 15 11:39 /root/mydir
[root@rhel6-64 ~]# ls -Zd /root/mydir
drwxr-xr-x. root root root:object_r:admin_home_t:s0    /root/mydir


type=AVC msg=audit(1300184854.426:46): avc:  denied  { dac_override } for  pid=1373 comm="ssh-keygen" capability=1  scontext=root:sysadm_r:ssh_keygen_t:s0-ss0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=capapability
type=SYSCALL msg=audit(1300184854.426:46): arch=c000003e syscall=83 success=no exit=-13 a0=7fff8b46b910 a1=1c0 a2=ffffffffffffff88 a3=fffffffc items=0 ppid=1318 pid=1373 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh
:ssh_keygen_t:s0-s15:c0.c1023 key=(null)

Comment 20 Daniel Walsh 2011-03-15 12:18:28 UTC

So we either change the permissions on the /root directory to 0750 or we add dac_override?  If /root has to be 0550 we have no choice.

Comment 21 Steve Grubb 2011-03-15 13:10:09 UTC

Adding dac_override would be the answer. Shame that capabilities can't be paired with a target type. For example, dac_override on admin_home_t to limit the scope.

Comment 22 Daniel Walsh 2011-03-15 13:56:29 UTC

Miroslav lets add it.

Comment 23 Eric Paris 2011-03-15 14:26:26 UTC

Why is dac_override the answer?  Why is /root not writable by root?

Comment 24 Steve Grubb 2011-03-15 14:34:53 UTC

To protect against root processes that have no capabilities.

Comment 25 Miroslav Grepl 2011-03-17 10:27:05 UTC

Fixed in selinux-policy-3.7.19-79.el6

Comment 29 errata-xmlrpc 2011-05-19 12:12:45 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

Note You need to log in before you can comment on or make changes to this bug.