Bug 682974 - MLS: under root ssh-keygen creates .ssh and underlying files with bad context
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2011-03-08 02:23 EST by Miroslav Vadkerti
Modified: 2011-05-19 08:12 EDT
Fixed In Version: selinux-policy-3.7.19-79.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 08:12:45 EDT
Description Miroslav Vadkerti 2011-03-08 02:23:43 EST
Description of problem:
# ssh-keygen 
(creates keys)
# ls -Zd .ssh
drwx------. root root staff_u:object_r:admin_home_t:SystemLow .ssh
# ls -Z .ssh
-rw-------. root root staff_u:object_r:admin_home_t:SystemLow id_rsa
-rw-r--r--. root root staff_u:object_r:admin_home_t:SystemLow id_rsa.pub
# restorecon -RvvF .ssh
restorecon reset /root/.ssh context staff_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa context staff_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa.pub context staff_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-70.el6

How reproducible:
100%

Steps to Reproduce:
1. ssh-keygen
2. ls -dZ .ssh
3. ls -Z .ssh
  
Actual results:
The created .ssh directory and the generated files under it have a bad context

Expected results:
Context correct

Additional info:
This causes denials, for example when ssh adds a new entry to known_hosts.
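Added example, not part of the report and not code from the selinux-policy package: a small checker that parses `ls -Z` output of the kind quoted above and compares each entry with the context the reporter's `restorecon -RvvF` run applied, `system_u:object_r:ssh_home_t:s0`. The sample lines are constructed from the output quoted in this report (before the fix) and in comment 3 (after the local module was loaded). It makes explicit a detail the restorecon output above shows in passing: plain `restorecon` resets only the type, while `-F` also resets the SELinux user, role and range, which is why the `staff_u` user on files created from a staff_u shell is reset only with `-F` and is not itself the mislabel this bug is about. The `SystemLow` to `s0` mapping is an assumption about the default mcstrans setrans.conf on an MLS box.

```python
import re

# Constructed sample: the `ls -Z` lines quoted in this report before the fix,
# and the lines quoted in comment 3 after the local policy module was loaded.
BEFORE_FIX = """\
drwx------. root root staff_u:object_r:admin_home_t:SystemLow .ssh
-rw-------. root root staff_u:object_r:admin_home_t:SystemLow id_rsa
-rw-r--r--. root root staff_u:object_r:admin_home_t:SystemLow id_rsa.pub
"""
AFTER_FIX = """\
drwx------. root root staff_u:object_r:ssh_home_t:SystemLow .ssh
-rw-------. root root staff_u:object_r:ssh_home_t:SystemLow id_rsa
-rw-r--r--. root root staff_u:object_r:ssh_home_t:SystemLow id_rsa.pub
"""

# The context restorecon applied to /root/.ssh and its files in the report.
EXPECTED = "system_u:object_r:ssh_home_t:s0"

# On an MLS box `ls -Z` shows levels through mcstrans; SystemLow is the
# translation of s0 (assumption: default setrans.conf), so normalise it first.
LEVEL_ALIASES = {"SystemLow": "s0"}

LS_Z_RE = re.compile(r"^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<ctx>\S+)\s+(?P<name>.+)$")


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (s0-s15:c0.c1023)."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": LEVEL_ALIASES.get(level, level)}


def join_context(parts):
    return ":".join(parts[k] for k in ("user", "role", "type", "level"))


def parse_ls_z(text):
    """Parse `ls -Z` lines into dicts with the context already split."""
    entries = []
    for line in text.splitlines():
        m = LS_Z_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["context"] = split_context(entry.pop("ctx"))
            entries.append(entry)
    return entries


def check_labels(text, expected, force=False):
    """Return {name: (actual, expected)} for entries restorecon would relabel.

    force=False mirrors plain `restorecon`, which resets only the type: the
    SELinux user and level of a file created from a staff_u shell are left alone.
    force=True mirrors `restorecon -F`, which resets the whole context.
    """
    want = split_context(expected)
    mismatched = {}
    for entry in parse_ls_z(text):
        have = entry["context"]
        same = (have == want) if force else (have["type"] == want["type"])
        if not same:
            mismatched[entry["name"]] = (join_context(have), join_context(want))
    return mismatched


if __name__ == "__main__":
    for label, sample in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for force in (False, True):
            bad = check_labels(sample, EXPECTED, force=force)
            print(f"{label}, restorecon{' -F' if force else ''}: {len(bad)} entries would be relabelled")
            for name, (have, want) in bad.items():
                print(f"  {name}: {have} -> {want}")
```

Before the fix all three entries mismatch on type, which is the real bug. After the fix nothing mismatches under the plain comparison; only the forced comparison still flags them, on the `staff_u` user, exactly the part the reporter's `-F` run reset.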
Comment 1 Miroslav Grepl 2011-03-08 07:13:03 EST
It looks like we are missing a transition

sysadm_t -> sshd_keygen_t -> ssh_keygen_t

We have in F15 policy

---

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t


manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)

---
Comment 2 Miroslav Grepl 2011-03-08 07:15:46 EST
Mirek,
could you add the following rule


userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)


to the local test policy which we created and test whether it works for you.
Comment 3 Miroslav Vadkerti 2011-03-08 07:27:44 EST
Yes, it resolved the last problem with the .ssh directory context:

# ls -Zd .ssh
drwx------. root root staff_u:object_r:ssh_home_t:SystemLow .ssh
# ls -Z .ssh
-rw-------. root root staff_u:object_r:ssh_home_t:SystemLow id_rsa
-rw-r--r--. root root staff_u:object_r:ssh_home_t:SystemLow id_rsa.pub

Just for the record my custom policy:

policy_module(keygen, 1.2)

require {
    type admin_home_t;
    type ssh_keygen_t;
    type ssh_keygen_exec_t;
    type sysadm_t;
    type ssh_home_t;
    role sysadm_r;
}

# run ssh-keygen from sysadm_t in its own ssh_keygen_t domain
domtrans_pattern(sysadm_t, ssh_keygen_exec_t, ssh_keygen_t)
# a directory ssh-keygen creates in /root gets ssh_home_t instead of admin_home_t
userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
# ssh-keygen prompts for the file name and passphrase on the terminal
term_use_all_ptys(ssh_keygen_t)

role sysadm_r types ssh_keygen_t;
allow ssh_keygen_t admin_home_t:dir search;
Comment 4 Miroslav Grepl 2011-03-09 10:21:42 EST
Mirku,
I added a fix to the latest RHEL6 policy (-77 release) so you can test it then with this release without the local policy.
Comment 6 Miroslav Vadkerti 2011-03-11 02:56:12 EST
I tested with the latest selinux-policy and it doesn't resolve the issue for me, the .ssh folder cannot be created:

# rpm -q selinux-policy-mls
selinux-policy-mls-3.7.19-78.el6.noarch
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Could not create directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /root/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /root/.ssh/id_rsa.
Comment 7 Miroslav Grepl 2011-03-11 03:43:13 EST
Strange, I thought it was working with a local policy module.

Any AVC msgs?
Comment 8 Miroslav Vadkerti 2011-03-11 04:49:31 EST
Per discussion on IRC, adding this custom module resolves the issue:
module mypol 1.0;

require {
        type ssh_keygen_t;
        type secadm_screen_t;
        class capability dac_override;
}

#============= secadm_screen_t ==============
allow secadm_screen_t self:capability dac_override;

#============= ssh_keygen_t ==============
allow ssh_keygen_t self:capability dac_override;
Comment 9 Miroslav Vadkerti 2011-03-11 04:49:59 EST
Oops, please ignore the screen part :)
Comment 10 Miroslav Grepl 2011-03-11 07:22:52 EST
Strange,
I am just trying to reproduce it, but it is working for me. 

Milos, could you try to test it?
Comment 11 Karel Srot 2011-03-14 07:01:53 EDT
Doesn't work for me either. I could reproduce the bug on -74 policy.

With -78 policy there are two cases:

1. ssh-keygen executed in the console
   - root:sysadm_r:sysadm_t:s0-s15:c0.c1023
   - ssh-keygen doesn't work at all
   - no AVC, but the following AVCs appear after semodule -DB

time->Mon Mar 14 11:59:30 2011
type=SYSCALL msg=audit(1300100370.953:92): arch=40000003 syscall=11 success=yes exit=0 a0=865dd58 a1=865e890 a2=864bf78 a3=865e890 items=0 ppid=1289 pid=1567 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1300100370.953:92): avc:  denied  { noatsecure } for  pid=1567 comm="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1300100370.953:92): avc:  denied  { siginh } for  pid=1567 comm="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1300100370.953:92): avc:  denied  { rlimitinh } for  pid=1567 comm="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" path="/dev/tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" path="/dev/tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" path="/dev/tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" name="tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file


2. ssh-keygen executed in ssh terminal (connected as root + switched to sysadm_r role)
   - root:sysadm_r:sysadm_t:s0-s15:c0.c1023
   - ssh-keygen starts, but fails later on with

open /root/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /root/.ssh/id_rsa.

----
time->Mon Mar 14 11:54:23 2011
type=SYSCALL msg=audit(1300100063.050:45): arch=40000003 syscall=39 success=no exit=-13 a0=bfac83cc a1=1c0 a2=147b5c a3=bfac83cc items=0 ppid=1336 pid=1490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1300100063.050:45): avc:  denied  { dac_override } for  pid=1490 comm="ssh-keygen" capability=1  scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=capability

openssh-5.3p1-39.el6.i686
Comment 12 Karel Srot 2011-03-14 07:10:48 EDT
After loading the module from #c8 ssh-keygen works properly in the ssh session (context root:object_r:ssh_home_t:s0  .ssh) but still not working in the console.
Comment 13 Miroslav Grepl 2011-03-14 07:18:21 EDT
Ok, could you try to turn on the allow_daemons_use_tty boolean?

Does it work in the console then?
Comment 14 Karel Srot 2011-03-14 08:04:11 EDT
That boolean brought the console scenario to the same level as the ssh one.
Custom module is still required, otherwise I get:

type=AVC msg=audit(1300103392.125:216): avc:  denied  { dac_override } for  pid=1891 comm="ssh-keygen" capability=1  scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1300103392.125:216): arch=40000003 syscall=39 success=yes exit=0 a0=bfc8556c a1=1c0 a2=379b5c a3=bfc8556c items=2 ppid=1289 pid=1891 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1300103392.125:216):  cwd="/root"
type=PATH msg=audit(1300103392.125:216): item=0 name="/root/" inode=19 dev=fc:01 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=PATH msg=audit(1300103392.125:216): item=1 name="/root/.ssh" inode=16050 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:ssh_home_t:s0
Comment 15 Daniel Walsh 2011-03-14 12:12:30 EDT
Why would a root process need dac_override to write to the /root directory?

ls -ld /root
Comment 16 Miroslav Grepl 2011-03-14 12:24:55 EDT
Yes, I do not understand also.
Comment 17 Eric Paris 2011-03-14 15:31:47 EDT
modes are in the syscall record.

/root is 550
/root/.ssh is 700
Comment 18 Daniel Walsh 2011-03-14 15:41:13 EDT
Why is root not allowed to write to /root?  Is that the standard protection on this dir?
Comment 19 Karel Srot 2011-03-15 06:42:16 EDT
reproduced again on fresh RHEL6.1-20110311.3 with selinux-policy-3.7.19-78.el6

[root@rhel6-64 ~]# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
[root@rhel6-64 ~]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Could not create directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /root/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /root/.ssh/id_rsa.
[root@rhel6-64 ~]# ls -ld /root
dr-xr-x---. 3 root root 4096 Mar 15 11:29 /root
[root@rhel6-64 ~]# ls -Zd /root
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
[root@rhel6-64 ~]# mkdir /root/mydir
[root@rhel6-64 ~]# ls -ld /root/mydir
drwxr-xr-x. 2 root root 4096 Mar 15 11:39 /root/mydir
[root@rhel6-64 ~]# ls -Zd /root/mydir
drwxr-xr-x. root root root:object_r:admin_home_t:s0    /root/mydir


type=AVC msg=audit(1300184854.426:46): avc:  denied  { dac_override } for  pid=1373 comm="ssh-keygen" capability=1  scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1300184854.426:46): arch=c000003e syscall=83 success=no exit=-13 a0=7fff8b46b910 a1=1c0 a2=ffffffffffffff88 a3=fffffffc items=0 ppid=1318 pid=1373 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
Comment 20 Daniel Walsh 2011-03-15 08:18:28 EDT
So we either change the permissions on the /root directory to 0750 or we add dac_override?  If /root has to be 0550 we have no choice.
Comment 21 Steve Grubb 2011-03-15 09:10:09 EDT
Adding dac_override would be the answer. Shame that capabilities can't be paired with a target type. For example, dac_override on admin_home_t to limit the scope.
Comment 22 Daniel Walsh 2011-03-15 09:56:29 EDT
Miroslav lets add it.
Comment 23 Eric Paris 2011-03-15 10:26:26 EDT
Why is dac_override the answer?  Why is /root not writable by root?
Comment 24 Steve Grubb 2011-03-15 10:34:53 EDT
To protect against root processes that have no capabilities.
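Added example, not part of this bug and not code from the selinux-policy package: a triage script for audit records like the ones quoted in comments 11, 14 and 19. It groups records by audit serial and classifies each AVC the way the thread did: the `noatsecure`/`siginh`/`rlimitinh` noise that only shows after `semodule -DB`, the tty access that the `allow_daemons_use_tty` boolean fixed, and the `dac_override` request, which it explains by re-running the Unix DAC check against the mode in the event's PATH record, the point Eric Paris and Steve Grubb make about a 0550 /root. The sample records are constructed from the bug's own lines, abridged; serial 216 merges comment 14's PATH record (which carries the mode of /root) with the failing mkdir of comment 19. The mapping from AVC to remedy is this thread's advice, not logic from any policy tool.

```python
import re
from collections import defaultdict

# Constructed sample, not a fresh capture: the bug's own records, abridged.
# Serial 92 is comment 11's console case; serial 216 merges comment 14's PATH
# record (which carries the mode of /root) with the failing mkdir of comment 19.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1300100370.953:92): avc:  denied  { noatsecure } for  pid=1567 comm="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1300100370.953:92): avc:  denied  { siginh } for  pid=1567 comm="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1300100370.953:92): avc:  denied  { read write } for  pid=1567 comm="ssh-keygen" path="/dev/tty1" dev=devtmpfs ino=5069 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1300103392.125:216): avc:  denied  { dac_override } for  pid=1891 comm="ssh-keygen" capability=1  scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1300103392.125:216): arch=40000003 syscall=39 success=no exit=-13 pid=1891 uid=0 gid=0 euid=0 fsuid=0 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1300103392.125:216):  cwd="/root"
type=PATH msg=audit(1300103392.125:216): item=0 name="/root/" inode=19 dev=fc:01 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")

# Permissions dontaudit'd on every domain transition in a stock policy; they
# surface only after `semodule -DB` (disable dontaudit) and need no allow rule.
TRANSITION_NOISE = {"noatsecure", "siginh", "rlimitinh"}


def parse_audit(text):
    """Group audit records by serial; each record is a dict of its key=value fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("body")))
        pm = PERMS_RE.search(m.group("body"))
        if pm:
            rec["perms"] = set(pm.group(1).split())
        events[rec["serial"]].append(rec)
    return dict(events)


def ctx_type(context):
    """Type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def dac_write_allowed(mode, owner_uid, owner_gid, uid, gid, cap_dac_override=False):
    """Classic Unix DAC decision for a write, as the kernel makes it before
    falling back to CAP_DAC_OVERRIDE.  Owning the inode only buys the owner
    bits: uid 0 on a 0550 /root has no write bit, so the capability is the
    only way through, and SELinux can deny that capability per domain."""
    if cap_dac_override:
        return True
    perm = mode & 0o777
    if uid == owner_uid:
        return bool(perm & 0o200)
    if gid == owner_gid:
        return bool(perm & 0o020)
    return bool(perm & 0o002)


def triage(event):
    """Explain every AVC in one audit event (all records sharing a serial)."""
    findings = []
    paths = [r for r in event if r["type"] == "PATH"]
    syscall = next((r for r in event if r["type"] == "SYSCALL"), None)
    for rec in (r for r in event if r["type"] == "AVC"):
        src, tgt = ctx_type(rec["scontext"]), ctx_type(rec["tcontext"])
        perms, tclass = rec.get("perms", set()), rec["tclass"]
        if tclass == "process" and perms <= TRANSITION_NOISE:
            findings.append(f"{src} -> {tgt}: {sorted(perms)} are dontaudit transition noise shown by semodule -DB; no fix needed")
        elif tclass == "chr_file" and tgt.endswith("tty_device_t"):
            findings.append(f"{src} cannot use {rec.get('path', 'the tty')} ({tgt}): add a tty rule such as term_use_all_ptys, or set the allow_daemons_use_tty boolean")
        elif tclass == "capability" and "dac_override" in perms and syscall and paths:
            uid, gid = int(syscall["uid"]), int(syscall["gid"])
            for p in paths:
                mode = int(p["mode"], 8)
                if dac_write_allowed(mode, int(p["ouid"]), int(p["ogid"]), uid, gid):
                    findings.append(f"{src} asked for dac_override, but DAC already lets uid {uid} write {p['name']}; the denied access is on another inode")
                else:
                    findings.append(f"{src} needs dac_override: {p['name']} is mode {mode & 0o7777:04o}, so uid {uid} cannot write it without CAP_DAC_OVERRIDE; allow the capability or loosen the directory mode")
        else:
            findings.append(f"{src} denied {sorted(perms)} on {tclass} {tgt}: not classified")
    return findings


if __name__ == "__main__":
    for serial, event in sorted(parse_audit(SAMPLE_AUDIT).items()):
        print(f"audit serial {serial}:")
        for finding in triage(event):
            print("  " + finding)
```

Run on the sample, the dac_override event reports that `/root/` is mode 0550, so uid 0 cannot write it without CAP_DAC_OVERRIDE. That is why `mkdir /root/mydir` succeeded from the sysadm_t shell in comment 19 while ssh_keygen_t failed on the same directory: the shell's domain was allowed the capability and ssh_keygen_t was not. The shape of the check is also what Steve Grubb's remark is about: the kernel asks SELinux for `dac_override` with no target object in hand, so the policy can only grant it for the whole domain, not for admin_home_t alone.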
Comment 25 Miroslav Grepl 2011-03-17 06:27:05 EDT
Fixed in selinux-policy-3.7.19-79.el6
Comment 29 errata-xmlrpc 2011-05-19 08:12:45 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
