Bug 692457 - MLS: under root ssh cannot create .ssh and underlying files
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware/OS: All Linux
Priority: high  Severity: high
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Miroslav Vadkerti
Blocks: 682670 RHEL62CCC 846801 846802
Reported: 2011-03-31 08:03 EDT by Miroslav Vadkerti
Modified: 2012-08-08 14:29 EDT
Fixed In Version: selinux-policy-3.7.19-81.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 08:27:18 EDT
Attachments: None
Description Miroslav Vadkerti 2011-03-31 08:03:55 EDT
Description of problem:
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
# rm -rf ~/.ssh
# ssh eal@localhost
Could not create directory '/root/.ssh'.
== snip ==

When enabling no audit rules, I see:
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { rlimitinh } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { siginh } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { noatsecure } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.327:253336): avc:  denied  { search } for  pid=12601 comm="ssh" name="root" dev=dm-0 ino=15 scontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-79.el6.noarch

How reproducible:
100%

Steps to Reproduce:
see description
  
Actual results:
Cannot create .ssh and access underlying files

Expected results:
Can create .ssh and access underlying files
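The AVC records in the description can be triaged mechanically before deciding on a policy change. The following Python script is an added example, not code from the bug report or from the selinux-policy package: it parses audit AVC lines, extracts the source and target types from MLS contexts (whose range field, s0-s15:c0.c1023, itself contains a colon), renders each group of denials in allow-rule form, and separates the process-inheritance permissions (rlimitinh, siginh, noatsecure), which the reference policy's domain-transition pattern normally dontaudits and which surface only when dontaudit rules are disabled, from the dir search denial that actually stopped ssh from creating /root/.ssh. The sample log is constructed from the four records above plus one non-AVC line; all function and constant names are the example's own.

```python
"""Triage SELinux AVC denials of the kind quoted in this bug report.

Added example, not code from the bug report or the selinux-policy package.
It parses audit(8) AVC records, groups denials by source type, target type
and object class, renders each group as an allow rule, and separates the
process-inheritance permissions that the reference policy's domain
transition pattern normally dontaudits from the denial that actually
blocked the operation.
"""
import re

# Constructed sample input: the four AVC records from the report, plus one
# non-AVC SYSCALL record (also constructed) to show that unrelated audit
# lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { rlimitinh } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { siginh } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { noatsecure } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.327:253336): avc:  denied  { search } for  pid=12601 comm="ssh" name="root" dev=dm-0 ino=15 scontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1301572338.327:253336): arch=c000003e syscall=4 success=no exit=-13 comm="ssh"
"""

# Permissions that domtrans_pattern() in the reference policy dontaudits on
# every domain transition; they show up only when dontaudit rules are
# disabled (semodule -DB) and do not by themselves break anything.
TRANSITION_DONTAUDIT = frozenset({"rlimitinh", "siginh", "noatsecure"})

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type from user:role:type[:range]; the MLS range
    (e.g. s0-s15:c0.c1023) contains a colon, so split at most three times."""
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # malformed record: missing the fields a rule needs
    return {
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "pid": fields.get("pid"),
        "comm": fields.get("comm", "").strip('"'),
        "name": fields.get("name", "").strip('"'),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(text):
    """Map (source type, target type, class) to the sorted permissions denied."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def allow_rule(stype, ttype, tclass, perms):
    """Render one group as a policy allow rule (the form audit2allow prints)."""
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def triage(text):
    """Split denials into (blocking, noise) lists of allow-rule strings."""
    blocking, noise = [], []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        rule = allow_rule(stype, ttype, tclass, perms)
        if tclass == "process" and set(perms) <= TRANSITION_DONTAUDIT:
            noise.append(rule)
        else:
            blocking.append(rule)
    return blocking, noise


if __name__ == "__main__":
    blocking, noise = triage(SAMPLE_AUDIT_LOG)
    print("denials that block the operation:")
    for rule in blocking:
        print("  " + rule)
    print("transition noise normally hidden by dontaudit:")
    for rule in noise:
        print("  " + rule)
```

On the sample, the only blocking group is ssh_t searching an admin_home_t directory; the three process denials come from sysadm_t transitioning to ssh_t and can be ignored. The rendered rule is only a diagnostic: an allow rule by itself would silence the denial but leave the new directory labelled like its parent, which is why the fix discussed in the comments uses the userdom interfaces, including a file type transition to ssh_home_t, rather than a raw allow.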
Comment 1 Daniel Walsh 2011-03-31 08:21:31 EDT
Does ssh actually attempt to create the /root/.ssh directory, or is this a bogus error message?

Miroslav, let's add

userdom_search_admin_dir(ssh_t)
Comment 2 Miroslav Vadkerti 2011-03-31 08:26:57 EDT
No it is not a bogus message. When .ssh directory does not exist it tries to create it as it will be creating known_hosts later on.

I will try
Comment 3 Daniel Walsh 2011-03-31 08:45:09 EDT
Miroslav then we need

userdom_search_admin_dir(sshd_t)
userdom_admin_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
Comment 4 Miroslav Vadkerti 2011-03-31 10:53:31 EDT
Seems to be working fine with this custom module:

# cat mypol.te
policy_module(mypol,1.0);

# types referenced below are declared by the ssh module, so pull them in
require {
    type sshd_t;
    type ssh_t;
    type ssh_home_t;
}

# let the ssh daemon search the admin home directory (/root)
userdom_search_admin_dir(sshd_t)
# when the ssh client creates a directory or socket under /root,
# label it ssh_home_t instead of the parent's admin_home_t
userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
Comment 5 Miroslav Grepl 2011-04-05 15:11:31 EDT
Fixed in selinux-policy-3.7.19-81.el6
Comment 7 Miroslav Vadkerti 2011-04-07 07:31:04 EDT
This issue is fixed in selinux-policy-mls-3.7.19-81.el6. I could not reproduce the problem anymore on our test machine.
Comment 9 errata-xmlrpc 2011-05-19 08:27:18 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html