Bug 692457 - MLS: under root ssh cannot create .ssh and underlying files
Summary: MLS: under root ssh cannot create .ssh and underlying files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Miroslav Vadkerti
URL:
Whiteboard:
Depends On:
Blocks: RHEL62CCC 682670 846801 846802
TreeView+ depends on / blocked
 
Reported: 2011-03-31 12:03 UTC by Miroslav Vadkerti
Modified: 2012-08-08 18:29 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-81.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 12:27:18 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Miroslav Vadkerti 2011-03-31 12:03:55 UTC 
Description of problem:
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
# rm -rf ~/.ssh
# ssh eal@localhost
Could not create directory '/root/.ssh'.
== snip ==

When enabling no audit rules I see:
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { rlimitinh } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { siginh } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.311:253335): avc:  denied  { noatsecure } for  pid=12601 comm="ssh" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1301572338.327:253336): avc:  denied  { search } for  pid=12601 comm="ssh" name="root" dev=dm-0 ino=15 scontext=staff_u:sysadm_r:ssh_t:s0-s15:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-79.el6.noarch

How reproducible:
100%

Steps to Reproduce:
see description
  
Actual results:
Cannot create .ssh and access underlying files

Expected results:
Can create .ssh and access underlying files
Comment 1 Daniel Walsh 2011-03-31 12:21:31 UTC 
Does ssh actually attempt to create the /root/.ssh directory, Or is this a bogus error message.

Miroslav lets add

userdom_search_admin_dir(ssh_t)
Comment 2 Miroslav Vadkerti 2011-03-31 12:26:57 UTC 
No it is not a bogus message. When .ssh directory does not exist it tries to create it as it will be creating known_hosts later on.

I will try
Comment 3 Daniel Walsh 2011-03-31 12:45:09 UTC 
Miroslav then we need

userdom_search_admin_dir(sshd_t)
userdom_admin_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
Comment 4 Miroslav Vadkerti 2011-03-31 14:53:31 UTC 
Seems to be workign fine with this custom module:

# cat mypol.te 
policy_module(mypol,1.0);

require {
    type sshd_t;
    type ssh_t;
    type ssh_home_t;
}

userdom_search_admin_dir(sshd_t)
userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
Comment 5 Miroslav Grepl 2011-04-05 19:11:31 UTC 
Fixed in selinux-policy-3.7.19-81.el6
Comment 7 Miroslav Vadkerti 2011-04-07 11:31:04 UTC 
This issue is fixed in selinux-policy-mls-3.7.19-81.el6. I could not reproduce the problem anymore on our test machine
Comment 9 errata-xmlrpc 2011-05-19 12:27:18 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
Note You need to log in before you can comment on or make changes to this bug.