Bug 694551 - SSH login as sysadm_r is not allowed with ssh_sysadm_login SELinux boolean set in SELinux MLS policy
Summary: SSH login as sysadm_r is not allowed with ssh_sysadm_login SELinux boolean se...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-04-07 16:02 UTC by Ramon de Carvalho Valle
Modified: 2011-05-19 12:27 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-84.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 12:27:39 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Ramon de Carvalho Valle 2011-04-07 16:02:31 UTC 
Description of problem:
SSH login as sysadm_r is not allowed with ssh_sysadm_login SELinux boolean set in SELinux MLS Policy.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 2 RHEL Program Management 2011-04-07 16:24:24 UTC 
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 3 Daniel Walsh 2011-04-07 16:44:02 UTC 
We need this modification in RHEL6 policy, to allow sshd to transition
to admin users if the boolean is turned on.

tunable_policy(`ssh_sysadm_login',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	userdom_signal_all_users(sshd_t)
	userdom_spec_domtrans_all_users(sshd_t)
')
Comment 4 Miroslav Grepl 2011-04-11 10:11:17 UTC 
Fixed in selinux-policy-3.7.19-84.el6
Comment 7 errata-xmlrpc 2011-05-19 12:27:39 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
Note You need to log in before you can comment on or make changes to this bug.