708986 – enforcing MLS: root (sysadm_r or secadm_r) cannot run ssh-keygen

Bug 708986 - enforcing MLS: root (sysadm_r or secadm_r) cannot run ssh-keygen

Summary: enforcing MLS: root (sysadm_r or secadm_r) cannot run ssh-keygen

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.7
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	693723
TreeView+	depends on / blocked

Reported:	2011-05-30 10:31 UTC by Milos Malik
Modified:	2012-10-15 13:58 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-2.4.6-311.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-07-21 09:19:06 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1069	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-07-21 09:18:27 UTC

Description Milos Malik 2011-05-30 10:31:04 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-306.el5
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-devel-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
(get a RHEL-5.7 machine with active MLS policy, log in as root via console)
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# getsebool -a | grep ssh
allow_ssh_keysign --> on
run_ssh_inetd --> off
ssh_sysadm_login --> on
# /usr/bin/ssh-keygen
-bash: /usr/bin/ssh-keygen: Permission denied
# echo $?
126
# 
  
Actual results:
root (sysadm_r or secadm_r) cannot run ssh-keygen in MLS

Expected results:
root (sysadm_r or secadm_r) can run ssh-keygen in MLS

Comment 1 Milos Malik 2011-05-30 10:45:58 UTC

I had to disable dontaudit rules to find out what is going on:
----
time->Mon May 30 06:05:45 2011
type=SYSCALL msg=audit(1306749945.721:223): arch=c000003e syscall=21 success=no 
exit=-13 a0=1a074590 a1=1 a2=0 a3=6f746b7365642d65 items=0 ppid=2155 pid=2262 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306749945.721:223): avc:  denied  { execute } for  pid=2262 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:01 2011
type=SYSCALL msg=audit(1306751401.009:338): arch=c000003e syscall=21 success=no 
exit=-13 a0=630f0f0 a1=4 a2=d a3=6f746b7365642d65 items=0 ppid=13286 pid=13289 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751401.009:338): avc:  denied  { read } for  pid=13289 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:02 2011
type=SYSCALL msg=audit(1306751402.833:339): arch=c000003e syscall=59 success=no 
exit=-13 a0=63107d0 a1=630e1c0 a2=631bc40 a3=8 items=0 ppid=13289 pid=13317 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751402.833:339): avc:  denied  { execute } for  pid=13317 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----

Comment 2 Miroslav Grepl 2011-05-30 11:00:16 UTC

I guess we had the same issue on rhel6, right?

Comment 3 Milos Malik 2011-05-30 12:36:10 UTC

No, we don't. The same scenario works on RHEL-6 where are following packages installed:
selinux-policy-3.7.19-96.el6.noarch
selinux-policy-targeted-3.7.19-96.el6.noarch
selinux-policy-mls-3.7.19-96.el6.noarch
selinux-policy-doc-3.7.19-96.el6.noarch
selinux-policy-minimum-3.7.19-96.el6.noarch

Comment 4 Miroslav Grepl 2011-05-30 13:18:39 UTC

We have on RHEL6

    optional_policy(`
        ssh_run_keygen($3,$2)
    ')

in

ssh_role_template()

Comment 5 Miroslav Grepl 2011-05-31 13:00:44 UTC

Milos,
if you add a local policy which will contain


policy_module(mykeygen,1.0)

require{
 type sysadm_t;
 role sysadm_r;
}

role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)


does it work?

Comment 6 Milos Malik 2011-05-31 13:43:54 UTC

Before "restorecon -Rv /root ; semodule -DB" ssh-keygen did not work and I saw following AVC:
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:50): arch=c000003e syscall=4 success=no exit=-13 a0=2ae0cd25b900 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:50): avc:  denied  { search } for  pid=2931 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:49): arch=c000003e syscall=4 success=no exit=-13 a0=7ffff087cec0 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:49): avc:  denied  { getattr } for  pid=2931 comm="ssh-keygen" path="/root/.ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----

After "restorecon -Rv /root ; semodule -DB" ssh-keygen did not work and I saw following AVC:
----
time->Tue May 31 09:34:26 2011
type=SYSCALL msg=audit(1306848866.374:60): arch=c000003e syscall=4 success=no exit=-13 a0=2b7b6044d900 a1=7fff0cd596f0 a2=7fff0cd596f0 a3=0 items=0 ppid=2844 pid=2959 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848866.374:60): avc:  denied  { search } for  pid=2959 comm="ssh-keygen" name="root" dev=dm-0 ino=17268737 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c1023 tclass=dir
----

Comment 7 Miroslav Grepl 2011-05-31 14:27:44 UTC

Try to add

userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;

to local policy.

Comment 8 Milos Malik 2011-05-31 14:46:07 UTC

Following module fixed it. Now ssh-keygen works as expected for root user with sysadm_r role.

policy_module(mykeygen,1.0)

require{
 type sshd_key_t;
 type sysadm_t;
 role sysadm_r;
}

role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)
userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;

Comment 9 Miroslav Grepl 2011-05-31 14:48:49 UTC

Could you also check the label is correct

# matchpathcon /root/.ssh

# ls -dZ /root/.ssh

Comment 10 Milos Malik 2011-05-31 14:56:44 UTC

Good catch. There is a difference:

# rm -rf /root/.ssh
# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e6:4a:32:15:4b:e9:62:7b:e6:2f:8e:61:50:6d:1e:55 root.eng.rdu.redhat.com
# matchpathcon /root/.ssh
/root/.ssh	root:object_r:sysadm_home_ssh_t:SystemLow
# ls -dZ /root/.ssh
drwx------  root root root:object_r:sshd_key_t:SystemLow /root/.ssh
#

Comment 11 Miroslav Grepl 2011-05-31 15:31:23 UTC

Well, this is a fix for targeted policy.

Comment 12 Miroslav Grepl 2011-05-31 18:39:27 UTC

I like RHEL5 handling with users.

---

interface(`ssh_run_keygen',`
    gen_require(`
        type ssh_keygen_t;
        type sshd_key_t;
    ')

    role $2 types ssh_keygen_t;
    ssh_domtrans_keygen($1)

    ifdef(`targeted_policy',`
        userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, dir )
    ',`
        allow ssh_keygen_t $4:dir rw_dir_perms;
        type_transition ssh_keygen_t $4:dir $3;
    ')
')

and

    optional_policy(`
        ssh_run_keygen($1_t, $1_r, $1_home_ssh_t, $1_home_dir_t)
    ')

in ssh_per_role_template() should fix the issue.

Comment 13 Daniel Walsh 2011-05-31 18:41:51 UTC

FIne with me.

Comment 14 Miroslav Grepl 2011-06-01 12:56:42 UTC

Fixed in selinux-policy-2.4.6-308.el5

Comment 17 Miroslav Grepl 2011-06-06 08:32:17 UTC

Ok, I need to fix the interface.

Comment 18 Miroslav Grepl 2011-06-06 15:16:33 UTC

Milos,
could you try it with

selinux-policy-2.4.6-309.el5

Comment 19 Milos Malik 2011-06-07 13:17:44 UTC

# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# cd /root
# rm -rf .ssh
# setenforce 0
# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ec:ca:a7:a2:81:78:13:6c:ba:60:ae:26:ab:32:39:54 root.eng.bos.redhat.com
# ausearch -m avc -m user_avc -ts recent
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:88): arch=c0000032 syscall=1212 success=yes exit=0 a0=3 a1=60000fffff9d2ff0 a2=0 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:88): avc:  denied  { getattr } for  pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:87): arch=c0000032 syscall=1028 success=yes exit=3 a0=200000080004bf48 a1=241 a2=180 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:87): avc:  denied  { create } for  pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
type=AVC msg=audit(1307452424.875:87): avc:  denied  { add_name } for  pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
type=AVC msg=audit(1307452424.875:87): avc:  denied  { write } for  pid=3584 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=8413169 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.876:89): arch=c0000032 syscall=1027 success=yes exit=1675 a0=3 a1=2000000800f10000 a2=68b a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.876:89): avc:  denied  { write } for  pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----

Comment 20 Miroslav Grepl 2011-06-08 04:15:01 UTC

Fixed in selinux-policy-2.4.6-311.el5

Comment 22 errata-xmlrpc 2011-07-21 09:19:06 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Comment 23 errata-xmlrpc 2011-07-21 11:57:08 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.