Bug 708986 - enforcing MLS: root (sysadm_r or secadm_r) cannot run ssh-keygen
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: All Linux
Priority: high Severity: high
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Blocks: 693723
Reported: 2011-05-30 06:31 EDT by Milos Malik
Modified: 2012-10-15 09:58 EDT
Fixed In Version: selinux-policy-2.4.6-311.el5
Doc Type: Bug Fix
Last Closed: 2011-07-21 05:19:06 EDT
Description Milos Malik 2011-05-30 06:31:04 EDT
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-306.el5
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-devel-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
(get a RHEL-5.7 machine with active MLS policy, log in as root via console)
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# getsebool -a | grep ssh
allow_ssh_keysign --> on
run_ssh_inetd --> off
ssh_sysadm_login --> on
# /usr/bin/ssh-keygen
-bash: /usr/bin/ssh-keygen: Permission denied
# echo $?
126
# 
  
Actual results:
root (sysadm_r or secadm_r) cannot run ssh-keygen in MLS

Expected results:
root (sysadm_r or secadm_r) can run ssh-keygen in MLS
Comment 1 Milos Malik 2011-05-30 06:45:58 EDT
I had to disable dontaudit rules to find out what is going on:
----
time->Mon May 30 06:05:45 2011
type=SYSCALL msg=audit(1306749945.721:223): arch=c000003e syscall=21 success=no exit=-13 a0=1a074590 a1=1 a2=0 a3=6f746b7365642d65 items=0 ppid=2155 pid=2262 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306749945.721:223): avc:  denied  { execute } for  pid=2262 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:01 2011
type=SYSCALL msg=audit(1306751401.009:338): arch=c000003e syscall=21 success=no exit=-13 a0=630f0f0 a1=4 a2=d a3=6f746b7365642d65 items=0 ppid=13286 pid=13289 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751401.009:338): avc:  denied  { read } for  pid=13289 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:02 2011
type=SYSCALL msg=audit(1306751402.833:339): arch=c000003e syscall=59 success=no exit=-13 a0=63107d0 a1=630e1c0 a2=631bc40 a3=8 items=0 ppid=13289 pid=13317 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751402.833:339): avc:  denied  { execute } for  pid=13317 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
Comment 2 Miroslav Grepl 2011-05-30 07:00:16 EDT
I guess we had the same issue on rhel6, right?
Comment 3 Milos Malik 2011-05-30 08:36:10 EDT
No, we don't. The same scenario works on RHEL-6 where the following packages are installed:
selinux-policy-3.7.19-96.el6.noarch
selinux-policy-targeted-3.7.19-96.el6.noarch
selinux-policy-mls-3.7.19-96.el6.noarch
selinux-policy-doc-3.7.19-96.el6.noarch
selinux-policy-minimum-3.7.19-96.el6.noarch
Comment 4 Miroslav Grepl 2011-05-30 09:18:39 EDT
We have on RHEL6

    optional_policy(`
        ssh_run_keygen($3,$2)
    ')

in

ssh_role_template()
Comment 5 Miroslav Grepl 2011-05-31 09:00:44 EDT
Milos,
if you add a local policy which will contain


policy_module(mykeygen,1.0)

require{
 type sysadm_t;
 role sysadm_r;
}

role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)


does it work?
Comment 6 Milos Malik 2011-05-31 09:43:54 EDT
Before "restorecon -Rv /root ; semodule -DB" ssh-keygen did not work and I saw the following AVC:
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:50): arch=c000003e syscall=4 success=no exit=-13 a0=2ae0cd25b900 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:50): avc:  denied  { search } for  pid=2931 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:49): arch=c000003e syscall=4 success=no exit=-13 a0=7ffff087cec0 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:49): avc:  denied  { getattr } for  pid=2931 comm="ssh-keygen" path="/root/.ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----

After "restorecon -Rv /root ; semodule -DB" ssh-keygen did not work and I saw the following AVC:
----
time->Tue May 31 09:34:26 2011
type=SYSCALL msg=audit(1306848866.374:60): arch=c000003e syscall=4 success=no exit=-13 a0=2b7b6044d900 a1=7fff0cd596f0 a2=7fff0cd596f0 a3=0 items=0 ppid=2844 pid=2959 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848866.374:60): avc:  denied  { search } for  pid=2959 comm="ssh-keygen" name="root" dev=dm-0 ino=17268737 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c1023 tclass=dir
----
Comment 7 Miroslav Grepl 2011-05-31 10:27:44 EDT
Try to add

userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;

to local policy.
Comment 8 Milos Malik 2011-05-31 10:46:07 EDT
The following module fixed it. Now ssh-keygen works as expected for the root user with the sysadm_r role.

policy_module(mykeygen,1.0)

require{
 type sshd_key_t;
 type sysadm_t;
 role sysadm_r;
}

role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)
userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;
Comment 9 Miroslav Grepl 2011-05-31 10:48:49 EDT
Could you also check the label is correct

# matchpathcon /root/.ssh

# ls -dZ /root/.ssh
Comment 10 Milos Malik 2011-05-31 10:56:44 EDT
Good catch. There is a difference:

# rm -rf /root/.ssh
# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e6:4a:32:15:4b:e9:62:7b:e6:2f:8e:61:50:6d:1e:55 root@hp-dl140g2-01.rhts.eng.rdu.redhat.com
# matchpathcon /root/.ssh
/root/.ssh	root:object_r:sysadm_home_ssh_t:SystemLow
# ls -dZ /root/.ssh
drwx------  root root root:object_r:sshd_key_t:SystemLow /root/.ssh
#
Comment 11 Miroslav Grepl 2011-05-31 11:31:23 EDT
Well, this is a fix for targeted policy.
Comment 12 Miroslav Grepl 2011-05-31 14:39:27 EDT
I like RHEL5 handling with users.

---

interface(`ssh_run_keygen',`
    gen_require(`
        type ssh_keygen_t;
        type sshd_key_t;
    ')

    role $2 types ssh_keygen_t;
    ssh_domtrans_keygen($1)

    ifdef(`targeted_policy',`
        userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, dir )
    ',`
        allow ssh_keygen_t $4:dir rw_dir_perms;
        type_transition ssh_keygen_t $4:dir $3;
    ')
')

and

    optional_policy(`
        ssh_run_keygen($1_t, $1_r, $1_home_ssh_t, $1_home_dir_t)
    ')

in ssh_per_role_template() should fix the issue.
Comment 13 Daniel Walsh 2011-05-31 14:41:51 EDT
Fine with me.
Comment 14 Miroslav Grepl 2011-06-01 08:56:42 EDT
Fixed in selinux-policy-2.4.6-308.el5
Comment 17 Miroslav Grepl 2011-06-06 04:32:17 EDT
Ok, I need to fix the interface.
Comment 18 Miroslav Grepl 2011-06-06 11:16:33 EDT
Milos,
could you try it with

selinux-policy-2.4.6-309.el5
Comment 19 Milos Malik 2011-06-07 09:17:44 EDT
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# cd /root
# rm -rf .ssh
# setenforce 0
# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ec:ca:a7:a2:81:78:13:6c:ba:60:ae:26:ab:32:39:54 root@hp-bl870c-02.rhts.eng.bos.redhat.com
# ausearch -m avc -m user_avc -ts recent
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:88): arch=c0000032 syscall=1212 success=yes exit=0 a0=3 a1=60000fffff9d2ff0 a2=0 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:88): avc:  denied  { getattr } for  pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:87): arch=c0000032 syscall=1028 success=yes exit=3 a0=200000080004bf48 a1=241 a2=180 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:87): avc:  denied  { create } for  pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
type=AVC msg=audit(1307452424.875:87): avc:  denied  { add_name } for  pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
type=AVC msg=audit(1307452424.875:87): avc:  denied  { write } for  pid=3584 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=8413169 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.876:89): arch=c0000032 syscall=1027 success=yes exit=1675 a0=3 a1=2000000800f10000 a2=68b a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.876:89): avc:  denied  { write } for  pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
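The AVC records posted in Comments 1, 6 and 19 are the evidence the fix was built from: each names a source domain, a target type, an object class and the denied permission. As an added example that is not part of this bug report or of the selinux-policy package, the Python below parses denial lines of that shape (the sample records are constructed from the ones quoted above, with irrelevant fields dropped) and groups them by source type, target type and class, roughly what audit2allow reports:

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records in the shape this bug report shows,
# shortened to the fields the parser uses. The SYSCALL record must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1306749945.721:223): avc:  denied  { execute } for  pid=2262 comm="bash" name="ssh-keygen" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1306848600.329:50): avc:  denied  { search } for  pid=2931 comm="ssh-keygen" name=".ssh" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1307452424.875:87): avc:  denied  { write } for  pid=3584 comm="ssh-keygen" name=".ssh" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
type=AVC msg=audit(1307452424.875:87): avc:  denied  { add_name } for  pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
type=SYSCALL msg=audit(1307452424.875:87): arch=c0000032 syscall=1028 success=yes exit=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen"
"""

# Permission set first, then the three fields that identify the denied access vector.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Type field of a user:role:type[:range] security context (the MLS range is ignored)."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm) per denied permission; skip non-AVC records."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        for perm in m.group("perms").split():
            yield type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perm

def summarize(text):
    """Collapse denials into {(source_type, target_type, tclass): sorted perms}."""
    groups = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc(text):
        groups[(stype, ttype, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in groups.items()}

def to_allow_rules(text):
    """Render the summary as raw allow rules, the way audit2allow would present them."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules
```

The generated rules are a diagnostic, not the fix: in this thread the denials against user_home_t and sysadm_home_ssh_t were resolved by relabeling /root and by the type_transition added in Comment 12, not by allowing the raw permissions.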
Comment 20 Miroslav Grepl 2011-06-08 00:15:01 EDT
Fixed in selinux-policy-2.4.6-311.el5
Comment 22 errata-xmlrpc 2011-07-21 05:19:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html