Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-306.el5
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-devel-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
(get a RHEL-5.7 machine with active MLS policy, log in as root via console)

# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# getsebool -a | grep ssh
allow_ssh_keysign --> on
run_ssh_inetd --> off
ssh_sysadm_login --> on
# /usr/bin/ssh-keygen
-bash: /usr/bin/ssh-keygen: Permission denied
# echo $?
126
#

Actual results:
root (sysadm_r or secadm_r) cannot run ssh-keygen in MLS

Expected results:
root (sysadm_r or secadm_r) can run ssh-keygen in MLS
I had to disable dontaudit rules to find out what is going on:

----
time->Mon May 30 06:05:45 2011
type=SYSCALL msg=audit(1306749945.721:223): arch=c000003e syscall=21 success=no exit=-13 a0=1a074590 a1=1 a2=0 a3=6f746b7365642d65 items=0 ppid=2155 pid=2262 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306749945.721:223): avc: denied { execute } for pid=2262 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:01 2011
type=SYSCALL msg=audit(1306751401.009:338): arch=c000003e syscall=21 success=no exit=-13 a0=630f0f0 a1=4 a2=d a3=6f746b7365642d65 items=0 ppid=13286 pid=13289 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751401.009:338): avc: denied { read } for pid=13289 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
time->Mon May 30 06:30:02 2011
type=SYSCALL msg=audit(1306751402.833:339): arch=c000003e syscall=59 success=no exit=-13 a0=63107d0 a1=630e1c0 a2=631bc40 a3=8 items=0 ppid=13289 pid=13317 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="bash" exe="/bin/bash" subj=root:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306751402.833:339): avc: denied { execute } for pid=13317 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
----
I guess we had the same issue on rhel6, right?
No, we don't. The same scenario works on RHEL-6 where the following packages are installed:

selinux-policy-3.7.19-96.el6.noarch
selinux-policy-targeted-3.7.19-96.el6.noarch
selinux-policy-mls-3.7.19-96.el6.noarch
selinux-policy-doc-3.7.19-96.el6.noarch
selinux-policy-minimum-3.7.19-96.el6.noarch
We have on RHEL6

optional_policy(`
	ssh_run_keygen($3,$2)
')

in ssh_role_template()
Milos, if you add a local policy which will contain

policy_module(mykeygen,1.0)

require{
	type sysadm_t;
	role sysadm_r;
}

role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)

does it work?
Before "restorecon -Rv /root ; semodule -DB" ssh-keygen did not work and I saw the following AVC:

----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:50): arch=c000003e syscall=4 success=no exit=-13 a0=2ae0cd25b900 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:50): avc: denied { search } for pid=2931 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----
time->Tue May 31 09:30:00 2011
type=SYSCALL msg=audit(1306848600.329:49): arch=c000003e syscall=4 success=no exit=-13 a0=7ffff087cec0 a1=7ffff0875df0 a2=7ffff0875df0 a3=0 items=0 ppid=2844 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848600.329:49): avc: denied { getattr } for pid=2931 comm="ssh-keygen" path="/root/.ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
----

After "restorecon -Rv /root ; semodule -DB" ssh-keygen did not work and I saw the following AVC:

----
time->Tue May 31 09:34:26 2011
type=SYSCALL msg=audit(1306848866.374:60): arch=c000003e syscall=4 success=no exit=-13 a0=2b7b6044d900 a1=7fff0cd596f0 a2=7fff0cd596f0 a3=0 items=0 ppid=2844 pid=2959 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306848866.374:60): avc: denied { search } for pid=2959 comm="ssh-keygen" name="root" dev=dm-0 ino=17268737 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c1023 tclass=dir
----
Try to add

userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;

to local policy.
Following module fixed it. Now ssh-keygen works as expected for root user with sysadm_r role.

policy_module(mykeygen,1.0)

require{
	type sshd_key_t;
	type sysadm_t;
	role sysadm_r;
}

role sysadm_r types ssh_keygen_t;
ssh_domtrans_keygen(sysadm_t)
userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, { dir file })
allow ssh_keygen_t sysadm_home_dir_t:dir search;
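The denials quoted earlier in this thread were turned into policy by hand; the script below is an added example, not part of this bug report or of selinux-policy, showing how those raw AVC records map onto the (source type, target type, class, permissions) triples that an allow rule expresses, roughly what audit2allow does. The sample records are constructed from the AVC lines quoted above (ssh-keygen run as root:sysadm_r under MLS), with each audit record on its own line as ausearch prints them.

```python
"""Summarise SELinux AVC denials into the allow rules a local module would need.

Added example for this bug thread; it is not part of the Bugzilla report or of
selinux-policy.  The sample records below are constructed from the denials
quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the thread, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1306749945.721:223): avc: denied { execute } for pid=2262 comm="bash" name="ssh-keygen" dev=dm-0 ino=2596603 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1306848600.329:50): avc: denied { search } for pid=2931 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1306848600.329:49): avc: denied { getattr } for pid=2931 comm="ssh-keygen" path="/root/.ssh" dev=dm-0 ino=17268750 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1306848866.374:60): avc: denied { search } for pid=2959 comm="ssh-keygen" name="root" dev=dm-0 ino=17268737 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c1023 tclass=dir
"""

# Matches the permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field (third component) of a user:role:type:range context."""
    return context.split(':')[2]


def parse_avcs(text):
    """Yield (source type, target type, class, set of perms) for every AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and separators carry no denial
        yield (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'],
               set(m['perms'].split()))


def summarise(text):
    """Merge denials that share (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def to_allow_rules(text):
    """Render the merged denials as sorted policy 'allow' statements."""
    out = []
    for (src, tgt, cls), perms in sorted(summarise(text).items()):
        if len(perms) == 1:
            perm_str = next(iter(perms))
        else:
            perm_str = '{ %s }' % ' '.join(sorted(perms))
        out.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return out


if __name__ == '__main__':
    for rule in to_allow_rules(SAMPLE_AVCS):
        print(rule)
```

The output is the raw allow-rule view only. As the rest of the thread shows, the right fix for the first denial is a domain transition (ssh_domtrans_keygen) rather than letting sysadm_t execute the binary directly, and the user_home_t denials disappear once /root is relabelled and a filetrans rule is in place, so such a summary is a starting point for reading the denials, not a module to load as-is.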
Could you also check the label is correct

# matchpathcon /root/.ssh
# ls -dZ /root/.ssh
Good catch. There is a difference:

# rm -rf /root/.ssh
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e6:4a:32:15:4b:e9:62:7b:e6:2f:8e:61:50:6d:1e:55 root.eng.rdu.redhat.com
# matchpathcon /root/.ssh
/root/.ssh	root:object_r:sysadm_home_ssh_t:SystemLow
# ls -dZ /root/.ssh
drwx------  root root root:object_r:sshd_key_t:SystemLow       /root/.ssh
#
Well, this is a fix for targeted policy.
I like RHEL5 handling with users.

---
interface(`ssh_run_keygen',`
	gen_require(`
		type ssh_keygen_t;
		type sshd_key_t;
	')

	role $2 types ssh_keygen_t;
	ssh_domtrans_keygen($1)

	ifdef(`targeted_policy',`
		userdom_sysadm_home_dir_filetrans(ssh_keygen_t, sshd_key_t, dir )
	',`
		allow ssh_keygen_t $4:dir rw_dir_perms;
		type_transition ssh_keygen_t $4:dir $3;
	')
')

and

optional_policy(`
	ssh_run_keygen($1_t, $1_r, $1_home_ssh_t, $1_home_dir_t)
')

in ssh_per_role_template() should fix the issue.
Fine with me.
Fixed in selinux-policy-2.4.6-308.el5
Ok, I need to fix the interface.
Milos, could you try it with selinux-policy-2.4.6-309.el5?
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# cd /root
# rm -rf .ssh
# setenforce 0
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ec:ca:a7:a2:81:78:13:6c:ba:60:ae:26:ab:32:39:54 root.eng.bos.redhat.com
# ausearch -m avc -m user_avc -ts recent
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:88): arch=c0000032 syscall=1212 success=yes exit=0 a0=3 a1=60000fffff9d2ff0 a2=0 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:88): avc: denied { getattr } for pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.875:87): arch=c0000032 syscall=1028 success=yes exit=3 a0=200000080004bf48 a1=241 a2=180 a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.875:87): avc: denied { create } for pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
type=AVC msg=audit(1307452424.875:87): avc: denied { add_name } for pid=3584 comm="ssh-keygen" name="id_rsa" scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
type=AVC msg=audit(1307452424.875:87): avc: denied { write } for pid=3584 comm="ssh-keygen" name=".ssh" dev=dm-0 ino=8413169 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=dir
----
time->Tue Jun  7 09:13:44 2011
type=SYSCALL msg=audit(1307452424.876:89): arch=c0000032 syscall=1027 success=yes exit=1675 a0=3 a1=2000000800f10000 a2=68b a3=0 items=0 ppid=3318 pid=3584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307452424.876:89): avc: denied { write } for pid=3584 comm="ssh-keygen" path="/root/.ssh/id_rsa" dev=dm-0 ino=8413173 scontext=root:sysadm_r:ssh_keygen_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_ssh_t:s0 tclass=file
----
Fixed in selinux-policy-2.4.6-311.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html