Bug 711794 - enforcing MLS: user_u and staff_u cannot run ssh-keygen
enforcing MLS: user_u and staff_u cannot run ssh-keygen
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-08 09:53 EDT by Milos Malik
Modified: 2012-10-15 09:58 EDT (History)
1 user (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-312.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 05:20:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2011-06-08 09:53:53 EDT
Description of problem:
They cannot even delete .ssh directory in their home directories.

Version-Release number of selected component (if applicable):
selinux-policy-minimum-2.4.6-311.el5
selinux-policy-devel-2.4.6-311.el5
selinux-policy-mls-2.4.6-311.el5
selinux-policy-targeted-2.4.6-311.el5
selinux-policy-2.4.6-311.el5
selinux-policy-strict-2.4.6-311.el5

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-5.7 machine where MLS policy is active and is in enforcing mode
2. create an user_u or staff_u user
3. set up a password for that user
4. log in as that user via ssh
5. delete .ssh directory if present
6. run ssh-keygen

Actual results:
* public/private key pair generation failed
* following AVCs (I had to disable dontaudit rules to see denials):
----
time->Wed Jun  8 09:48:45 2011
type=SYSCALL msg=audit(1307540925.996:384): arch=c0000032 syscall=1056 success=no exit=-13 a0=6000000000008420 a1=6000000000008420 a2=60000fffffae7598 a3=3 items=0 ppid=3400 pid=4167 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=8 comm="rm" exe="/bin/rm" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1307540925.996:384): avc:  denied  { rmdir } for  pid=4167 comm="rm" name=".ssh" dev=dm-0 ino=3801115 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:staff_home_ssh_t:s0 tclass=dir
----
time->Wed Jun  8 09:48:49 2011
type=SYSCALL msg=audit(1307540929.404:385): arch=c0000032 syscall=1056 success=no exit=-13 a0=6000000000008420 a1=6000000000008420 a2=60000fffffcbf598 a3=3 items=0 ppid=3306 pid=4168 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=pts0 ses=7 comm="rm" exe="/bin/rm" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1307540929.404:385): avc:  denied  { rmdir } for  pid=4168 comm="rm" name=".ssh" dev=dm-0 ino=3801118 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_ssh_t:s0 tclass=dir
----
time->Wed Jun  8 09:51:15 2011
type=SYSCALL msg=audit(1307541075.324:392): arch=c0000032 syscall=1033 success=yes exit=0 a0=6000000000036560 a1=600000000002bf70 a2=600000000002c740 a3=0 items=0 ppid=3306 pid=4185 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=7 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=user_u:user_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1307541075.324:392): avc:  denied  { noatsecure } for  pid=4185 comm="ssh-keygen" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1307541075.324:392): avc:  denied  { rlimitinh } for  pid=4185 comm="ssh-keygen" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1307541075.324:392): avc:  denied  { siginh } for  pid=4185 comm="ssh-keygen" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1307541075.324:392): avc:  denied  { read write } for  pid=4185 comm="ssh-keygen" path="/dev/pts/0" dev=devpts ino=2 scontext=user_u:user_r:ssh_keygen_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1307541075.324:392): avc:  denied  { read write } for  pid=4185 comm="ssh-keygen" path="/dev/pts/0" dev=devpts ino=2 scontext=user_u:user_r:ssh_keygen_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1307541075.324:392): avc:  denied  { read write } for  pid=4185 comm="ssh-keygen" path="/dev/pts/0" dev=devpts ino=2 scontext=user_u:user_r:ssh_keygen_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1307541075.324:392): avc:  denied  { read write } for  pid=4185 comm="ssh-keygen" name="0" dev=devpts ino=2 scontext=user_u:user_r:ssh_keygen_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file
----
time->Wed Jun  8 09:51:07 2011
type=SYSCALL msg=audit(1307541067.772:389): arch=c0000032 syscall=1033 success=yes exit=0 a0=6000000000046990 a1=60000000000365b0 a2=6000000000037ab0 a3=0 items=0 ppid=3400 pid=4184 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=8 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=staff_u:staff_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1307541067.772:389): avc:  denied  { noatsecure } for  pid=4184 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1307541067.772:389): avc:  denied  { rlimitinh } for  pid=4184 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1307541067.772:389): avc:  denied  { siginh } for  pid=4184 comm="ssh-keygen" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:ssh_keygen_t:s0 tclass=process
type=AVC msg=audit(1307541067.772:389): avc:  denied  { read write } for  pid=4184 comm="ssh-keygen" path="/dev/pts/1" dev=devpts ino=3 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1307541067.772:389): avc:  denied  { read write } for  pid=4184 comm="ssh-keygen" path="/dev/pts/1" dev=devpts ino=3 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1307541067.772:389): avc:  denied  { read write } for  pid=4184 comm="ssh-keygen" path="/dev/pts/1" dev=devpts ino=3 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1307541067.772:389): avc:  denied  { read write } for  pid=4184 comm="ssh-keygen" name="1" dev=devpts ino=3 scontext=staff_u:staff_r:ssh_keygen_t:s0 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file
----

Expected results:
* no AVCs
* public/private key pair is generated successfully
Comment 1 Milos Malik 2011-06-08 09:56:12 EDT
Following policy module fixed the problem:

module mypolicy 1.0;

require {
        type staff_t;
        type ssh_keygen_t;
        type home_root_t;
        type staff_home_ssh_t;
        type user_home_ssh_t;
        type user_t;
        type user_devpts_t;
        type staff_devpts_t;
        class chr_file { read write };
        class dir { search rmdir };
}

#============= ssh_keygen_t ==============
allow ssh_keygen_t home_root_t:dir search;
allow ssh_keygen_t staff_devpts_t:chr_file { read write };
allow ssh_keygen_t user_devpts_t:chr_file { read write };

#============= staff_t ==============
allow staff_t staff_home_ssh_t:dir rmdir;

#============= user_t ==============
allow user_t user_home_ssh_t:dir rmdir;
Comment 2 Miroslav Grepl 2011-06-20 08:34:19 EDT
Fixed in selinux-policy-2.4.6-312.el5
Comment 5 errata-xmlrpc 2011-07-21 05:20:51 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 6 errata-xmlrpc 2011-07-21 07:57:19 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.