Bug 826632 - in.telnetd has an SELinux policy problem
in.telnetd has an SELinux policy problem
Product: Fedora
Classification: Fedora
Component: xinetd (Show other bugs)
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Jan Synacek
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-05-30 12:12 EDT by Gordon Russell
Modified: 2012-06-05 01:07 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-05 01:07:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Gordon Russell 2012-05-30 12:12:18 EDT
Description of problem:

When you attempt to log in with telnet using xinetd and in.telnetd, you get an SELinux error. I believe the problem is that /bin/login has been moved to /usr/bin, and /bin is a softlink. To traverse a softlink in.telnetd needs lnk_file read permissions in the SELinux policy, or /bin/login in the in.telnetd source replaced with "/usr/bin/login" (probably the better solution and thus the reason for not raising this with SELinux).

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Install xinetd and telnet-server
2. Enable telnet server with appropriate firewall rules then telnet to the machine
3. Error appears in /var/log/messages
Actual results:
sealart reads:
Additional Information:
Source Context                system_u:system_r:telnetd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                bin [ lnk_file ]
Source                        in.telnetd
Source Path                   /usr/sbin/in.telnetd
Port                          <Unknown>
Host                          host-19-17.linuxzoo.net
Source RPM Packages           telnet-server-0.17-52.fc17.x86_64
Target RPM Packages           filesystem-3-2.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host-19-17.linuxzoo.net
Platform                      Linux host-19-17.linuxzoo.net 3.3.4-5.fc17.x86_64
                              #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 30 May 2012 04:41:43 PM BST
Last Seen                     Wed 30 May 2012 04:42:56 PM BST
Local ID                      118784fb-1e34-45d6-adb8-9e7677121d55

Raw Audit Messages

type=AVC msg=audit(1338392576.243:120): avc:  denied  { read } for  pid=12398 comm="in.telnetd" name="bin" dev="sda2" ino=1155 scontext=system_u:system_r:telnetd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1338392576.243:120): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f53fedef206 a1=7f53ff461f60 a2=7f53ff461dd0 a3=7fffec907b10 items=0 ppid=12397 pid=12398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm=in.telnetd exe=/usr/sbin/in.telnetd subj=system_u:system_r:telnetd_t:s0-s0:c0.c1023 key=(null)

Hash: in.telnetd,telnetd_t,bin_t,lnk_file,read


#============= telnetd_t ==============
allow telnetd_t bin_t:lnk_file read;

audit2allow -R

#============= telnetd_t ==============
allow telnetd_t bin_t:lnk_file read;

Expected results:
No SELinux problems

Additional info:
Of course there could be other selinux issues beyond the first one!
Comment 1 Jan Synacek 2012-06-04 04:48:44 EDT
I could not reproduce this. There is no selinux error in /var/log/messages and I can telnet (tried localhost) fine.

My selinux-policy version is 3.10.0-128 though.

Can you please update and try again?
Comment 2 Gordon Russell 2012-06-04 11:41:29 EDT
I updated the selinux-policy to -128 and I have no more problems. It all seems to be working fine now.

Thanks for investigating.

Note You need to log in before you can comment on or make changes to this bug.