Bug 837815 - MLS user with category s8:c101 cannot ssh to the system
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Keywords: Regression, ZStream
Blocks: 840674 840699
Reported: 2012-07-05 07:51 EDT by Niranjan Mallapadi Raghavender
Modified: 2013-02-21 03:25 EST
Fixed In Version: selinux-policy-3.7.19-156.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:25:09 EST
Type: Bug

Description Niranjan Mallapadi Raghavender 2012-07-05 07:51:03 EDT
Description of problem:

On a RHEL6.3 system with MLS policy, a user created with category s8:c101 cannot log in to the system through ssh.

Below messages are seen:

type=AVC msg=audit(1341466838.962:19126): avc:  denied  { rlimitinh } for  pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1341466838.962:19126): avc:  denied  { siginh } for  pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1341466838.962:19126): avc:  denied  { noatsecure } for  pid=3530 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1341466838.962:19126): arch=c000003e syscall=59 success=yes exit=0 a0=7fd582ec7c98 a1=7ffffa04c9f0 a2=7fd5830ce368 a3=7 items=0 ppid=3528 pid=3530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1341466838.965:19127): user pid=3528 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='op=PAM:authentication acct="dwalsh" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=AVC msg=audit(1341466838.967:19128): avc:  denied  { rlimitinh } for  pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1341466838.967:19128): avc:  denied  { siginh } for  pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1341466838.967:19128): avc:  denied  { noatsecure } for  pid=3531 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process

/var/log/secure

Jul  5 10:57:33 webserver sshd[3419]: Accepted password for dwalsh from 192.168.122.1 port 35119 ssh2
Jul  5 10:57:33 webserver sshd[3419]: pam_unix(sshd:session): session opened for user dwalsh by (uid=0)
Jul  5 10:57:33 webserver sshd[3423]: fatal: Write failed: Permission denied
Jul  5 10:57:33 webserver sshd[3423]: fatal: mm_request_send: write: Permission denied
Jul  5 10:57:33 webserver sshd[3419]: pam_unix(sshd:session): session closed for user dwalsh



Version-Release number of selected component (if applicable):


selinux-policy-targeted-3.7.19-154.el6.noarch
selinux-policy-3.7.19-154.el6.noarch
selinux-policy-mls-3.7.19-154.el6.noarch


How reproducible:


Steps to Reproduce:
1. Create a user
useradd -Z sysadm_u john

2. Assign category s8:c101
semanage login -a -s sysadm_u -r s8:c101 john

3. Log in through ssh
  
Actual results:

Unable to log on through ssh

Expected results:

Should be able to log on through ssh

Additional info:
Comment 5 Miroslav Grepl 2012-07-09 08:28:09 EDT
Fixed in selinux-policy-3.7.19-156.el6
Comment 9 errata-xmlrpc 2013-02-21 03:25:09 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
