Bug 987554 - ssh cannot create controlmaster socket when running as confined user
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-23 12:03 EDT by Michael Scherer
Modified: 2017-06-29 16:27 EDT
CC: 8 users

Doc Type: Bug Fix
Last Closed: 2013-10-21 12:11:55 EDT
Type: Bug
Description Michael Scherer 2013-07-23 12:03:27 EDT
To speed up connections, I am using ssh connection multiplexing. However, after setting it up, I discovered that SELinux blocks it:

type=AVC msg=audit(1374595077.699:4935): avc:  denied  { create } for  pid=5793 comm="ssh" name="misc@gitolite.corp.example.com:22.wFfLJBMez5wphcDh" scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file

My settings are (in ~/.ssh/config):

Host git.corp.example.com gitolite.corp.example.com
    ControlMaster auto
    ControlPath /home/misc/tmp/%r@%h:%p


$ ls -lZd ~/tmp/
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 /home/misc/tmp/
Comment 1 Michael Scherer 2013-07-23 14:43:12 EDT
So in fact, there are 3 operations, as seen by running in permissive mode:

type=AVC msg=audit(1374604682.020:5133): avc:  denied  { create } for  pid=13572 comm="ssh" name="misc@gitolite.corp.example.com:22.sWlPsweTDbYJoss6" scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1374604682.020:5134): avc:  denied  { link } for  pid=13572 comm="ssh" name="misc@gitolite.corp.example.com:22.sWlPsweTDbYJoss6" dev="dm-3" ino=3422336 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1374604682.020:5135): avc:  denied  { unlink } for  pid=13572 comm="ssh" name="misc@gitolite.corp.example.com:22.sWlPsweTDbYJoss6" dev="dm-3" ino=3422336 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
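The three AVC records above show the pattern a policy maintainer reads before writing a fix: the same source type, target type and object class, with a growing set of denied permissions. The script below is an added example, not part of the bug report or of the selinux-policy project, that parses AVC lines and collapses them into the per-(source, target, class) permission sets that a rule would need, in the spirit of what `audit2allow` does. The sample lines are the ones from this comment, embedded as constructed input; the output is a diagnostic summary to compare against the actual policy, not something to load into a running system.

```python
import re
from collections import defaultdict

# Constructed sample input: the three denials ssh produced in permissive mode,
# copied from the bug report above.
SAMPLE_AVC = """\
type=AVC msg=audit(1374604682.020:5133): avc:  denied  { create } for  pid=13572 comm="ssh" name="misc@gitolite.corp.example.com:22.sWlPsweTDbYJoss6" scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1374604682.020:5134): avc:  denied  { link } for  pid=13572 comm="ssh" name="misc@gitolite.corp.example.com:22.sWlPsweTDbYJoss6" dev="dm-3" ino=3422336 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1374604682.020:5135): avc:  denied  { unlink } for  pid=13572 comm="ssh" name="misc@gitolite.corp.example.com:22.sWlPsweTDbYJoss6" dev="dm-3" ino=3422336 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
"""

# One AVC record: result, permission set in braces, then the three contexts.
# Fields between them (pid, comm, name, dev, ino) vary, so they are skipped lazily.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'\bcomm="(?P<comm>[^"]*)"')


def parse_avc(line):
    """Return a dict for an AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    c = COMM_RE.search(line)
    rec["comm"] = c.group("comm") if c else None
    return rec


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize(lines):
    """Collapse denials into {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return rules


def format_rules(rules):
    """Render the summary in allow-rule syntax, one line per (source, target, class)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def summarize_text(text):
    """Convenience wrapper: raw audit text in, rendered rule lines out."""
    return format_rules(summarize(text.splitlines()))


if __name__ == "__main__":
    for rule in summarize_text(SAMPLE_AVC):
        print(rule)
```

Run against the sample it prints a single line covering all three denials, `allow ssh_t user_home_t:sock_file { create link unlink };`, which is exactly the gap the policy change referenced later in this thread had to close (for the real fix, the socket is handled by a type transition rather than a blanket allow on `user_home_t`).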
Comment 2 Miroslav Grepl 2013-07-24 08:11:37 EDT
What is the default value for ControlPath?
Comment 3 Daniel Walsh 2013-07-24 10:57:15 EDT
Seems like we should have a transition for this, although it would be nice if the socket was put into a subdir like .cache/ssh/ or /run/user/UID/ssh.
Comment 4 Daniel Walsh 2013-07-24 11:10:32 EDT
e506a4253b8b80ec6e0e59d5e3be4709aeba45ef fixes this in git.
Comment 5 Michael Scherer 2013-07-24 16:39:54 EDT
There is no default for ControlPath. And I would indeed recommend placing the control socket in a protected directory, since it can be used to connect to a remote server without a password (in fact, that's quite tricky because using ControlPath even leaves no log on the remote server).
Comment 6 Petr Lautrbach 2013-07-25 11:01:52 EDT
As stated, there's no default value for ControlPath and ssh won't set up multiplexing if ControlPath is not set. So it's up to a user to set it and place the control socket in the right place. Also the control socket is created using umask(0177) so it should be accessible only to the owner.
Comment 7 Daniel Walsh 2013-07-25 17:08:59 EDT
Is this a case where we should give an example location like ~/.ssh/ControlSocket?
Comment 8 Enrico Scholz 2013-10-15 14:01:14 EDT
The home directory is a bad choice because it is usually on NFS shares and '~/.ssh/%r@%h:%p' will cause conflicts when running ssh on different hosts. You might add the local hostname %l to avoid this conflict but this can make the resulting path name too long.

A place below $XDG_RUNTIME_DIR would be an excellent place but unfortunately, ControlPath does not expand shell variables and the uid must be hardcoded.
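Comments 5, 6 and 8 together make the defender's point: the control socket itself is created with umask 0177, but whoever can reach the socket gets a password-less session that leaves no login record on the remote side, so the directory named in ControlPath matters as much as the socket's mode. The script below is an added example, not code from the bug report or from OpenSSH, that checks a candidate ControlPath directory the way an admin would before recommending it: it must be a real directory (not a symlink), owned by the caller, with no group or other access, and on SELinux systems its label is reported so it can be compared with the types in the AVC messages. The `evaluate_control_dir` helper is pure so it can be exercised with constructed mode/uid values; `check_control_dir` applies it to a real path.

```python
import os
import stat
import sys


def evaluate_control_dir(st_mode, st_uid, my_uid):
    """Judge a candidate ControlPath directory from its lstat() mode and owner.

    Returns a list of problems; an empty list means the directory is acceptable
    as a home for multiplexing sockets (owner-only, real directory, owned by us).
    """
    problems = []
    if stat.S_ISLNK(st_mode):
        # A symlink could redirect the socket into a directory someone else controls.
        problems.append("is a symlink")
    elif not stat.S_ISDIR(st_mode):
        problems.append("is not a directory")
    if st_uid != my_uid:
        problems.append(f"owned by uid {st_uid}, not {my_uid}")
    perm = stat.S_IMODE(st_mode)
    if perm & 0o077:
        # The socket's umask(0177) protects the socket, not the directory around it.
        problems.append(f"mode {oct(perm)} grants group/other access")
    return problems


def selinux_label(path):
    """Return the SELinux context of path, or None where xattrs are unavailable."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None


def check_control_dir(path):
    """Apply the checks to a real path. Returns (problems, selinux_label)."""
    st = os.lstat(path)
    return evaluate_control_dir(st.st_mode, st.st_uid, os.getuid()), selinux_label(path)


if __name__ == "__main__":
    # Usage: python check_control_dir.py /path/used/in/ControlPath
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")
    problems, label = check_control_dir(target)
    print(f"{target}: label={label}")
    for p in problems:
        print(f"  problem: {p}")
    sys.exit(1 if problems else 0)
```

Against `/home/misc/tmp/` from the report (mode 775, label `user_home_t`) the check would flag the group/other permissions; a `/run/user/UID/ssh` directory created with mode 0700, as suggested in comment 3, passes the ownership and mode tests, and the printed label is what to compare against the `tcontext` in any new denial.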
Comment 9 Miroslav Grepl 2013-10-21 12:11:55 EDT
We have rules for HOMEDIR.

Petr,
should we make a note in sshd_config as Dan wrote?
Comment 10 Brian J. Murrell 2017-06-29 16:27:58 EDT
So what dir should the control socket go into so that it does not run afoul of selinux?
