* How to make sftp work?
From: Mark Müller @ 2002-07-27 16:24 UTC
To: SELinux Mailing List
Hello,
when I want to use sftp (with a Windows SSH client), several AVC denied
messages appear:
--------
avc: denied { search } for pid=3303 exe=/usr/sbin/sshd path=/usr/lib/ssh dev=08:09 ino=61510 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:sshd_exec_t tclass=dir
avc: denied { search } for pid=3452 exe=/bin/bash path=/usr/lib/ssh dev=08:09 ino=61510 scontext=root:user_r:user_t tcontext=system_u:object_r:sshd_exec_t tclass=dir
avc: denied { getattr } for pid=3452 exe=/usr/lib/ssh/sftp-server path=/root/.bash_history dev=08:09 ino=208 scontext=root:user_r:user_t tcontext=system_u:object_r:sysadm_home_t tclass=lnk_file
avc: denied { read } for pid=3452 exe=/usr/lib/ssh/sftp-server path=/root/.bash_history dev=08:09 ino=208 scontext=root:user_r:user_t tcontext=system_u:object_r:sysadm_home_t tclass=lnk_file
--------
The sftp-server files are on a SuSE 7.3 distro in /usr/lib/ssh. I
labelled them with sshd_exec_t.
The first AVC message can be solved with:
allow sshd_t sshd_exec_t:dir { search };
but why is bash involved in the second AVC denied message, and how can I
use sftp? Am I wrong or does bash in user_t start sftp-server and thus
sftp-server is placed in the user_t domain?
Did I miss something important in order to work with sftp-server or do I
have to launch a normal ftp server as there is already a TE
configuration file?
Thanks in advance,
Mark
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: How to make sftp work?
From: Russell Coker @ 2002-07-27 16:46 UTC
To: Mark Müller, SELinux Mailing List
On Sat, 27 Jul 2002 18:24, Mark Müller wrote:
> Hello,
> when I want to use sftp (with a Windows SSH client), several AVC denied
> messages appear:
>
> --------
> avc: denied { search } for pid=3303 exe=/usr/sbin/sshd
> path=/usr/lib/ssh dev=08:09 ino=61510 scontext=system_u:system_r:sshd_t
> tcontext=system_u:object_r:sshd_exec_t tclass=dir
I suggest that the /usr/lib/ssh directory have type lib_t (which it has in
the default policy file context files). sshd_t already has search and
getattr access to lib_t directories.
> avc: denied { search } for pid=3452 exe=/bin/bash path=/usr/lib/ssh
> dev=08:09 ino=61510 scontext=root:user_r:user_t
> tcontext=system_u:object_r:sshd_exec_t tclass=dir
user_t has access to lib_t too...
> avc: denied { getattr } for pid=3452 exe=/usr/lib/ssh/sftp-server
> path=/root/.bash_history dev=08:09 ino=208 scontext=root:user_r:user_t
> tcontext=system_u:object_r:sysadm_home_t tclass=lnk_file
>
> avc: denied { read } for pid=3452 exe=/usr/lib/ssh/sftp-server
> path=/root/.bash_history dev=08:09 ino=208 scontext=root:user_r:user_t
> tcontext=system_u:object_r:sysadm_home_t tclass=lnk_file
It seems that the default domain for the root account on your system is
user_t which does not have access to the root home directory. Not much you
can do about this.
> but why is bash involved in the second AVC denied message, and how can I
> use sftp? Am I wrong or does bash in user_t start sftp-server and thus
> sftp-server is placed in the user_t domain?
I believe that ssh runs the user's shell and uses that for all further
operations. The SE Linux policy for ssh is based around domain transitions
when running the shell...
I'm not sure why anyone wants sftp, between regular ftp, scp, and sendfile I
think that all requirements are covered...
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
* Re: How to make sftp work?
From: Mark Müller @ 2002-07-28 8:42 UTC
To: SELinux Mailing List
Russell Coker wrote:
> I suggest that the /usr/lib/ssh directory have type lib_t (which it has in
> the default policy file context files). sshd_t already has search and
> getattr access to lib_t directories.
I changed that due to another AVC denied message and placed sftp in
sshd_t through a domain transition. Now I switched back to lib_t again.
> It seems that the default domain for the root account on your system is
> user_t which does not have access to the root home directory. Not much you
> can do about this.
I can change it with newrole; however, this doesn't help me further, as you
said before: in my situation sshd does not spawn bash/sftp in the proper
context.
> I believe that ssh runs the user's shell and uses that for all further
> operations. The SE Linux policy for ssh is based around domain transitions
> when running the shell...
>
> I'm not sure why anyone wants sftp, between regular ftp, scp, and sendfile I
> think that all requirements are covered...
It is just for convenience. We got used to spawning the sftp-server
automatically from sshd and don't run ftp. I thought I could extend the
policy so that the sftp-server subsystem is placed in the proper domain
when started from sshd. Otherwise we will use ftp instead.
* Re: How to make sftp work?
From: Stephen Smalley @ 2002-07-29 13:19 UTC
To: Mark Müller; +Cc: SELinux Mailing List
On Sat, 27 Jul 2002, Mark Müller wrote:
> avc: denied { search } for pid=3303 exe=/usr/sbin/sshd
> path=/usr/lib/ssh dev=08:09 ino=61510 scontext=system_u:system_r:sshd_t
> tcontext=system_u:object_r:sshd_exec_t tclass=dir
Only the sshd executable should be labeled with sshd_exec_t, since it is
the entrypoint type for the sshd_t domain. If you want to permit sshd to
execute some helper program without changing domains, then assign a
different type (e.g. sshd_helper_exec_t) to that program and add a
'can_exec(sshd_t, sshd_helper_exec_t)' rule to the sshd.te file.
> avc: denied { getattr } for pid=3452 exe=/usr/lib/ssh/sftp-server
> path=/root/.bash_history dev=08:09 ino=208 scontext=root:user_r:user_t
> tcontext=system_u:object_r:sysadm_home_t tclass=lnk_file
Unless you truly need access to /root for sftp, then I'd suggest simply
suppressing these audit messages using dontaudit rules.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
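An added example, not from this thread and not part of the SELinux policy or tools: a small Python script that parses AVC denial lines like the ones in Mark's first post and turns them into the kind of suggestions the replies give. A directory access whose target carries an entrypoint type such as sshd_exec_t gets a relabel hint (Stephen's point that only the daemon binary should have that type), accesses under /root get a dontaudit rule in TE syntax (his suggestion for the .bash_history denials), and anything else gets a plain allow rule with the permissions of repeated denials merged. The sample log is the four messages from the first post re-joined onto one line each; ENTRYPOINT_TYPES and the /root path rule are assumptions of this script, not something the policy defines.

```python
import re

# Constructed sample: the four AVC messages quoted in the thread, each
# re-joined onto one line as the kernel originally logged them.
SAMPLE_AVC_LOG = """\
avc: denied { search } for pid=3303 exe=/usr/sbin/sshd path=/usr/lib/ssh dev=08:09 ino=61510 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:sshd_exec_t tclass=dir
avc: denied { search } for pid=3452 exe=/bin/bash path=/usr/lib/ssh dev=08:09 ino=61510 scontext=root:user_r:user_t tcontext=system_u:object_r:sshd_exec_t tclass=dir
avc: denied { getattr } for pid=3452 exe=/usr/lib/ssh/sftp-server path=/root/.bash_history dev=08:09 ino=208 scontext=root:user_r:user_t tcontext=system_u:object_r:sysadm_home_t tclass=lnk_file
avc: denied { read } for pid=3452 exe=/usr/lib/ssh/sftp-server path=/root/.bash_history dev=08:09 ino=208 scontext=root:user_r:user_t tcontext=system_u:object_r:sysadm_home_t tclass=lnk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)

# Assumption of this script: types that name the entrypoint of a domain.
# A denial on a *directory* carrying such a type usually means the directory
# is mislabelled, not that an allow rule is missing.
ENTRYPOINT_TYPES = {"sshd_exec_t"}


def parse_avc(line):
    """Parse one 'avc: denied' line into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    # A security context is user:role:type; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_rule(rec, audit_only_paths=("/root",)):
    """Return (kind, rule) for one parsed denial.

    kind is 'relabel', 'dontaudit' or 'allow'.  Directory access to an
    entrypoint type gets a relabel hint; paths under audit_only_paths get a
    dontaudit rule (the thread's advice for /root); everything else gets an
    allow rule in TE syntax.
    """
    perms = " ".join(sorted(rec["perms"]))
    if rec["tclass"] == "dir" and rec["ttype"] in ENTRYPOINT_TYPES:
        return ("relabel",
                f"# relabel {rec['path']}: only the daemon binary should carry {rec['ttype']}")
    if any(rec.get("path", "").startswith(p) for p in audit_only_paths):
        return ("dontaudit",
                f"dontaudit {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};")
    return ("allow",
            f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};")


def summarize(log_text):
    """Merge denials that differ only in permission (same source type, target
    type, class and path), then return the distinct (kind, rule) suggestions
    sorted so they are stable to compare."""
    merged = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec.get("path", ""))
        if key in merged:
            merged[key]["perms"] = sorted(set(merged[key]["perms"]) | set(rec["perms"]))
        else:
            merged[key] = rec
    return sorted({suggest_rule(rec) for rec in merged.values()})


if __name__ == "__main__":
    for kind, rule in summarize(SAMPLE_AVC_LOG):
        print(f"{kind:10s} {rule}")
```

Run on the sample it collapses the two /root/.bash_history denials into one `dontaudit user_t sysadm_home_t:lnk_file { getattr read };` and reports the two /usr/lib/ssh denials as a single relabel hint rather than as allow rules, which matches the order of the advice in the thread: fix labels first, silence noise second, add allow rules only for what remains.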