* Re: SSH pubkey authentication & MLS policy
2006-09-21 13:41 ` SSH pubkey authentication & MLS policy Daniel J Walsh
@ 2006-09-21 14:40 ` Michael C Thompson
2006-09-21 15:28 ` Erich Schubert
2006-09-21 16:31 ` Christopher J. PeBenito
From: Michael C Thompson @ 2006-09-21 14:40 UTC (permalink / raw)
To: Daniel J Walsh
Cc: Christopher J. PeBenito, Stephen Smalley, Serge E. Hallyn,
SE Linux
Daniel J Walsh wrote:
> Chris, how do you want to handle this?
>
>
>
> Michael C Thompson wrote:
>> Hey Dan,
>>
>> We're trying to get ssh to use public key authentication to log in,
>> and it seems that sshd can't access the various home directories for
>> the contents of .ssh
>>
>> Is there something that we can change in the policy to permit this
>> action?
>>
>> For root:
>>
>> type=AVC msg=audit(1158784742.480:63): avc: denied { getattr } for
>> pid=1798 comm="sshd" name="root" dev=sda3 ino=11436033
>> scontext=system_u:system_r:sshd_t:s0-s15:c0.c255
>> tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c255 tclass=dir
>> type=SYSCALL msg=audit(1158784742.480:63): arch=c000003e syscall=6
>> success=yes exit=0 a0=7fff8877e100 a1=7fff8877cf80 a2=7fff8877cf80
>> a3=0 items=0 ppid=1554 pid=1798 auid=4294967295 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd"
>> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255
>> key=(null)
>> type=AVC_PATH msg=audit(1158784742.480:63): path="/root"
>>
>> For non-root users:
>>
>> type=AVC msg=audit(1158784771.664:76): avc: denied { getattr } for
>> pid=1827 comm="sshd" name="mcthomps" dev=sda3 ino=9175059
>> scontext=system_u:system_r:sshd_t:s0-s15:c0.c255
>> tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c255 tclass=dir
>> type=SYSCALL msg=audit(1158784771.664:76): arch=c000003e syscall=6
>> success=yes exit=0 a0=7ffff3244bc0 a1=7ffff3243a40 a2=7ffff3243a40
>> a3=0 items=0 ppid=1554 pid=1827 auid=4294967295 uid=0 gid=0 euid=503
>> suid=0 fsuid=503 egid=503 sgid=0 fsgid=503 tty=(none) comm="sshd"
>> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255
>> key=(null)
>> type=AVC_PATH msg=audit(1158784771.664:76): path="/home/mcthomps"
>>
>>
>> Thanks,
>> Mike
>>
> Could you do this in permissive mode to capture all of the avc
I did, that's all the ones that were generated that seemed pertinent to
sshd. I can re-do this and send you the complete transaction log if you
want.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: SSH pubkey authentication & MLS policy
2006-09-21 13:41 ` SSH pubkey authentication & MLS policy Daniel J Walsh
2006-09-21 14:40 ` Michael C Thompson
@ 2006-09-21 15:28 ` Erich Schubert
2006-09-21 16:04 ` Serge E. Hallyn
2006-09-21 16:31 ` Christopher J. PeBenito
From: Erich Schubert @ 2006-09-21 15:28 UTC (permalink / raw)
To: Daniel J Walsh
Cc: Christopher J. PeBenito, Stephen Smalley, Michael C Thompson,
Serge E. Hallyn, SE Linux
Hi,
This is not MLS related.
Here's the Debian diff used to allow public key logins.
http://svn.debian.org/wsvn/selinux/refpolicy/branches/debian/policy/modules/services/ssh.te?op=diff&rev=0&sc=0
I believe that sshd verifies the home directory to be not
world-writable.
The patch above adds "search", although "getattr" probably is
sufficient. But I didn't want to add another interface... yeah, I'm a
bit lazy sometimes.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
A man doesn't know what he knows until he knows what he doesn't know. //\
Während das Glück dir lacht, wirst Freunde du zählen in Menge; V_/_
wenn sich der Himmel bewölkt, findest du dich bald allein.
* Re: SSH pubkey authentication & MLS policy
2006-09-21 15:28 ` Erich Schubert
@ 2006-09-21 16:04 ` Serge E. Hallyn
2006-09-21 16:55 ` Serge E. Hallyn
2006-09-21 19:24 ` Erich Schubert
From: Serge E. Hallyn @ 2006-09-21 16:04 UTC (permalink / raw)
To: Erich Schubert
Cc: Daniel J Walsh, Christopher J. PeBenito, Stephen Smalley,
Michael C Thompson, Serge E. Hallyn, SE Linux
Quoting Erich Schubert (erich@debian.org):
> Hi,
> This is not MLS related.
> Here's the Debian diff used to allow public key logins.
> http://svn.debian.org/wsvn/selinux/refpolicy/branches/debian/policy/modules/services/ssh.te?op=diff&rev=0&sc=0
Looks like the statements we need, but why do you have this
under tunable_policy(`ssh_sysadm_login')?
> I believe that sshd verifies the home directory to be not
> world-writeable.
> The patch above adds "search", although "getattr" probably is
> sufficient. But I didn't want to add another interface... yeah, I'm a
> bit lazy sometimes.
thanks,
-serge
* Re: SSH pubkey authentication & MLS policy
2006-09-21 16:04 ` Serge E. Hallyn
@ 2006-09-21 16:55 ` Serge E. Hallyn
2006-09-21 19:24 ` Erich Schubert
From: Serge E. Hallyn @ 2006-09-21 16:55 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: Erich Schubert, Daniel J Walsh, Christopher J. PeBenito,
Stephen Smalley, Michael C Thompson, SE Linux
Quoting Serge E. Hallyn (serue@us.ibm.com):
> Quoting Erich Schubert (erich@debian.org):
> > Hi,
> > This is not MLS related.
> > Here's the Debian diff used to allow public key logins.
> > http://svn.debian.org/wsvn/selinux/refpolicy/branches/debian/policy/modules/services/ssh.te?op=diff&rev=0&sc=0
>
> Looks like the statements we need, but why do you have this
> under tunable_policy(`ssh_sysadm_login')?
>
> > I believe that sshd verifies the home directory to be not
> > world-writeable.
> > The patch above adds "search", although "getattr" probably is
> > sufficient. But I didn't want to add another interface... yeah, I'm a
> > bit lazy sometimes.
The following module allowed pubkey ssh login to work:
policy_module(sergessh,1.0.0)

gen_require(`
	type sshd_t;
')

# let sshd search the top-level home directories so it can reach $HOME/.ssh
userdom_search_all_users_home_dirs(sshd_t)
userdom_search_generic_user_home_dirs(sshd_t)
userdom_search_staff_home_dirs(sshd_t)
Which seems odd to me - I thought a loadable module should not
be able to directly address sshd_t...
-serge
* Re: SSH pubkey authentication & MLS policy
2006-09-21 16:04 ` Serge E. Hallyn
2006-09-21 16:55 ` Serge E. Hallyn
@ 2006-09-21 19:24 ` Erich Schubert
2006-09-25 15:04 ` Serge E. Hallyn
From: Erich Schubert @ 2006-09-21 19:24 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: Daniel J Walsh, Christopher J. PeBenito, Stephen Smalley,
Michael C Thompson, SE Linux
Hi,
> > http://svn.debian.org/wsvn/selinux/refpolicy/branches/debian/policy/modules/services/ssh.te?op=diff&rev=0&sc=0
>
> Looks like the statements we need, but why do you have this
> under tunable_policy(`ssh_sysadm_login')?
IIRC it was in the static vs. targeted construct, not in
ssh_sysadm_login.
Or it was because in the case of not allowing sysadm logins, I didn't
want it to be able to scan the sysadm's home directory. YMMV.
Anyway, getattr should be enough. Could you try modifying your sergessh
module to only add getattr attributes, if that is enough? If so, we
should add a new interface which includes getattr, but not full search
to home directories.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
Friends are those who reach out for //\
your hand but touch your heart. V_/_
Es gibt wenig aufrichtige Freunde. Die Nachfrage ist auch gering.
--- Marie von Ebner-Eschenbach
* Re: SSH pubkey authentication & MLS policy
2006-09-21 19:24 ` Erich Schubert
@ 2006-09-25 15:04 ` Serge E. Hallyn
From: Serge E. Hallyn @ 2006-09-25 15:04 UTC (permalink / raw)
To: Erich Schubert
Cc: Serge E. Hallyn, Daniel J Walsh, Christopher J. PeBenito,
Stephen Smalley, Michael C Thompson, SE Linux
Quoting Erich Schubert (erich@debian.org):
> Hi,
> > > http://svn.debian.org/wsvn/selinux/refpolicy/branches/debian/policy/modules/services/ssh.te?op=diff&rev=0&sc=0
> >
> > Looks like the statements we need, but why do you have this
> > under tunable_policy(`ssh_sysadm_login')?
>
> IIRC it was in the static vs. targeted construct, not in
> ssh_sysadm_login.
> Or it was because in the case of not allowing sysadm logins, I didn't
> want it to be able to scan the sysadm's home directory. YMMV.
>
> Anyway, getattr should be enough. Could you try modifying your sergessh
> module to only add getattr attributes, if that is enough? If so, we
> should add a new interface which includes getattr, but not full search
> to home directories.
Yup, the following module also works:
policy_module(sergessh,1.0.0)

gen_require(`
	type sshd_t;
	type abat_home_dir_t;
')

# getattr on the home directory itself is all sshd was denied
allow sshd_t abat_home_dir_t:dir { getattr };
thanks,
-serge
* Re: SSH pubkey authentication & MLS policy
2006-09-21 13:41 ` SSH pubkey authentication & MLS policy Daniel J Walsh
2006-09-21 14:40 ` Michael C Thompson
2006-09-21 15:28 ` Erich Schubert
@ 2006-09-21 16:31 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2006-09-21 16:31 UTC (permalink / raw)
To: Daniel J Walsh
Cc: Stephen Smalley, Michael C Thompson, Serge E. Hallyn, SE Linux
On Thu, 2006-09-21 at 09:41 -0400, Daniel J Walsh wrote:
> Chris, how do you want to handle this?
[cut]
> > type=AVC msg=audit(1158784742.480:63): avc: denied { getattr } for
> > pid=1798 comm="sshd" name="root" dev=sda3 ino=11436033
> > scontext=system_u:system_r:sshd_t:s0-s15:c0.c255
> > tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c255 tclass=dir
>
> > type=AVC msg=audit(1158784771.664:76): avc: denied { getattr } for
> > pid=1827 comm="sshd" name="mcthomps" dev=sda3 ino=9175059
> > scontext=system_u:system_r:sshd_t:s0-s15:c0.c255
> > tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c255 tclass=dir
Ok, I did two things. I fixed userdom_search_all_users_home_content()
to use search_dir_perms instead of just search, and I changed the ssh
server template to use userdom_search_all_users_home_dirs() instead of
the above interface, since it only needs to search the top home dir to
get to $HOME/.ssh. Searching subdirs of $HOME wouldn't be needed.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
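The thread goes from Mike's two AVC denials to Serge's one-line module and Chris's narrowed interface. As an added example (my code, not the list's, and not part of refpolicy or audit2allow), here is the same reduction done mechanically: parse the AVC, SYSCALL and AVC_PATH records, join them by audit serial, pull the type out of an MLS context (the range s0-s15:c0.c255 contains a colon, so the type is the third field, not the last), decode the x86_64 syscall so the comment says "lstat /root" rather than "syscall 6", flag that success=yes on a denied access means the box was permissive, and emit a module that allows exactly the permissions seen and nothing wider. The sample log is the thread's own records rejoined onto single lines; the module name sshd_home_getattr, the small syscall table and the record format are my assumptions.

```python
"""Added example, not code from the thread or from refpolicy: fold AVC
denials like the ones Mike posted into the smallest allow rules, the way
the thread ends up at `allow sshd_t abat_home_dir_t:dir { getattr };`.
Assumptions (mine): the 2006-era audit text format shown in the thread and
only the x86_64 (arch=c000003e) syscall numbers relevant to file access."""
import re
from collections import defaultdict

# Constructed sample: the two AVC/SYSCALL/AVC_PATH triples quoted in the
# thread, each record rejoined onto a single line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1158784742.480:63): avc: denied { getattr } for pid=1798 comm="sshd" name="root" dev=sda3 ino=11436033 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=root:object_r:sysadm_home_dir_t:s0-s15:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158784742.480:63): arch=c000003e syscall=6 success=yes exit=0 a0=7fff8877e100 a1=7fff8877cf80 a2=7fff8877cf80 a3=0 items=0 ppid=1554 pid=1798 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255 key=(null)
type=AVC_PATH msg=audit(1158784742.480:63): path="/root"
type=AVC msg=audit(1158784771.664:76): avc: denied { getattr } for pid=1827 comm="sshd" name="mcthomps" dev=sda3 ino=9175059 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158784771.664:76): arch=c000003e syscall=6 success=yes exit=0 a0=7ffff3244bc0 a1=7ffff3243a40 a2=7ffff3243a40 a3=0 items=0 ppid=1554 pid=1827 auid=4294967295 uid=0 gid=0 euid=503 suid=0 fsuid=503 egid=503 sgid=0 fsgid=503 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255 key=(null)
type=AVC_PATH msg=audit(1158784771.664:76): path="/home/mcthomps"
"""

EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\b")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86_64 syscall numbers that show up in file-access denials (assumed subset).
X86_64_SYSCALLS = {2: "open", 4: "stat", 5: "fstat", 6: "lstat", 21: "access", 257: "openat"}


def context_type(ctx):
    """Type field of user:role:type[:range]. On an MLS box the range itself
    holds a colon (s0-s15:c0.c255), so the type is index 2, never the last field."""
    return ctx.split(":")[2]


def parse_audit_log(text):
    """Group AVC, SYSCALL and AVC_PATH records by (timestamp, serial)."""
    events = defaultdict(lambda: {"avcs": [], "syscall": None, "paths": []})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events[(m.group("ts"), m.group("serial"))]
        f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if f.get("type") == "AVC" and (a := AVC_RE.search(line)):
            ev["avcs"].append({"verdict": a.group("verdict"),
                               "perms": frozenset(a.group("perms").split()),
                               "stype": context_type(f["scontext"]),
                               "ttype": context_type(f["tcontext"]),
                               "tclass": f["tclass"], "comm": f.get("comm", "?")})
        elif f.get("type") == "SYSCALL":
            ev["syscall"] = f
        elif f.get("type") == "AVC_PATH":
            ev["paths"].append(f["path"])
    return dict(events)


def was_permissive(ev):
    """A denial whose SYSCALL record still says success=yes was only audited,
    not enforced: the box was in permissive mode, as Dan asked for."""
    return ev["syscall"] is not None and ev["syscall"].get("success") == "yes"


def syscall_name(ev):
    sc = ev["syscall"] or {}
    if sc.get("arch") == "c000003e":
        return X86_64_SYSCALLS.get(int(sc["syscall"]), "syscall " + sc["syscall"])
    return "syscall %s (arch %s)" % (sc.get("syscall", "?"), sc.get("arch", "?"))


def allow_rules(events):
    """{(stype, ttype, tclass): set(perms)} plus one evidence line per denial.
    Permissions are unioned per triple and never widened to a macro such as
    search_dir_perms: the thread shows getattr alone is enough for sshd."""
    rules, why = defaultdict(set), defaultdict(list)
    for key in sorted(events):
        ev = events[key]
        for avc in ev["avcs"]:
            if avc["verdict"] != "denied":
                continue
            k = (avc["stype"], avc["ttype"], avc["tclass"])
            rules[k] |= avc["perms"]
            why[k].append("%s %s %s%s" % (avc["comm"], syscall_name(ev),
                          ",".join(ev["paths"]) or "?",
                          " (permissive)" if was_permissive(ev) else ""))
    return dict(rules), dict(why)


def render_module(name, events):
    """Emit a refpolicy-style loadable module body (policy_module/gen_require)."""
    rules, why = allow_rules(events)
    types = sorted({t for k in rules for t in k[:2]})
    out = ["policy_module(%s, 1.0.0)" % name, "", "gen_require(`"]
    out += ["\ttype %s;" % t for t in types] + ["')", ""]
    for k in sorted(rules):
        out += ["# " + w for w in why[k]]
        out.append("allow %s %s:%s { %s };" % (k + (" ".join(sorted(rules[k])),)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("sshd_home_getattr", parse_audit_log(SAMPLE_AUDIT_LOG)))
```

Run on the sample it prints a module with two rules, `allow sshd_t sysadm_home_dir_t:dir { getattr };` and `allow sshd_t user_home_dir_t:dir { getattr };`, each preceded by a comment such as `# sshd lstat /root (permissive)`. The lstat matches Erich's explanation: sshd stats the home directory to check it is not world-writable before trusting $HOME/.ssh, which is why getattr on the directory is the only permission the denials ask for and why Chris could drop the subdirectory search from the ssh server template.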