* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
       [not found] <1169842300.6956.129.camel@localhost.localdomain>
@ 2007-01-26 20:27 ` Tomas Mraz
       [not found]   ` <1169844372.6956.130.camel@localhost.localdomain>
       [not found]   ` <1169844884.6956.132.camel@localhost.localdomain>
  0 siblings, 2 replies; 5+ messages in thread
From: Tomas Mraz @ 2007-01-26 20:27 UTC (permalink / raw)
  To: Kylene Jo Hall; +Cc: dwalsh, redhat-lspp, selinux

On Fri, 2007-01-26 at 12:11 -0800, Kylene Jo Hall wrote:
> I have been unable to ssh into an LSPP system with multiple categories.
> 
> For example the following work:
> ssh testuser/user_r/s2@localhost
> ssh testuser/user_r/s2:c0@localhost
> ssh testuser/user_r/s2:c1@localhost
> 
> But these do not:
> ssh testuser/user_r/s2:c0.c1@localhost
> ssh testuser/user_r/s2:c0,c1@localhost
> 
> Policy version: selinux-policy-mls-2.4.6-28.el5
> Kernel version: kernel-2.6.18-1.3015.2.1.el5.lspp.63
> 
> We have tested this on multiple architectures to no avail.  Any
> suggestions?
Could you modify LogLevel in /etc/ssh/sshd_config to DEBUG3 and look
in /var/log/secure to see what messages are there when the login fails?

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
       [not found]   ` <1169844372.6956.130.camel@localhost.localdomain>
@ 2007-01-26 21:10     ` Tomas Mraz
  0 siblings, 0 replies; 5+ messages in thread
From: Tomas Mraz @ 2007-01-26 21:10 UTC (permalink / raw)
  To: Kylene Jo Hall; +Cc: redhat-lspp, dwalsh, selinux

On Fri, 2007-01-26 at 12:46 -0800, Kylene Jo Hall wrote:
> I couldn't find anything in /var/log/secure but here is what was
> in /var/log/messages from the following attempts:
> ssh testuser/user_r/s2:c0.c1@localhost
> ssh testuser/user_r/s2:c0,c1@localhost
> ssh testuser/user_r/s2:c0-c1@localhost
> 
> Jan 26 14:41:40 rheal3a sshd[2646]: Postponed keyboard-interactive for
> testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2646]: Postponed keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2645]: Accepted keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2645]: fatal: deny MLS level s2:c0,c1 (user
> range s0-s15:c0.c1023)
> Jan 26 14:42:11 rheal3a sshd[2653]: Connection from 127.0.0.1 port 39421
> Jan 26 14:42:11 rheal3a sshd[2654]: Postponed keyboard-interactive for
> testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2654]: Postponed keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2653]: Accepted keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2653]: fatal: Failed to get default
> security context for testuser.
> Jan 26 14:43:35 rheal3a sshd[2662]: Connection from 127.0.0.1 port 39422
> Jan 26 14:43:35 rheal3a sshd[2663]: Postponed keyboard-interactive for
> testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2663]: Postponed keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2662]: Accepted keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2662]: fatal: deny MLS level s2:c0.c1 (user
> range s0-s15:c0.c1023)
> Jan 26 14:44:30 rheal3a sshd[2670]: Connection from 127.0.0.1 port 39423
> Jan 26 14:44:31 rheal3a sshd[2671]: Postponed keyboard-interactive for
> testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2671]: Postponed keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2670]: Accepted keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2670]: fatal: Failed to get default
> security context for testuser.

It seems that s2:c0,c1 and s2:c0.c1 logins are denied by policy. I don't
know why the s2:c0-c1 case fails on getting the default context; it seems
that s2:c0-c1 is not a valid context.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb




* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
       [not found]     ` <1169845275.6956.134.camel@localhost.localdomain>
@ 2007-01-26 22:31       ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2007-01-26 22:31 UTC (permalink / raw)
  To: Kylene Jo Hall; +Cc: Tomas Mraz, redhat-lspp, selinux

Kylene Jo Hall wrote:
> More test data:
>
>
> [root@rheal3a ~]# ssh testuser/user_r/s2:c0@localhost
> Password:
> Last login: Fri Jan 26 14:55:13 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser)
> context=testuser_u:user_r:user_t:A
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]# ssh testuser/user_r/s2:c1@localhost
> Password:
> Last login: Fri Jan 26 14:55:29 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser)
> context=testuser_u:user_r:user_t:B
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]# ssh testuser/user_r/s2:c3@localhost
> Password:
> Last login: Fri Jan 26 14:55:40 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser)
> context=testuser_u:user_r:user_t:s2:c3
> -bash-3.1$ quit
> -bash: quit: command not found
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]# ssh testuser/user_r/s2:c2@localhost
> Password:
> Last login: Fri Jan 26 14:56:05 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ ls
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser)
> context=testuser_u:user_r:user_t:s2:c2
> -bash-3.1$ quit
> -bash: quit: command not found
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]# ssh testuser/user_r/s2:c2,c3@localhost
> Password:
> Last login: Fri Jan 26 14:56:22 2007 from rheal3a.endicott.ibm.com
> -bash-3.1$ id
> uid=501(testuser) gid=501(testuser) groups=501(testuser)
> context=testuser_u:user_r:user_t:s2:c2,c3
> -bash-3.1$ exit
> logout
> Connection to localhost closed.
> [root@rheal3a ~]#
>
>
>
> On Fri, 2007-01-26 at 12:54 -0800, Kylene Jo Hall wrote:
>   
>> More test data:
>>
>> ssh testuser/user_r/s#:c0,c1@localhost works for every value of # between
>> 0 and 15 except 2.
>>
>> Thanks,
>> Kylie
>>
>> On Fri, 2007-01-26 at 21:27 +0100, Tomas Mraz wrote:
>>     
>>> On Fri, 2007-01-26 at 12:11 -0800, Kylene Jo Hall wrote:
>>>       
>>>> I have been unable to ssh into an LSPP system with multiple categories.
>>>>
>>>> For example the following work:
>>>> ssh testuser/user_r/s2@localhost
>>>> ssh testuser/user_r/s2:c0@localhost
>>>> ssh testuser/user_r/s2:c1@localhost
>>>>
>>>> But these do not:
>>>> ssh testuser/user_r/s2:c0.c1@localhost
>>>> ssh testuser/user_r/s2:c0,c1@localhost
>>>>
>>>> Policy version: selinux-policy-mls-2.4.6-28.el5
>>>> Kernel version: kernel-2.6.18-1.3015.2.1.el5.lspp.63
>>>>
>>>> We have tested this on multiple architectures to no avail.  Any
>>>> suggestions?
>>>>         
>>> Could you modify LogLevel in /etc/ssh/sshd_config to DEBUG3 and look
>>> in /var/log/secure to see what messages are there when the login fails?
>>>
>>>       
>
>   



I am not able to recreate this here.

semanage user -l
semanage login -l
ps -eZ | grep ssh




* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
       [not found]   ` <1169844884.6956.132.camel@localhost.localdomain>
       [not found]     ` <1169845275.6956.134.camel@localhost.localdomain>
@ 2007-01-29 17:42     ` Klaus Weidner
  2007-01-30  2:47       ` Klaus Weidner
  1 sibling, 1 reply; 5+ messages in thread
From: Klaus Weidner @ 2007-01-29 17:42 UTC (permalink / raw)
  To: Kylene Jo Hall; +Cc: Tomas Mraz, redhat-lspp, dwalsh, selinux

On Fri, Jan 26, 2007 at 12:54:44PM -0800, Kylene Jo Hall wrote:
> More test data:
> 
> ssh testuser/user_r/s#:c0,c1@localhost works for every value of # between
> 0 and 15 except 2.

I can reproduce this, and it appears to be related to label translations.

This is in the /etc/selinux/mls/setrans.conf file:

	# Secret level with compartments
	s2=Secret
	s2:c0=A
	s2:c1=B

Commenting out these entries makes login work again.

Failed login:

type=USER_ROLE_CHANGE msg=audit(1170092360.977:951): user pid=2498 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 selected-context=staff_u:staff_r:staff_t:Secret:A,B: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=failed)'

Successful login (translation commented out):

type=USER_ROLE_CHANGE msg=audit(1170092403.742:991): user pid=2553 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 selected-context=staff_u:staff_r:staff_t:s2:c0,c1: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=success)'

Is "Secret:A,B" correct syntax?

-Klaus
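To make the two audit records above and the earlier "deny MLS level s2:c0,c1 (user range s0-s15:c0.c1023)" message concrete, here is an added Python model (my own, not sshd's or mcstransd's code) of the two checks involved: an MLS dominance check, which shows that s2:c0,c1 does lie inside the user range, so the denial is not a range problem; and a piecewise label translation that turns s2:c0,c1 into Secret:A,B, a label with no way back to a raw level. The piecewise rule is an assumption fitted to the logins reported in this thread, not the real translator's algorithm.

```python
import re

# Constructed from this thread: the three setrans.conf entries Klaus quotes and the
# sshd "deny MLS level ... (user range ...)" messages. Not mcstransd's or sshd's code.
SETRANS = {"s2": "Secret", "s2:c0": "A", "s2:c1": "B"}
RAW_LEVEL = re.compile(r"^s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$")

def parse_level(level):
    """'s2:c0.c1023' or 's2:c0,c1' -> (sensitivity, set of category numbers).
    Returns None for syntax the raw MLS format does not allow, e.g. 's2:c0-c1'."""
    m = RAW_LEVEL.match(level)
    if not m:
        return None
    cats = set()
    for part in (m.group(2).split(",") if m.group(2) else []):
        lo, _, hi = part.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(m.group(1)), cats

def level_in_range(level, user_range):
    """MLS dominance check: low <= level <= high for a 'low-high' user range."""
    low, _, high = user_range.partition("-")
    parsed = [parse_level(x) for x in (low, high or low, level)]
    if None in parsed:
        return False
    (ls, lc), (hs, hc), (s, c) = parsed
    return ls <= s <= hs and lc <= c <= hc

def translate(level, table=SETRANS):
    """Assumed translation rule fitted to the thread: an exact setrans entry wins;
    otherwise, only if the sensitivity AND every category have their own entries,
    they are translated piecewise and rejoined (s2:c0,c1 -> 'Secret:A,B');
    anything else stays raw, as the s2:c2,c3 and s3:c0,c1 logins showed."""
    if level in table:
        return table[level]
    s, cats = parse_level(level) or (None, set())
    parts = [table.get(f"s{s}")] + [table.get(f"s{s}:c{c}") for c in sorted(cats)]
    if not cats or None in parts:
        return level                       # no complete translation: stays raw
    return parts[0] + ":" + ",".join(parts[1:])

def untranslate(label, table=SETRANS):
    """Reverse mapping back to a raw level; None if no raw level produces this label."""
    if parse_level(label) is not None:
        return label
    return {v: k for k, v in table.items()}.get(label)

def round_trips(level, table=SETRANS):
    """The check a setrans.conf edit should pass: translate, map back, get the same level."""
    return untranslate(translate(level, table), table) == level
```

With the three entries present, round_trips("s2:c0,c1") is False while every other sensitivity passes; with an empty table (the entries commented out) it passes, matching what Klaus observed.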



* Re: [redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
  2007-01-29 17:42     ` Klaus Weidner
@ 2007-01-30  2:47       ` Klaus Weidner
  0 siblings, 0 replies; 5+ messages in thread
From: Klaus Weidner @ 2007-01-30  2:47 UTC (permalink / raw)
  To: Kylene Jo Hall; +Cc: redhat-lspp, dwalsh, Tomas Mraz, selinux

On Mon, Jan 29, 2007 at 11:42:15AM -0600, Klaus Weidner wrote:
> On Fri, Jan 26, 2007 at 12:54:44PM -0800, Kylene Jo Hall wrote:
> > More test data:
> > 
> > ssh testuser/user_r/s#:c0,c1@localhost works for every value of # between
> > 0 and 15 except 2.
> 
> I can reproduce this, and it appears to be related to label translations.

I've posted a bug:

	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225355

-Klaus

