* trouble with ssh in today's rawhide + refpolicy
From: Eamon Walsh @ 2007-10-22 21:26 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Christopher J. PeBenito, SELinux List
On a rawhide box updated this afternoon, running refpolicy trunk in mcs
mode, I get the following after rebooting the box and logging in over ssh:
$ id -Z
sysadm_u:sysadm_r:system_chkpwd_t:s0
After issuing a "service sshd restart" on the box and trying again, it
changes to:
$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0
I've seen this on 2 different machines, and it persists even after a
full filesystem relabel. Am I missing something from the refpolicy
merge? I haven't changed my seusers file from when I was running strict.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: trouble with ssh in today's rawhide + refpolicy
From: Eamon Walsh @ 2007-10-22 22:46 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Christopher J. PeBenito, SELinux List
Eamon Walsh wrote:
> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> mode, I get the following after rebooting the box and logging in over ssh:
>
> $ id -Z
> sysadm_u:sysadm_r:system_chkpwd_t:s0
>
> After issuing a "service sshd restart" on the box and trying again, it
> changes to:
Should have used run_init to restart sshd. When I do this, it remains
system_chkpwd_t. Also, I'm running in permissive mode and using public
key to authenticate.
Some searching revealed previous bug reports, most recently Sept 21:
http://archives.gentoo.org/gentoo-hardened/msg_07021.xml
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
* Re: trouble with ssh in today's rawhide + refpolicy
From: Daniel J Walsh @ 2007-10-23 10:56 UTC (permalink / raw)
To: Eamon Walsh; +Cc: Christopher J. PeBenito, SELinux List
Eamon Walsh wrote:
> Eamon Walsh wrote:
>> On a rawhide box updated this afternoon, running refpolicy trunk in
>> mcs mode, I get the following after rebooting the box and logging in
>> over ssh:
>>
>> $ id -Z
>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>>
>> After issuing a "service sshd restart" on the box and trying again, it
>> changes to:
>
> Should have used run_init to restart sshd. When I do this, it remains
> system_chkpwd_t. Also, I'm running in permissive mode and using public
> key to authenticate.
>
> Some searching revealed previous bug reports, most recently Sept 21:
> http://archives.gentoo.org/gentoo-hardened/msg_07021.xml
>
>
It sounds to me like sshd is not labeled correctly. Or perhaps the
entire machine. What is sshd running as?
* Re: trouble with ssh in today's rawhide + refpolicy
From: Christopher J. PeBenito @ 2007-10-23 13:09 UTC (permalink / raw)
To: Eamon Walsh; +Cc: Daniel J Walsh, SELinux List
On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> mode, I get the following after rebooting the box and logging in over ssh:
>
> $ id -Z
> sysadm_u:sysadm_r:system_chkpwd_t:s0
Do you have ssh_sysadm_login on? Also, it seems odd that this would
happen, since this combination doesn't show up in default_contexts, and
the only auto transition to system_chkpwd_t from sshd_t is via
chkpwd_exec_t.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: trouble with ssh in today's rawhide + refpolicy
From: Stephen Smalley @ 2007-10-23 13:23 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Eamon Walsh, Daniel J Walsh, SELinux List
On Tue, 2007-10-23 at 13:09 +0000, Christopher J. PeBenito wrote:
> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
> > On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> > mode, I get the following after rebooting the box and logging in over ssh:
> >
> > $ id -Z
> > sysadm_u:sysadm_r:system_chkpwd_t:s0
>
> Do you have ssh_sysadm_login on? Also, it seems odd that this would
> happen, since this combination doesn't show up in default_contexts, and
> the only auto transition to system_chkpwd_t from sshd_t is via
> chkpwd_exec_t.
We've seen this kind of behavior before when the
get_ordered_context_list() logic fails to get any contexts from
security_compute_user() that correspond with any of the partial contexts
in default_contexts - it then falls back to just returning the entire
reachable list.
get_ordered_context_list() really needs to be overhauled and replaced
with a mostly userland solution, only consulting the kernel to get the
list of roles and the default level for the user.
--
Stephen Smalley
National Security Agency
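A toy model of the ordering and fallback behaviour Stephen describes above, added here as an illustration and not libselinux's own get_ordered_context_list() code. The reachable-context lists stand in for what security_compute_user() would return (assumed: with ssh_sysadm_login off, sysadm_t is not reachable from sshd_t but system_chkpwd_t still is, via chkpwd_exec_t), and the default_contexts excerpt is a constructed, simplified role:type form.

```python
"""Constructed model of get_ordered_context_list() fallback behaviour.

Not libselinux code.  Shows why a login can land in system_chkpwd_t when
nothing in default_contexts matches the reachable contexts, and what the
stricter "fail instead of fall back" alternative would return.
"""
from typing import Dict, List

# Constructed default_contexts excerpt: partial context of the login
# process -> preferred partial session contexts, most preferred first.
DEFAULT_CONTEXTS = """
system_r:sshd_t          sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:local_login_t   sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
"""

# Constructed stand-ins for security_compute_user(sshd_t, sysadm_u).
# Assumption consistent with the thread's fix: with ssh_sysadm_login off,
# sysadm_t is absent; system_chkpwd_t is present because sshd_t
# auto-transitions to it via chkpwd_exec_t.
REACHABLE_BOOL_OFF = ["sysadm_u:sysadm_r:system_chkpwd_t:s0"]
REACHABLE_BOOL_ON = ["sysadm_u:sysadm_r:system_chkpwd_t:s0",
                     "sysadm_u:sysadm_r:sysadm_t:s0"]


def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """First field is the key, remaining fields are the ordered prefs."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            table[fields[0]] = fields[1:]
    return table


def role_type(context: str) -> str:
    """user:role:type[:level] -> role:type (the part default_contexts keys on)."""
    parts = context.split(":")
    return f"{parts[1]}:{parts[2]}"


def order_contexts(fromcon: str, reachable: List[str],
                   defaults: Dict[str, List[str]], strict: bool = False) -> List[str]:
    """strict=False: no match -> return the whole reachable list (the fallback).
    strict=True: no match -> return nothing, so the login cannot proceed."""
    prefs = defaults.get(role_type(fromcon), [])
    ordered = [c for p in prefs for c in reachable if role_type(c) == p]
    if ordered:
        return ordered
    return [] if strict else list(reachable)


def session_context(fromcon: str, reachable: List[str],
                    defaults: Dict[str, List[str]], strict: bool = False):
    """The context the session would actually get: first entry, or None."""
    ctx = order_contexts(fromcon, reachable, defaults, strict)
    return ctx[0] if ctx else None
```

With the boolean off the fallback hands the session the first reachable context, system_chkpwd_t, exactly the `id -Z` output from the first message; with strict handling the same input yields no context at all.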
* Re: trouble with ssh in today's rawhide + refpolicy
From: Christopher J. PeBenito @ 2007-10-23 13:39 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eamon Walsh, Daniel J Walsh, SELinux List
On Tue, 2007-10-23 at 09:23 -0400, Stephen Smalley wrote:
> On Tue, 2007-10-23 at 13:09 +0000, Christopher J. PeBenito wrote:
> > On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
> > > On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> > > mode, I get the following after rebooting the box and logging in over ssh:
> > >
> > > $ id -Z
> > > sysadm_u:sysadm_r:system_chkpwd_t:s0
> >
> > Do you have ssh_sysadm_login on? Also, it seems odd that this would
> > happen, since this combination doesn't show up in default_contexts, and
> > the only auto transition to system_chkpwd_t from sshd_t is via
> > chkpwd_exec_t.
>
> We've seen this kind of behavior before when the
> get_ordered_context_list() logic fails to get any contexts from
> security_compute_user() that correspond with any of the partial contexts
> in default_contexts - it then falls back to just returning the entire
> reachable list.
Ok. For some reason I always thought it would just fail if nothing
worked from default_contexts.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: trouble with ssh in today's rawhide + refpolicy
From: Daniel J Walsh @ 2007-10-23 13:52 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Stephen Smalley, Eamon Walsh, SELinux List
Christopher J. PeBenito wrote:
> On Tue, 2007-10-23 at 09:23 -0400, Stephen Smalley wrote:
>> On Tue, 2007-10-23 at 13:09 +0000, Christopher J. PeBenito wrote:
>>> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
>>>> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
>>>> mode, I get the following after rebooting the box and logging in over ssh:
>>>>
>>>> $ id -Z
>>>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>>> Do you have ssh_sysadm_login on? Also, it seems odd that this would
>>> happen, since this combination doesn't show up in default_contexts, and
>>> the only auto transition to system_chkpwd_t from sshd_t is via
>>> chkpwd_exec_t.
>> We've seen this kind of behavior before when the
>> get_ordered_context_list() logic fails to get any contexts from
>> security_compute_user() that correspond with any of the partial contexts
>> in default_contexts - it then falls back to just returning the entire
>> reachable list.
>
> Ok. For some reason I always thought it would just fail if nothing
> worked from default_contexts.
>
I think that is what should happen, but it does not.
* Re: trouble with ssh in today's rawhide + refpolicy
From: Eamon Walsh @ 2007-10-23 17:08 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Daniel J Walsh, SELinux List
Christopher J. PeBenito wrote:
> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
>> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
>> mode, I get the following after rebooting the box and logging in over ssh:
>>
>> $ id -Z
>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>
> Do you have ssh_sysadm_login on?
Nope, didn't have this set. That solves the problem, thanks.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
* Re: trouble with ssh in today's rawhide + refpolicy
From: Stephen Smalley @ 2007-10-23 17:18 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Christopher J. PeBenito, Eamon Walsh, SELinux List
On Tue, 2007-10-23 at 09:52 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2007-10-23 at 09:23 -0400, Stephen Smalley wrote:
> >> On Tue, 2007-10-23 at 13:09 +0000, Christopher J. PeBenito wrote:
> >>> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
> >>>> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
> >>>> mode, I get the following after rebooting the box and logging in over ssh:
> >>>>
> >>>> $ id -Z
> >>>> sysadm_u:sysadm_r:system_chkpwd_t:s0
> >>> Do you have ssh_sysadm_login on? Also, it seems odd that this would
> >>> happen, since this combination doesn't show up in default_contexts, and
> >>> the only auto transition to system_chkpwd_t from sshd_t is via
> >>> chkpwd_exec_t.
> >> We've seen this kind of behavior before when the
> >> get_ordered_context_list() logic fails to get any contexts from
> >> security_compute_user() that correspond with any of the partial contexts
> >> in default_contexts - it then falls back to just returning the entire
> >> reachable list.
> >
> > Ok. For some reason I always thought it would just fail if nothing
> > worked from default_contexts.
> >
> I think that is what should happen, but it does not.
Well, two observations:
- originally default_contexts was only supposed to specify defaults, not
everything, so the system was supposed to work even if it was empty (but
we have already migrated away from that to some degree),
- if we fail entirely in that case, then we'll fail even in permissive
mode, unless the caller is also checking for permissive mode and has
some fallback behavior in that case.
--
Stephen Smalley
National Security Agency
* Re: trouble with ssh in today's rawhide + refpolicy
From: Daniel J Walsh @ 2007-10-23 17:39 UTC (permalink / raw)
To: Eamon Walsh; +Cc: Christopher J. PeBenito, SELinux List
Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
>> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
>>> On a rawhide box updated this afternoon, running refpolicy trunk in
>>> mcs mode, I get the following after rebooting the box and logging in
>>> over ssh:
>>>
>>> $ id -Z
>>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>>
>> Do you have ssh_sysadm_login on?
>
> Nope, didn't have this set. That solves the problem, thanks.
>
>
You should never log in as root via ssh. :^)
I think you should fail to log in in enforcing mode and return anything
in permissive mode. Allowing the user to reach a shell as a random
context is dangerous. As system_chkpwd_t I can read the /etc/shadow
file. Although in reality I would figure the shell would not have
access to the tty.
* Re: trouble with ssh in today's rawhide + refpolicy
From: Eamon Walsh @ 2007-10-25 23:28 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Daniel J Walsh, SELinux List
Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
>> On Mon, 2007-10-22 at 17:26 -0400, Eamon Walsh wrote:
>>> On a rawhide box updated this afternoon, running refpolicy trunk in mcs
>>> mode, I get the following after rebooting the box and logging in over ssh:
>>>
>>> $ id -Z
>>> sysadm_u:sysadm_r:system_chkpwd_t:s0
>> Do you have ssh_sysadm_login on?
>
> Nope, didn't have this set. That solves the problem, thanks.
>
I observed the same erroneous type today when I logged into X without
xdm_sysadm_login set.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency