
Bug 225355

Summary: LSPP: Label translation not reversible, causing ssh login failure
Product: Red Hat Enterprise Linux 5
Reporter: Klaus Weidner <kweidner>
Component: mcstrans
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 5.0
CC: iboverma, linda.knippers, sgrubb
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-05 21:25:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Klaus Weidner 2007-01-30 02:46:43 UTC
Description of problem:

When using "ssh user/role/level@host" to log in at a specified level, this fails
when using level "s2:c0,c1". It works for "s3:c0,c1" and other levels.

The problem appears to be the translations done by mcstransd. This is in the
/etc/selinux/mls/setrans.conf file:

        # Secret level with compartments
        s2=Secret
        s2:c0=A
        s2:c1=B

Commenting out these entries makes login work again.

Failed login audit log:

type=USER_ROLE_CHANGE msg=audit(1170092360.977:951): user pid=2498 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd:
default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023
selected-context=staff_u:staff_r:staff_t:Secret:A,B: exe="/usr/sbin/sshd"
(hostname=?, addr=?, terminal=? res=failed)'

Successful login (translation commented out):

type=USER_ROLE_CHANGE msg=audit(1170092403.742:991): user pid=2553 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd:
default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023
selected-context=staff_u:staff_r:staff_t:s2:c0,c1: exe="/usr/sbin/sshd"
(hostname=?, addr=?, terminal=? res=success)'

Is "Secret:A,B" correct syntax?

Version-Release number of selected component (if applicable):

RHEL5 snapshot7
mcstrans-0.1.10-1.el5
openssh-4.3p2-16.el5
selinux-policy-mls-2.4.6-28.el5
libselinux-1.33.4-2.el5
libsepol-1.15.2-1.el5

How reproducible:

Fails: ssh username/staff_r/s2:c0,c1@localhost
Works: ssh username/staff_r/s3:c0,c1@localhost
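
The translation round trip the report describes, as an added example (this is not mcstrans code and not the fix applied in the duplicate bug): a small Python model that parses the quoted setrans.conf entries, applies per-component forward translation, and then tries to map the human-readable label back to its raw form. The forward step (translate the sensitivity and each category independently, then rejoin with ':' and ',') is an assumed simplification of mcstransd chosen because it reproduces the "Secret:A,B" string from the failed-login audit record; the reverse step (exact lookup in the inverted table, with untranslated raw-looking labels passed through) is likewise an assumption, as is the limited label syntax accepted. The helper names `parse_setrans`, `translate`, `untranslate`, `check_round_trip` and `find_irreversible` are hypothetical; the last two are the kind of validation an administrator would run over a candidate setrans.conf before relying on mcstransd for logins at a given level.

```python
import re

# Constructed excerpt reproducing the /etc/selinux/mls/setrans.conf lines quoted
# in the bug report.
SETRANS_CONF = """\
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
"""

# Simplified raw-label syntax used by this model (assumption): a sensitivity
# 'sN' optionally followed by ':' and a comma-separated category list.
RAW_LABEL = re.compile(r"s\d+(:c\d+(,c\d+)*)?")


def parse_setrans(text):
    """Return {raw_label: translated} from setrans.conf-style 'raw=translated' lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw, _, translated = line.partition("=")
        table[raw.strip()] = translated.strip()
    return table


def translate(raw, table):
    """Forward translation of a raw MLS label such as 's2:c0,c1'.

    Assumed model of mcstransd, not its actual algorithm: the sensitivity and
    each category are translated independently and the parts are rejoined.
    With the entries above this yields 'Secret:A,B', the string seen in the
    failed-login audit record. Components with no entry pass through unchanged.
    """
    sens, _, cats = raw.partition(":")
    level_name = table.get(sens, sens)
    if not cats:
        return level_name
    cat_names = [table.get(f"{sens}:{c}", c) for c in cats.split(",")]
    return f"{level_name}:{','.join(cat_names)}"


def untranslate(translated, table):
    """Reverse translation by exact lookup in the inverted table (assumption).

    Returns None when no raw label maps to the given human-readable string,
    which is the failure mode the bug report describes. A string that already
    looks like a raw label (e.g. 's3:c0,c1', which has no entries) is returned
    as-is, matching the successful login at s3.
    """
    inverted = {v: k for k, v in table.items()}
    if translated in inverted:
        return inverted[translated]
    if RAW_LABEL.fullmatch(translated):
        return translated
    return None


def check_round_trip(raw, table):
    """Return (translated, recovered, ok): ok is True when the label survives
    translation followed by reverse translation unchanged."""
    translated = translate(raw, table)
    recovered = untranslate(translated, table)
    return translated, recovered, recovered == raw


def find_irreversible(raw_labels, table):
    """Labels whose translated form cannot be mapped back to the original.

    Any label listed here would fail at login the way s2:c0,c1 does in the
    report, so this is the check to run before enabling a new setrans.conf.
    """
    return [raw for raw in raw_labels if not check_round_trip(raw, table)[2]]


if __name__ == "__main__":
    table = parse_setrans(SETRANS_CONF)
    for raw in ("s2:c0,c1", "s3:c0,c1"):
        print(raw, "->", check_round_trip(raw, table))
    print("irreversible:", find_irreversible(["s2:c0,c1", "s3:c0,c1"], table))
```

Running the module reports that `s2:c0,c1` translates to `Secret:A,B` but cannot be mapped back, while `s3:c0,c1` passes through unchanged in both directions, which is the same split between the two audit records quoted above. Commenting out the three `s2` entries, as the reporter did, empties the table and makes every label round-trip.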

Comment 1 Daniel Walsh 2007-02-05 21:25:04 UTC

*** This bug has been marked as a duplicate of 224637 ***