Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 227733 - [LSPP] unable to ssh into a system as root/auditadm_r
Summary: [LSPP] unable to ssh into a system as root/auditadm_r
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssh
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
: 227770 (view as bug list)
Depends On:
Blocks: RHEL5LSPPCertTracker
TreeView+ depends on / blocked
 
Reported: 2007-02-07 20:48 UTC by Matt Anderson
Modified: 2007-11-30 22:07 UTC (History)
5 users (show)

Fixed In Version: RHSA-2007-0540
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 15:32:29 UTC
Target Upstream Version:


Attachments (Terms of Use)
Proposed patch by Dan Walsh (deleted)
2007-02-09 14:34 UTC, Tomas Mraz
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0540 normal SHIPPED_LIVE Moderate: openssh security and bug fix update 2007-11-07 16:19:19 UTC

Description Matt Anderson 2007-02-07 20:48:54 UTC
Description of problem:
With MLS policy it is not possible to ssh into a system as the auditadm_r role.

How reproducible:
Everytime.

Steps to Reproduce:
1. Install RHEL5rc1
2. Enable MLS policy
3. From a remote host run `ssh root/auditadm_r@$HOST`
  
Actual results:
The connection is not allowed

Expected results:
You should be able to connect into the sytem with the SELinux role of auditadm_r

Additional info:

Comment 1 Klaus Heinrich Kiwi 2007-02-07 23:23:30 UTC
Make sure you have 'PermitRootLogin yes' in the /etc/ssh/sshd_config if you want
to log in as root.

For the records: ssh <user>/secadm_r@<host> isn't working either. Dan said it
would be fixed in the next policy release.

Comment 2 Daniel Walsh 2007-02-08 18:49:46 UTC
Actually we found that it would be better to update openssh to make it work.

Comment 3 Tomas Mraz 2007-02-09 14:21:43 UTC
*** Bug 227770 has been marked as a duplicate of this bug. ***

Comment 4 Tomas Mraz 2007-02-09 14:34:36 UTC
Created attachment 147769 [details]
Proposed patch by Dan Walsh

Comment 5 Tomas Mraz 2007-02-09 21:32:25 UTC
Fixed + improved auditing of role changes in openssh-4.3p2-17.el5.


Comment 6 Klaus Heinrich Kiwi 2007-02-15 13:23:29 UTC
Built a package with the above patch and upgraded in a x86_64 box.. Logins as
secadm_r and auditadm_r are working fine.

The strange thing, though, is that on I can also log-in successfully in another
similar box in which the only difference (in terms of patchlevel/package
versions) is the patch above.

In both boxes I have:
[abat@zaphod ~]$ grep sshd_t /etc/selinux/mls/contexts/default_contexts
system_r:sshd_t:s0              user_r:user_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_t:s0
[abat@zaphod ~]$ 

And can't see also any difference in the way auditing works between the two
boxes (for both login acceptance and denial). On the other hand, it seems
acceptable the way it is now.

Wonder if this was fixed in a previous ssh release or even in another updated
package (maybe mcstrans and/or libselinux)


Comment 7 Klaus Heinrich Kiwi 2007-02-15 13:37:39 UTC
My bad.. just now I saw that I was applying this same patch to the (stock) -16
release while it has already been applied and released in Dan's people page as
release -17 (which I had blindly upgraded without checking the changelog)

It's working fine and generating the additional USER_ROLE_CHANGE when
successfully logging in with non-default role, while some more info is being
reported in the USER_ERR record when the role change is denied.

I think we may close this bug. Matt? 

Comment 13 errata-xmlrpc 2007-11-07 15:32:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0540.html



Note You need to log in before you can comment on or make changes to this bug.