[redhat-lspp] netlabelctl gets permission denied - possible role mixup

Stephen Smalley sds at tycho.nsa.gov
Wed Mar 21 11:26:49 UTC 2007


On Tue, 2007-03-20 at 17:27 -0500, Loulwa Salem wrote:
> Hi all,
> I am seeing a strange behavior on my system. I am running with the latest and 
> greatest kernel (.69) and packages freshly installed today from Steve's repo on 
> a ppc system in Enforcing mode of course.
> Note: The ssh_sysadm_login and allow_netlabel booleans are both on.
> 
> Steps to reproduce the problem:
> - ssh into system with your admin user as sysadm role
>      ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> - switch to root
>      /bin/su -
> - execute any netlabel command
>      netlabelctl cipsov4 add pass doi:1 tags:1
> 
> I am able to log in fine, and I expect the netlabel command to pass however I 
> get a permission denied. I am pasting at the bottom the relevant records I see 
> in the audit log (nothing shows up in /var/log/messages or secure). Any ideas?
> Joy and Kylie tried this and both saw the same behavior. Keep in mind this used 
> to work just fine before.
> What I find strange is the context it complains about has the role system_r and 
> not sysadm_r. Even in the records created by the ssh authentication, I see the 
> system_r, I'm not sure how that role is finding its way in there. The "id" 
> command however shows the correct sysadm_r.
> I'm not quite sure what package is the suspect.
> 
> I think this is a bug, if everyone agrees I'll open a bugzilla for it
> 
> Thanks,
> - Loulwa
> 
> Sample steps output:
> [root/abat_r/SystemLow /]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> Password:
> Last login: Tue Mar 20 12:31:23 2007 from localhost.localdomain
> [ealuser/sysadm_r/SystemLow ~]$ /bin/su -
> Password:
> [root/sysadm_r/SystemLow ~]# id
> uid=0(root) gid=0(root) 
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
> context=ealuser_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
> -bash: /sbin/netlabelctl: Permission denied
> 
> 
> ---- ssh records (records I see when I ssh into system):
> type=USER_AUTH msg=audit(1174412538.822:755): user pid=3051 uid=0 
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: 
> authentication acct=ealuser : exe="/usr/sbin/sshd" 
> (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
> type=USER_ACCT msg=audit(1174412538.864:756): user pid=3051 uid=0 
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: 
> accounting acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, 
> addr=127.0.0.1, terminal=ssh res=success)'
> type=AVC msg=audit(1174412539.043:757): avc:  granted  { setexec } for  pid=3047 
> comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 
> tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> 
> ---- netlabel related records (the only 2 records I see when I get perm denied)
> type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid:  invalid 
> context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for 
> scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 
> tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11 success=no 
> exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0 ppid=3090 pid=3123 
> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 
> comm="bash" exe="/bin/bash" subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 
> key=(null)

The security_compute_sid error above indicates that there is a
role_transition defined in policy from sysadm_r to system_r upon
executing netlabel_mgmt_exec_t as well as a type transition from
sysadm_t to netlabel_mgmt_t.  Likely netlabel_mgmt is incorrectly using
an interface in policy that adds such a role transition or some tunable
is set incorrectly.

-- 
Stephen Smalley
National Security Agency
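As an added illustration (not part of the thread), a small Python model of the context computation Stephen describes: it parses the SELINUX_ERR record quoted above, applies a hypothetical type_transition plus the suspected role_transition, and checks the result the way the kernel rejects it, then repeats the computation with the role_transition removed. The policy fragments, the user/role authorizations and the check order are assumptions; the MLS range check is omitted.

```python
import re
from dataclasses import dataclass

# Constructed copy of the SELINUX_ERR record quoted in the report above.
AUDIT_LINE = ("type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid:  invalid "
              "context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for "
              "scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
              "tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process")

def parse_selinux_err(line):
    """Pull the rejected context and the source/target contexts out of a SELINUX_ERR record."""
    m = re.search(r"invalid\s+context\s+(\S+)\s+for\s+scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)", line)
    return None if not m else dict(zip(("invalid", "scontext", "tcontext", "tclass"), m.groups()))

def split_ctx(ctx):
    # user:role:type:range; the MLS range itself contains ':' so split at most 3 times.
    return tuple(ctx.split(":", 3))

@dataclass
class Policy:
    # Hypothetical rule fragments inferred from the error, not the real refpolicy/LSPP rules.
    type_transition: dict  # (source type, exec type) -> new domain
    role_transition: dict  # (source role, exec type) -> new role
    user_roles: dict       # user -> roles that user is authorized for
    role_types: dict       # role -> domains that role is authorized for

def compute_sid(policy, scontext, tcontext):
    """Simplified security_compute_sid for tclass=process: apply transitions, then validate."""
    su, sr, st, smls = split_ctx(scontext)
    tt = split_ctx(tcontext)[2]
    new_type = policy.type_transition.get((st, tt), st)   # type_transition rule, else inherit
    new_role = policy.role_transition.get((sr, tt), sr)   # role_transition rule, else inherit
    new_ctx = f"{su}:{new_role}:{new_type}:{smls}"
    if new_role not in policy.user_roles.get(su, set()):
        return new_ctx, False, f"user {su} is not authorized for role {new_role}"
    if new_type not in policy.role_types.get(new_role, set()):
        return new_ctx, False, f"role {new_role} is not authorized for type {new_type}"
    return new_ctx, True, "valid"

def reproduce():
    """Return (result with the stray role_transition, result without it)."""
    rec = parse_selinux_err(AUDIT_LINE)
    base = dict(type_transition={("sysadm_t", "netlabel_mgmt_exec_t"): "netlabel_mgmt_t"},
                user_roles={"ealuser_u": {"sysadm_r"}, "system_u": {"system_r"}},
                role_types={"sysadm_r": {"sysadm_t", "netlabel_mgmt_t"},
                            "system_r": {"sshd_t", "netlabel_mgmt_t"}})
    broken = Policy(role_transition={("sysadm_r", "netlabel_mgmt_exec_t"): "system_r"}, **base)
    fixed = Policy(role_transition={}, **base)
    return (compute_sid(broken, rec["scontext"], rec["tcontext"]),
            compute_sid(fixed, rec["scontext"], rec["tcontext"]))
```

With the role_transition in place the model produces exactly the context the audit record rejects; without it the new domain stays under sysadm_r and validates.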
