[redhat-lspp] netlabelctl gets permission denied - possible role mixup
Stephen Smalley
sds at tycho.nsa.gov
Wed Mar 21 11:26:49 UTC 2007
On Tue, 2007-03-20 at 17:27 -0500, Loulwa Salem wrote:
> Hi all,
> I am seeing a strange behavior on my system. I am running with the latest and
> greatest kernel (.69) and packages freshly installed today from Steve's repo on
> a ppc system in Enforcing mode of course.
> Note: The ssh_sysadm_login and allow_netlabel booleans are both on.
>
> Steps to reproduce the problem:
> - ssh into system with your admin user as sysadm role
> ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> - switch to root
> /bin/su -
> - execute any netlabel command
> netlabelctl cipsov4 add pass doi:1 tags:1
>
> I am able to log in fine, and I expect the netlabel command to pass; however, I
> get a permission denied. I am pasting at the bottom the relevant records I see
> in the audit log (nothing shows up in /var/log/messages or secure). Any ideas?
> Joy and Kylie tried this and both saw the same behavior. Keep in mind this used
> to work just fine before.
> What I find strange is the context it complains about has the role system_r and
> not sysadm_r. Even in the records created by the ssh authentication, I see the
> system_r, I'm not sure how that role is finding its way in there. The "id"
> command however shows the correct sysadm_r.
> I'm not quite sure what package is the suspect.
>
> I think this is a bug, if everyone agrees I'll open a bugzilla for it
>
> Thanks,
> - Loulwa
>
> Sample steps output:
> [root/abat_r/SystemLow /]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> Password:
> Last login: Tue Mar 20 12:31:23 2007 from localhost.localdomain
> [ealuser/sysadm_r/SystemLow ~]$ /bin/su -
> Password:
> [root/sysadm_r/SystemLow ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=ealuser_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
> -bash: /sbin/netlabelctl: Permission denied
>
>
> ---- ssh records (records I see when I ssh into system):
> type=USER_AUTH msg=audit(1174412538.822:755): user pid=3051 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
> authentication acct=ealuser : exe="/usr/sbin/sshd"
> (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
> type=USER_ACCT msg=audit(1174412538.864:756): user pid=3051 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
> accounting acct=ealuser : exe="/usr/sbin/sshd" (hostname=localhost.localdomain,
> addr=127.0.0.1, terminal=ssh res=success)'
> type=AVC msg=audit(1174412539.043:757): avc: granted { setexec } for pid=3047
> comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
>
> ---- netlabel related records (the only 2 records I see when I get perm denied)
> type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid: invalid
> context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for
> scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11 success=no
> exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0 ppid=3090 pid=3123
> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
> comm="bash" exe="/bin/bash" subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
> key=(null)
The security_compute_sid error above indicates that there is a
role_transition defined in policy from sysadm_r to system_r upon
executing netlabel_mgmt_exec_t as well as a type transition from
sysadm_t to netlabel_mgmt_t. Likely netlabel_mgmt is incorrectly using
an interface in policy that adds such a role transition or some tunable
is set incorrectly.
--
Stephen Smalley
National Security Agency
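An added example, not part of the thread: a small Python parser that decomposes the security_compute_sid record quoted above into its three contexts and reports which components differ between the source context and the computed (invalid) one, which is how the role_transition and type_transition Stephen points to can be read directly off the record. The record string is copied from the thread and joined onto one line.

```python
import re

# The SELINUX_ERR record from the thread, joined onto a single line.
RECORD = (
    "type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid: "
    "invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for "
    "scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process"
)

FIELDS = ("user", "role", "type", "range")

_ERR_RE = re.compile(
    r"security_compute_sid: invalid context (\S+) for "
    r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)"
)


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) == 3:          # non-MLS context, no range component
        parts.append("")
    return dict(zip(FIELDS, parts))


def parse_compute_sid_error(record):
    """Return the new (rejected), source and target contexts, or None."""
    m = _ERR_RE.search(record)
    if not m:
        return None
    new, src, tgt, tclass = m.groups()
    return {"new": split_context(new), "src": split_context(src),
            "tgt": split_context(tgt), "tclass": tclass}


def diagnose(parsed):
    """Name the transitions the kernel computed by diffing src against new.

    The record shows what was computed, not which validity check rejected
    it; the usual candidates are the role not being authorized for the new
    type, or the user not being authorized for the new role.
    """
    src, new, tgt = parsed["src"], parsed["new"], parsed["tgt"]
    changes = {f: (src[f], new[f]) for f in FIELDS if src[f] != new[f]}
    findings = []
    if "type" in changes:
        findings.append(f"type_transition {src['type']} -> {new['type']} on exec of {tgt['type']}")
    if "role" in changes:
        findings.append(f"role_transition {src['role']} -> {new['role']} on exec of {tgt['type']}")
    return changes, findings
```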