Access to /root/.hosts (http://www.linux-archive.org/fedora-selinux-support/365009-access-root-hosts.html)

"Göran Uddeborg" 05-02-2010 06:13 PM

Access to /root/.hosts
 
I tried to set up root ssh access between a couple of (carefully
selected) hosts. For root the standard /etc/hosts.equiv and
/etc/ssh/shosts.equiv aren't recognized, so I created a /root/.shosts.

But it turns out that sshd isn't allowed to read this file. The
complete AVCs are below. Is this an intentional restriction, i.e. that
host-based root access via ssh is not allowed in the standard policy?
Or is it a bug I could report in bugzilla?

time->Sun May 2 19:57:09 2010
type=SYSCALL msg=audit(1272823029.521:20484): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fb22cb0 a1=7fff2fb22c20 a2=7fff2fb22c20 a3=fffffff9 items=0 ppid=2920 pid=2922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272823029.521:20484): avc: denied { getattr } for pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
time->Sun May 2 19:57:09 2010
type=SYSCALL msg=audit(1272823029.533:20485): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fb22cb0 a1=7fff2fb22c20 a2=7fff2fb22c20 a3=fffffff9 items=0 ppid=2920 pid=2922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272823029.533:20485): avc: denied { getattr } for pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
time->Sun May 2 19:57:09 2010
type=SYSCALL msg=audit(1272823029.536:20487): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fb22cb0 a1=7fff2fb22c20 a2=7fff2fb22c20 a3=fffffff9 items=0 ppid=2920 pid=2922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272823029.536:20487): avc: denied { getattr } for pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
time->Sun May 2 19:57:09 2010
type=SYSCALL msg=audit(1272823029.539:20488): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fb22cb0 a1=7fff2fb22c20 a2=7fff2fb22c20 a3=fffffff9 items=0 ppid=2920 pid=2922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272823029.539:20488): avc: denied { getattr } for pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Paul Howarth 05-03-2010 12:25 PM

Access to /root/.hosts
 
On Sun, 2 May 2010 20:13:22 +0200
"Göran Uddeborg" <goeran@uddeborg.se> wrote:

> I tried to set up root ssh access between a couple of (carefully
> selected) hosts. For root the standard /etc/hosts.equiv and
> /etc/ssh/shosts.equiv aren't recognized, so I created a /root/.shosts.
>
> But it turns out that sshd isn't allowed to read this file. The
> complete AVCs are below. Is this an intentional restriction, i.e. that
> host-based root access via ssh is not allowed in the standard policy?
> Or is it a bug I could report in bugzilla?

Try labelling /root/.shosts as home_ssh_t and see if that helps.

Cheers, Paul.

Daniel J Walsh 05-03-2010 01:06 PM

Access to /root/.hosts
 

On 05/02/2010 02:13 PM, Göran Uddeborg wrote:
> I tried to set up root ssh access between a couple of (carefully
> selected) hosts. For root the standard /etc/hosts.equiv and
> /etc/ssh/shosts.equiv aren't recognized, so I created a /root/.shosts.
>
> But it turns out that sshd isn't allowed to read this file. The
> complete AVCs are below. Is this an intentional restriction, i.e. that
> host-based root access via ssh is not allowed in the standard policy?
> Or is it a bug I could report in bugzilla?

I did not even know this file exists.

chcon -t home_ssh_t /root/.shosts

Should fix the problem. I will add this as default labeling in F13 and F12.
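The two things a practitioner wants from this thread in runnable form are a way to summarise the audit records so the denied permission and the two type labels (sshd_t reading admin_home_t) stand out, and the relabel Paul and Dan suggest in both its one-off and its persistent form. The script below is an added example written for this page; it is not code from the thread or from the Fedora policy. The first two sample records are the getattr denials Göran posted; the third ("read") is constructed here to show that the summary groups records by permission. The fix function assumes an SELinux host with root privileges and with the semanage tool installed, and is only run when the script is invoked with --fix.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise SELinux AVC denials from
# audit output and apply the /root/.shosts labelling fix the thread arrives at.

# Constructed sample input: the first two records are the getattr denials
# posted in the thread; the third ("read") is constructed here to show that
# the summary groups records by permission.
SAMPLE_AVCS='type=AVC msg=audit(1272823029.521:20484): avc: denied { getattr } for pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1272823029.533:20485): avc: denied { getattr } for pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1272823029.540:20489): avc: denied { read } for pid=2922 comm="sshd" path="/root/.shosts" dev=sda2 ino=7031802 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file'

# avc_summary: read audit records on stdin, print one line per distinct
# (permission, comm, path, source type, target type, class) with its count.
# Only the type component of each context is kept, since that is what a
# policy rule or a relabel acts on.
avc_summary() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perm = ""; comm = ""; path = ""; stype = ""; ttype = ""; tclass = ""
        # the permission set sits between "denied { " and " }"
        p = index($0, "denied { ")
        if (p) {
            rest = substr($0, p + 9)
            perm = substr(rest, 1, index(rest, " }") - 1)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")
                comm = kv[2]
            else if (kv[1] == "path")
                path = kv[2]
            else if (kv[1] == "scontext")
                stype = kv[2]
            else if (kv[1] == "tcontext")
                ttype = kv[2]
            else if (kv[1] == "tclass")
                tclass = kv[2]
        }
        gsub(/"/, "", comm); gsub(/"/, "", path)
        split(stype, s, ":"); stype = s[3]   # user:role:type[:range] -> type
        split(ttype, t, ":"); ttype = t[3]
        count[perm " " comm " " path " " stype " " ttype " " tclass]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# fix_shosts_label: the relabel from the thread, plus the persistent form.
# chcon alone is lost on the next restorecon/relabel of /root; recording a
# file context with semanage (assumption: semanage is installed) makes
# restorecon re-apply home_ssh_t. Needs root on an SELinux host, so it is
# only run when the script is called with --fix.
fix_shosts_label() {
    chcon -t home_ssh_t /root/.shosts
    semanage fcontext -a -t home_ssh_t '/root/\.shosts'
    restorecon -v /root/.shosts
}

# Print the summary for the sample input; pass --fix to relabel the file.
printf '%s\n' "$SAMPLE_AVCS" | avc_summary
if [ "${1:-}" = "--fix" ]; then
    fix_shosts_label
fi
```

On a live system the same summary can be produced from the audit log with `ausearch -m avc | avc_summary` after sourcing the script; a line of the form `N getattr sshd /root/.shosts sshd_t admin_home_t file` is exactly the case this thread describes, and `ls -Z /root/.shosts` showing home_ssh_t after the fix confirms the relabel took effect.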

"Göran Uddeborg" 05-03-2010 02:45 PM

Access to /root/.hosts
 
Paul Howarth:
> Try labelling /root/.shosts as home_ssh_t and see if that helps.

It does indeed.

Daniel Walsh:
> I will add this as default labeling in F13 and F12.

I take it that it wasn't intended, but there is no need for me to file
a bugzilla. :-)

Daniel J Walsh 05-03-2010 03:15 PM

Access to /root/.hosts
 

On 05/03/2010 10:45 AM, Göran Uddeborg wrote:
> Paul Howarth:
>> Try labelling /root/.shosts as home_ssh_t and see if that helps.
>
> It does indeed.
>
> Daniel Walsh:
>> I will add this as default labeling in F13 and F12.
>
> I take it that it wasn't intended, but there is no need for me to file
> a bugzilla. :-)
Yes no need.

