Bug 191665 - openssh-4.7_p1 and 4.7_p1-r1 break selinux role assignment
Summary: openssh-4.7_p1 and 4.7_p1-r1 break selinux role assignment
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High major
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-08 08:31 UTC by Arthur Hagen
Modified: 2009-04-01 05:03 UTC
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Arthur Hagen 2007-09-08 08:31:29 UTC
After upgrading to openssh-4.7, login user/role assignment in selinux no longer works, and non-root users registered with other selinux user mappings get mapped to the default selinux user/role (normally user_u).

Reproducible: Always

Steps to Reproduce:
tree ~ # id -Z
root:sysadm_r:sysadm_t
tree ~ # rlpkg -a
[...]
tree ~ # sestatus -v | egrep '(login|ssh|newrole)'
/bin/login                      system_u:object_r:login_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
tree ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        strict
tree ~ # semanage login -a -s staff_u arth
tree ~ # semanage login -l

Login Name                SELinux User

__default__               user_u
arth                      staff_u
root                      root
tree ~ # semanage user -l
SELinux User    SELinux Roles

root            sysadm_r staff_r
staff_u         sysadm_r staff_r
sysadm_u        sysadm_r
system_u        system_r
user_u          user_r
tree ~ # ssh arth@localhost
Password:
Last login: Sat Sep  8 04:20:31 2007 from localhost
arth@tree ~ $ 

Actual Results:  
arth@tree ~ $ id -Z
user_u:user_r:user_t
arth@tree ~ $ newrole -r sysadm_r
user_u:sysadm_r:sysadm_t is not a valid context


Expected Results:  
arth@tree ~ $ id -Z
staff_u:staff_r:staff_t
arth@tree ~ $ newrole -r sysadm_r
Authenticating arth
Password:
arth@tree ~ id -Z
staff_u:sysadm_r:sysadm_t


If downgrading to net-misc/openssh-4.6_p1-r3 and restarting sshd, problem disappears.

Due to how selinux prevents privilege escalation, this problem means that users without a console or other physical access to a box might be locked out from using root, and thus from correcting the problem.
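The symptom above is that the SELinux user in the session context no longer matches the `semanage login` mapping. The following POSIX shell check is an added example, not part of the bug report: it parses a `semanage login -l` table (the sample table is constructed from the listing in the report) and compares the mapped SELinux user with the first field of an `id -Z` context, so an administrator can confirm after an sshd upgrade that logins are still mapped correctly before relying on `newrole`. The function names `expected_seuser`, `session_seuser` and `check_mapping` are this example's own.

```shell
#!/bin/sh
# Added check: verify that the SELinux user of a login session matches the
# user that `semanage login -l` maps for that account.
# The table below is a constructed sample matching the report's listing.

SEMANAGE_LOGIN_SAMPLE='Login Name                SELinux User

__default__               user_u
arth                      staff_u
root                      root'

# expected_seuser <login> [table]: print the SELinux user mapped to <login>,
# falling back to the __default__ entry when the account has no explicit row.
# Rows with three columns (an MLS/MCS range column) are handled as well.
expected_seuser() {
    login="$1"
    table="${2:-$SEMANAGE_LOGIN_SAMPLE}"
    found=$(printf '%s\n' "$table" | awk -v l="$login" '
        NR > 1 && NF >= 2 && $1 == l { print $2; exit }')
    if [ -z "$found" ]; then
        found=$(printf '%s\n' "$table" | awk '
            NR > 1 && NF >= 2 && $1 == "__default__" { print $2; exit }')
    fi
    printf '%s\n' "$found"
}

# session_seuser <context>: the SELinux user part of an `id -Z` context,
# e.g. staff_u for staff_u:staff_r:staff_t.
session_seuser() {
    printf '%s\n' "$1" | cut -d: -f1
}

# check_mapping <login> <id -Z context> [table]: return 0 when the session's
# SELinux user equals the configured mapping, 1 when the mapping was ignored
# (the failure mode described in this bug).
check_mapping() {
    want=$(expected_seuser "$1" "${3:-$SEMANAGE_LOGIN_SAMPLE}")
    got=$(session_seuser "$2")
    if [ "$want" = "$got" ]; then
        echo "OK: $1 -> $got"
        return 0
    fi
    echo "MISMATCH: $1 is mapped to $want but the session runs as $got" >&2
    return 1
}

# Live use on a host, run from the freshly opened ssh session:
#   check_mapping "$(id -un)" "$(id -Z)" "$(semanage login -l)"
```

Run from inside the ssh session rather than from a console login, since the report shows the two paths diverging; a mismatch on the sample data reproduces the "Actual Results" case (arth mapped to staff_u but running as user_u).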
Comment 1 Xake 2008-01-26 10:07:00 UTC
This is only a problem for the strict profile, right?
With targeted there is no need to change user role, or have I misunderstood something?
Comment 2 gentoo 2008-02-08 13:15:37 UTC
Any progress? I'd like to fix it because of
 GLSA 200711-02: Synopsis: A flaw has been discovered in OpenSSH which could allow a local attacker to bypass security restrictions. 
 Announced on: November 01, 2007
 Vulnerable:        <4.7
 Unaffected:        >=4.7
Comment 3 Michal Brngal 2008-02-17 10:43:23 UTC
I've tried openssh-4.7_p1-r4, and openssh still breaks selinux role assignment :-(
Comment 4 GNUtoo 2008-03-30 01:05:23 UTC
That is very problematic because of the new security bug in openssh:
http://bugs.gentoo.org/show_bug.cgi?id=214985
Comment 5 Arthur Hagen 2008-03-30 12:43:18 UTC
Xake:  It is a problem with targeted too.  (Targeted only limits selinux to certain packages -- you still use roles for THOSE packages).

Yes, this is becoming unbearable.  Almost seven months now, and no indication that this is even looked at.  selinux users still have to mask all newer openssh versions and use an old version (4.6p1) with known vulnerabilities.
Comment 6 Chris PeBenito (RETIRED) gentoo-dev 2008-04-01 15:41:05 UTC
fixed in -r5