After upgrading to openssh-4.7, login user/role assignment in selinux no longer works, and non-root users registered with other selinux user mappings get mapped to the default selinux user/role (normally user_u).

Reproducible: Always

Steps to Reproduce:

tree ~ # id -Z
root:sysadm_r:sysadm_t
tree ~ # rlpkg -a
[...]
tree ~ # sestatus -v | egrep '(login|ssh|newrole)'
/bin/login                      system_u:object_r:login_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
tree ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        strict
tree ~ # semanage login -a -s staff_u arth
tree ~ # semanage login -l

Login Name                SELinux User

__default__               user_u
arth                      staff_u
root                      root
tree ~ # semanage user -l

SELinux User              SELinux Roles

root                      sysadm_r staff_r
staff_u                   sysadm_r staff_r
sysadm_u                  sysadm_r
system_u                  system_r
user_u                    user_r
tree ~ # ssh arth@localhost
Password:
Last login: Sat Sep  8 04:20:31 2007 from localhost
arth@tree ~ $

Actual Results:

arth@tree ~ $ id -Z
user_u:user_r:user_t
arth@tree ~ $ newrole -r sysadm_r
user_u:sysadm_r:sysadm_t is not a valid context

Expected Results:

arth@tree ~ $ id -Z
staff_u:staff_r:staff_t
arth@tree ~ $ newrole -r sysadm_r
Authenticating arth
Password:
arth@tree ~ $ id -Z
staff_u:sysadm_r:sysadm_t

If downgrading to net-misc/openssh-4.6_p1-r3 and restarting sshd, the problem disappears.

Due to how selinux prevents privilege escalation, this problem means that users without a console or other physical access to a box might be locked out from using root, and thus from correcting the problem.
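As an added illustration of the check the report walks through by hand, and not code from the bug report, from OpenSSH or from Gentoo: a small POSIX sh script that parses a `semanage login -l` listing (here a constructed sample copied from the listing above) and compares the SELinux user in an `id -Z` context against the mapping, falling back to the `__default__` entry the way the login mapping itself does. The function names and the embedded sample listing are this example's own assumptions; on a live box the same functions would be fed `$(semanage login -l)` and the `$(id -Z)` captured inside the ssh session.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output, modelled on the report's listing.
SEMANAGE_LOGIN_SAMPLE='Login Name                SELinux User
__default__               user_u
arth                      staff_u
root                      root'

# expected_seuser LOGIN LISTING
# Prints the SELinux user LISTING maps LOGIN to; unmapped logins fall back
# to the __default__ entry, which is what a correct login path should apply.
expected_seuser() {
  lname=$1
  listing=$2
  found=$(printf '%s\n' "$listing" | awk -v l="$lname" 'NR > 1 && $1 == l { print $2; exit }')
  if [ -z "$found" ]; then
    found=$(printf '%s\n' "$listing" | awk '$1 == "__default__" { print $2; exit }')
  fi
  printf '%s\n' "$found"
}

# seuser_of_context CONTEXT
# Extracts the SELinux user from a user:role:type[:level] context string.
seuser_of_context() {
  printf '%s\n' "$1" | cut -d: -f1
}

# check_mapping LOGIN CONTEXT LISTING
# Compares the SELinux user in CONTEXT with the one LISTING maps LOGIN to.
# Returns 0 on a match, 1 on a mismatch, and prints a one-line verdict.
check_mapping() {
  lname=$1
  ctx=$2
  listing=$3
  want=$(expected_seuser "$lname" "$listing")
  got=$(seuser_of_context "$ctx")
  if [ "$want" = "$got" ]; then
    printf 'OK: %s is mapped to %s\n' "$lname" "$got"
    return 0
  fi
  printf 'MISMATCH: %s expected %s, got %s (context %s)\n' "$lname" "$want" "$got" "$ctx"
  return 1
}

# Demo with the contexts quoted in the report: the actual result under
# openssh-4.7 (a mismatch) and the expected result (a match).
check_mapping arth user_u:user_r:user_t "$SEMANAGE_LOGIN_SAMPLE" || :
check_mapping arth staff_u:staff_r:staff_t "$SEMANAGE_LOGIN_SAMPLE"
```

The comparison is deliberately on the SELinux user only, not the role: the report's failure mode is that the user component is wrong (user_u instead of staff_u), and once that is wrong every role the mapping should have offered (sysadm_r via newrole) is unreachable, which is exactly the lock-out the reporter describes.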
This is only a problem for the strict profile, right? With targeted there is no need to change user role, or have I misunderstood something?
Any progress? I'd like to fix it because of GLSA 200711-02:

Synopsis: A flaw has been discovered in OpenSSH which could allow a local attacker to bypass security restrictions.
Announced on: November 01, 2007
Vulnerable: <4.7
Unaffected: >=4.7
I've tried openssh-4.7_p1-r4, and openssh still breaks selinux role assignment :-(
That is very problematic because of the new security bug in openssh: http://bugs.gentoo.org/show_bug.cgi?id=214985
Xake: It is a problem with targeted too. (Targeted only limits selinux to certain packages -- you still use roles for THOSE packages). Yes, this is becoming unbearable. Almost seven months now, and no indication that this is even looked at. selinux users still have to mask all newer openssh versions and use an old version (4.6p1) with known vulnerabilities.
fixed in -r5