35680 – sshd cannot execute sftp-server on SElinux system

Bug 35680 - sshd cannot execute sftp-server on SElinux system

Summary: sshd cannot execute sftp-server on SElinux system

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Core system (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Chris PeBenito (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2003-12-12 13:19 UTC by Tad Glines
Modified:	2003-12-21 21:31 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
ssh.fc diff (ssh.fc.diff,351 bytes, patch) 2003-12-12 13:20 UTC, Tad Glines	Details \| Diff
ssh.te diff (ssh.te.diff,849 bytes, patch) 2003-12-12 13:21 UTC, Tad Glines	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tad Glines 2003-12-12 13:19:38 UTC

When trying to access a SElinux system with sftp it fails.
A look at the logs show that sshd is not allowed to getattr for /usr/lib/misc/sftp-server.

I have included patches to ssh.fc and ssh.te that fix this problem. I label sftp-server with sftp_exec_t and grant only those permissions needed in order to execute it. I've tested it and it seems to work fine.

Reproducible: Always
Steps to Reproduce:
1. try and sftp into a SElinux system. "sftp localhost" on an SElinux system will also exibit the same behavior.

Comment 1 Tad Glines 2003-12-12 13:20:27 UTC

Created attachment 22099 [details, diff]
ssh.fc diff

Comment 2 Tad Glines 2003-12-12 13:21:03 UTC

Created attachment 22100 [details, diff]
ssh.te diff

Comment 3 Chris PeBenito (RETIRED) gentoo-dev

2003-12-21 21:31:37 UTC

Fixed in policy cvs, however sftp-server is labeled as bin_t, plus the getattr on bin_t for sshd_t.