selinux adventures/troubles

Stephen Smalley sds at tycho.nsa.gov
Wed Jan 7 20:41:55 UTC 2009 

On Wed, 2009-01-07 at 15:19 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Michal Jaegermann wrote:
> > On Sun, Jan 04, 2009 at 02:29:44PM -0500, Daniel J Walsh wrote:
> >> If you execute service sshd restart from the unconfined_t user does it
> >> still start as system_crond_t?
> > 
> > # /etc/init.d/sshd restart
> > Stopping sshd:                                             [  OK  ]
> > Starting sshd:                                             [  OK  ]
> > # ps -eZ | grep ssh
> > system_u:system_r:system_crond_t:s0 23026 ?    00:00:00 sshd
> > system_u:system_r:system_crond_t:s0 23074 ?    00:00:00 sshd
> > 
> > and the same after logging out and loging back in.
> > 
> > /usr/sbin/sshd has system_u:object_r:sshd_exec_t:s0 for its label.
> > 
> >> I actually just upgraded my Fathers machine from F8 to F10 and had a
> >> problem with the root account not being setup to login correctly.  But I
> >> saw no problems with sshd?
> > 
> > Other problems may show up yet.  I do not know.
> > 
> > I do not think that this happens consistently across installations
> > and so far I do not see any rhyme or reason.  On another box you may
> > not even notice that something is amiss.  It is not hard to imagine
> > that you _think_ that you have a selinux protection after an upgrade
> > while in reality everything is totally out-of-whack.
> > 
> > The other machine which went through F8->F10 upgrade, and which I
> > was using for comparisons, does not give me any grief but I am not
> > sure if it really looks like it should.
> > 
> >    Michal
> > 
> Adding Steven Smalley for a fresh set of eyes.

An earlier posting showed that his shell was running in system_crond_t,
so it isn't surprising then that restarting sshd from that shell would
leave it in system_crond_t (domain transitions are defined on the caller
domain and the executable type, and there isn't any such transition
defined from system cron jobs on executing sshd).

Then any subsequent login attempt via ssh would be similarly botched,
because sshd is running in system_crond_t, and thus the starting domain
isn't what the system expects and when we ask the system what user
contexts are reachable from that starting domain, it gets rather
puzzled.

Reboot the system, then login and look at pstree -Z output.

As to the original cause, I assume that this is due to:
1) The rather major changes that took place in the policy across these
versions (in particular the merging of targeted and strict policies and
the change to using unconfined_u and unconfined_r for unconfined
processes), and
2) The (mis)use of semanage by the selinux-policy package to manage the
seuser definitions rather than shipping one in the base policy package
as originally intended and only using semanage for local customizations,
thereby breaking the ability to cleanly upgrade (or at least making it
rather fragile).

-- 
Stephen Smalley
National Security Agency

More information about the fedora-test-list mailing list