[DSE-Dev] Bug#690087: selinux-policy-default: sshd shell transitions are always denied

Paul Donohue DebianBugs at Linux.TopQuark.net
Tue Apr 23 12:49:52 UTC 2013


To work around this issue without patching and recompiling the policy:

cd /etc/selinux/ ; mkdir -p fixes ; cd fixes/

Create ssh_cat_fix.te
  module ssh_cat_fix 1.0;
  require {
    type sshd_t;
  }
  # mcssetcats is the attribute the mcs constraint exempts, so sshd_t may
  # transition to a context that carries categories it does not hold itself
  typeattribute sshd_t mcssetcats;

checkmodule -m -M -o ssh_cat_fix.mod ssh_cat_fix.te
semodule_package -m ssh_cat_fix.mod -o ssh_cat_fix.pp
rm ssh_cat_fix.mod
semodule -i ssh_cat_fix.pp
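As an added example (not from the report), a small POSIX sh helper that recognises the kind of denial quoted below, a process transition from a source context with no MCS categories to a target that has some, and writes out the workaround module source; the sample audit line is copied from the report, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the bug report: classify an AVC "transition"
# denial as the MCS category-gain case (source domain has no categories,
# target context has some) and emit the workaround module source.

# Constructed sample, copied from the denial quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1349808486.496:121): avc:  denied  { transition } for  pid=3120 comm="sshd" path="/bin/bash" dev=dm-0 ino=554 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process'

# Print the value of key=value field $2 from audit line $1 (status 1 if absent).
avc_field() {
    for kv in $1; do                  # split on whitespace, one key=value per word
        case "$kv" in "$2="*) printf '%s' "${kv#*=}"; return 0 ;; esac
    done
    return 1
}

# Print the categories of a context's high (clearance) level, or nothing.
# user:role:type:s0-s0:c0.c1023 -> c0.c1023 ; user:role:type:s0 -> (empty)
mls_high_cats() {
    range=$(printf '%s' "$1" | cut -d: -f4-)   # everything after user:role:type
    high=${range##*-}                          # high level; same as low if no '-'
    case "$high" in *:*) printf '%s' "${high#*:}" ;; esac
}

# Returns 0 when the line is a denied process transition whose target carries
# MCS categories while the source has none: exactly what the mcs constraint
# blocks unless the source type carries the mcssetcats attribute.
avc_is_mcs_category_gain() {
    case "$1" in *denied*"{ transition }"*) ;; *) return 1 ;; esac
    [ "$(avc_field "$1" tclass)" = process ] || return 1
    src_cats=$(mls_high_cats "$(avc_field "$1" scontext)")
    tgt_cats=$(mls_high_cats "$(avc_field "$1" tcontext)")
    [ -z "$src_cats" ] && [ -n "$tgt_cats" ]
}

# Write the workaround module from the report into directory $1.
write_ssh_cat_fix_te() {
    cat > "$1/ssh_cat_fix.te" <<'EOF'
module ssh_cat_fix 1.0;
require {
  type sshd_t;
}
typeattribute sshd_t mcssetcats;
EOF
}

if avc_is_mcs_category_gain "$SAMPLE_AVC"; then
    echo "MCS category-gain denial: sshd_t lacks mcssetcats, see ssh_cat_fix.te"
fi
```

Feed it lines from ausearch -m avc to separate this denial from ordinary type-enforcement denials, which need an allow rule rather than the attribute.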

On Tue, Oct 09, 2012 at 04:12:52PM -0400, Paul Donohue wrote:
> Package: selinux-policy-default
> Version: 2:2.20110726-3
> Severity: important
> 
> When protecting sshd with this policy, the transition that occurs when running
> the user's shell is always denied, which prevents users from logging in:
> type=AVC msg=audit(1349808486.496:121): avc:  denied  { transition } for  pid=3120 comm="sshd" path="/bin/bash" dev=dm-0 ino=554 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> 
> The reason is that the daemon has no MCS categories assigned to it, so the mcs
> policy constraints prevent the addition of categories.
> 
> As best as I can tell, sshd is not supposed to have any categories, and the user
> is supposed to have categories, so this behavior should be allowed.  (Did I miss
> something here?)
> 
> Assuming this behavior should be allowed, editing
> policy/modules/system/authlogin.if and adding mcs_process_set_categories($1)
> in the auth_login_pgm_domain interface fixes this problem.
