Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-1554

MLS: logging in through ssh as root ends up being "staff_t" instead of "sysadm_t"

XMLWordPrintable

    • None
    • Moderate
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 3
    • False
    • Hide

      None

      Show
      None
    • None
    • CY24Q2
    • None
    • None
    • If docs needed, set a value
    • None

      Description of problem:

      On my freshly setup MLS system, I can see that logging in as root through ssh ends up getting "staff_t" context:
      ~~~
      -bash: /root/.bash_profile: Permission denied
      [root@vm-mls9 ~]# id -Z
      root:staff_r:staff_t:s0-s15:c0.c1023
      ~~~

      Version-Release number of selected component (if applicable):

      selinux-policy-mls-38.1.11-2.el9_2.3.noarch

      How reproducible:

      Always

      Additional info:

      Our doc [1] states the context should be sysadm_t (hence we cannot login without the boolean) but apparently there is some bug here.

      ~~~
      [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/using-multi-level-security-mls_using-selinux#switching-the-selinux-policy-to-mls_using-multi-level-security-mls

      Important note:
      [...]
      Also note that in MLS, SSH logins as the root user mapped to the sysadm_r SELinux role differ from logging in as root in staff_r.
      ~~~

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Nikola Kňažeková Nikola Kňažeková (Inactive)
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: