From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 01 Feb 2010 14:03:28 +0100
Subject: [refpolicy] Allowing MLS->non-MLS and vice versa upon policy reload
Message-ID: <201002011303.o11D3TQR030787@vivaldi36.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello !

When switching at runtime between the standard reference policy and the MLS/MCS reference policy (2.20091117), the ssh server on a Debian Lenny system does not accept new connections until it is restarted.

The following denials are generated:

type=1400 audit(1265028026.079:19): avc: denied { transition } for pid=8973 comm="sshd" path="/bin/bash" dev=dm-1 ino=146597 scontext=system_u:system_r:sshd_t:s0 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

Unfortunately, simply adding a custom module such as the following:

    require {
        type staff_t;
        type sshd_t;
        class process transition;
    }

    #============= sshd_t ==============
    allow sshd_t staff_t:process transition;

does not help.

I believe the problem arises as soon as the ssh server opens a shell for the user, as I get "/bin/bash: Permission denied" after the initial /etc/motd banner (and the connection is dropped at that point).

Does anybody have an idea on how to sort out this issue ?

I believe the server is OpenSSH version 5.1p1, while bash is version 3.2.39(1). I have not had time to test other distributions.

Kind regards,

Guido Trentalancia
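As an added triage helper (not part of the message above or of the reference policy), the following Python parses AVC denial lines like the one quoted and flags a process transition whose source and target contexts carry different MLS ranges (here s0 versus s0-s0:c0.c1023). Such a denial is a candidate for an MLS constraint failure rather than a missing type-enforcement rule, which is why an audit2allow-style allow rule alone is not expected to clear it; the second sample line and the field names are constructed for the example.

```python
import re

# Constructed sample log: line 1 is the denial quoted in the message above,
# line 2 is a constructed plain type-enforcement denial for comparison.
SAMPLE_AVC = """\
type=1400 audit(1265028026.079:19): avc: denied { transition } for pid=8973 comm="sshd" path="/bin/bash" dev=dm-1 ino=146597 scontext=system_u:system_r:sshd_t:s0 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1265028030.000:20): avc: denied { read } for pid=9001 comm="sshd" name="keys" dev=dm-1 ino=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0-s0:c0.c1023 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def split_context(ctx):
    """Split user:role:type[:range] into (user, role, type, range); range is '' if absent."""
    parts = ctx.split(':', 3)
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) > 3 else '')


def triage(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    _, _, stype, srange = split_context(m['scontext'])
    _, _, ttype, trange = split_context(m['tcontext'])
    perms = m['perms'].split()
    return {
        'perms': perms, 'tclass': m['tclass'],
        'stype': stype, 'ttype': ttype,
        'srange': srange, 'trange': trange,
        # Heuristic: a process transition between contexts with different MLS
        # ranges is suspected to fail an MLS constraint; a TE allow rule such as
        # "allow sshd_t staff_t:process transition;" cannot satisfy a constraint.
        'mls_suspect': (m['tclass'] == 'process' and 'transition' in perms
                        and srange != trange),
    }


def triage_log(text):
    """Triage every AVC denial in a block of audit text (non-AVC lines are skipped)."""
    return [v for v in (triage(l) for l in text.splitlines()) if v is not None]


if __name__ == '__main__':
    for v in triage_log(SAMPLE_AVC):
        kind = 'MLS-range mismatch suspected' if v['mls_suspect'] else 'type-enforcement'
        print(f"{v['stype']} -> {v['ttype']} {v['tclass']} {v['perms']}: {kind}")
```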