aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

SSM Session Manager fails to set correct selinux context on user's pty #498

Open duckfez opened 1 year ago

duckfez commented 1 year ago

When connecting to an SELinux enforcing host via SSM, the user's pty does not get the correct SELinux context. This causes SELinux-confined commands (such as chronyc) to fail to write to the user's pty.

Connect to a RHEL7 host with SSM:

$ aws ssm start-session --target <target_id>

Starting session with SessionId: myusername-014c36002c2d064c5
sh-4.2$ sudo -i

[root@ip-10-128-43-46 ~]# getenforce
Enforcing

[root@ip-10-128-43-46 ~]# ls -lZ $(tty)
crw--w----. root tty system_u:object_r:devpts_t:s0    /dev/pts/0

Observe that the system is in SELinux enforcing mode, and my pty device has an SELinux context of devpts_t. When I attempt chronyc tracking I get no output from it:

[root@ip-10-128-43-46 ~]# chronyc tracking

If I disable SELinux then chronyc works:

[root@ip-10-128-43-46 ~]# setenforce 0

[root@ip-10-128-43-46 ~]# chronyc tracking
Reference ID    : A9FEA97B (169.254.169.123)
Stratum         : 4
Ref time (UTC)  : Fri Apr 08 18:32:20 2022
System time     : 0.000001437 seconds slow of NTP time
Last offset     : -0.000000292 seconds
RMS offset      : 0.000039443 seconds
Frequency       : 2.625 ppm fast
Residual freq   : -0.000 ppm
Skew            : 0.044 ppm
Root delay      : 0.000353114 seconds
Root dispersion : 0.000261603 seconds
Update interval : 16.3 seconds
Leap status     : Normal

If I connect to this same host via SSH:

$ ssh ec2-user@18.207.214.91
sh-4.2$ sudo -i

[root@ip-10-128-43-46 ~]# ls -lZ $( tty )
crw--w----. ec2-user tty unconfined_u:object_r:user_devpts_t:s0 /dev/pts/0

[root@ip-10-128-43-46 ~]# chronyc tracking
Reference ID    : A9FEA97B (169.254.169.123)
Stratum         : 4
Ref time (UTC)  : Fri Apr 08 18:26:24 2022
System time     : 0.000001558 seconds fast of NTP time
Last offset     : +0.000000718 seconds
RMS offset      : 0.000119167 seconds
Frequency       : 2.659 ppm fast
Residual freq   : +0.001 ppm
Skew            : 0.198 ppm
Root delay      : 0.000357058 seconds
Root dispersion : 0.000272572 seconds
Update interval : 16.2 seconds
Leap status     : Normal

First, observe that the pty has a different context: user_devpts_t. And chronyc works, even in SELinux enforcing mode.
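As an added example (not code from the amazon-ssm-agent project or from the reporter), a small POSIX shell check that classifies a pty's SELinux label the way the two sessions above are compared, so an operator can confirm inside a session whether the pty carries the generic devpts_t label or the per-user user_devpts_t label. The live audit assumes GNU `ls -Z`, `getenforce` and `tty` are available on the host; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example, not part of amazon-ssm-agent: classify the SELinux label on a
# session's pty to spot the devpts_t vs user_devpts_t mismatch shown above.

# Pull the context field (user:role:type:level) out of an `ls -lZ` line.
# Column positions differ between coreutils versions, so match on shape.
context_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+_u:[a-z_]+_r:[a-z_]+_t:/) { print $i; exit }
    }'
}

# The third colon-separated component of a context is the SELinux type.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a pty context: "ok" for the per-user label an SSH login gets,
# "mislabeled" for the generic devpts_t label reported in this issue,
# "unknown" for anything else.
pty_label_status() {
    case "$(selinux_type "$1")" in
        user_devpts_t) echo ok ;;
        devpts_t)      echo mislabeled ;;
        *)             echo unknown ;;
    esac
}

# Live check of the calling shell's own pty (assumes getenforce, tty, ls -Z).
# Non-zero exit means confined tools such as chronyc may be denied the pty.
audit_current_pty() {
    pty=$(tty) || { echo "not on a tty"; return 2; }
    mode=$(getenforce 2>/dev/null || echo Unknown)
    ctx=$(context_from_ls "$(ls -lZ "$pty")")
    status=$(pty_label_status "$ctx")
    echo "selinux=$mode pty=$pty context=$ctx status=$status"
    [ "$status" = ok ] || [ "$mode" != Enforcing ]
}

# Run the live audit only when explicitly asked, so the functions above can
# be sourced or tested on hosts without SELinux.
if [ "${1:-}" = --audit ]; then
    audit_current_pty
fi
```

Run it as `sh check_pty.sh --audit` inside both an SSM session and an SSH session to reproduce the comparison from this report.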