gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

SElinux misconfiguration #19871

Open moisesmejia1200 opened 1 year ago

moisesmejia1200 commented 1 year ago

Expected behavior:

Admin would like Teleport to print out SELinux-confined commands' output without piping them to cat or redirecting to a file.

Current behavior: Admin has encountered the following when running SELinux-confined commands. For example, if they execute chronyc sources, no standard output is generated; to get the output they must pipe the command through cat. If we set enforcing=0 and then run chronyc sources behind Teleport, everything works as expected.

Bug details:

Recreation steps: Run any SELinux-confined command after accessing a node via Teleport.

duckfez commented 1 year ago

The underlying issue here is an incorrect assignment of SELinux context to the user's pty device. When logging in via tssh, the SELinux type of the user's pty is devpts_t. When logging in via ssh (OpenSSH on RHEL 7), the SELinux type of the user's pty is user_devpts_t. The difference in the SELinux types causes commands that are confined by SELinux to fail to be able to open the tty for stdout/stderr.

Login via teleport:

user@host:~:$ ls -lZ $( tty )
crw-------. user tty system_u:object_r:devpts_t:s0    /dev/pts/1

Versus via ssh:

user@host:~:$ ls -lZ $( tty )
crw--w----. user tty unconfined_u:object_r:user_devpts_t:s0 /dev/pts/0

This is (probably) an issue in https://github.com/creack/pty. I've seen this issue with other software that uses his library. In openssh-portable there's quite a bit of code specific to handling pty contexts with selinux, such as https://github.com/openssh/openssh-portable/blob/4a5590a5ee47b7dfd49773e9fdba48ad3089fe64/openbsd-compat/port-linux.c#L136. The golang pty implementation does not have any specific selinux support.
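A small diagnostic that a node operator can run inside a Teleport session to confirm the mislabelled-pty diagnosis above. This is an added example, not code from the Teleport project or from the commenters. It assumes a Linux host (the pty path is taken from /proc/self/fd/0 and the label is read through the security.selinux xattr with syscall.Getxattr), and it takes user_devpts_t as the expected type purely because that is what the ssh session in the comment above shows; hosts with a different policy may expect another type. It also parses the two `ls -lZ` lines pasted above so a saved transcript can be checked offline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// Context is a parsed SELinux security context such as
// "unconfined_u:object_r:user_devpts_t:s0".
type Context struct {
	User  string
	Role  string
	Type  string
	Level string // empty on non-MLS policies; may itself contain ':' (e.g. "s0-s0:c0.c1023")
}

// ExpectedPtyType is the pty type the OpenSSH session in the issue shows.
// Assumption for this example: a RHEL 7 targeted policy; adjust for other policies.
const ExpectedPtyType = "user_devpts_t"

// ParseContext splits a context string into user, role, type and level.
// The level is everything after the third colon, because MLS ranges contain colons.
func ParseContext(s string) (Context, error) {
	s = strings.TrimRight(s, "\x00\n")
	parts := strings.SplitN(s, ":", 4)
	if len(parts) < 3 {
		return Context{}, fmt.Errorf("malformed SELinux context %q", s)
	}
	c := Context{User: parts[0], Role: parts[1], Type: parts[2]}
	if len(parts) == 4 {
		c.Level = parts[3]
	}
	return c, nil
}

// CheckPtyLabel reports whether the pty's type is the one a confined command
// is allowed to open. Only the type field is compared; the SELinux user and
// role on the device node do not drive the file-write rules that matter here.
func CheckPtyLabel(ctx string) (ok bool, msg string, err error) {
	c, err := ParseContext(ctx)
	if err != nil {
		return false, "", err
	}
	if c.Type == ExpectedPtyType {
		return true, "pty label " + ctx + " matches what sshd assigns", nil
	}
	return false, fmt.Sprintf("pty type %q (expected %q): SELinux-confined commands such as chronyc will be denied the tty for stdout/stderr",
		c.Type, ExpectedPtyType), nil
}

// ReadLabel reads the security.selinux xattr of path (Linux only; on a host
// without SELinux xattrs the call fails and the error is returned).
func ReadLabel(path string) (string, error) {
	buf := make([]byte, 256)
	n, err := syscall.Getxattr(path, "security.selinux", buf)
	if err != nil {
		return "", err
	}
	return strings.TrimRight(string(buf[:n]), "\x00"), nil
}

// LabelFromLsZ extracts the context column from an `ls -lZ` line, so the
// transcripts pasted in the issue can be checked without a live host.
func LabelFromLsZ(line string) (string, error) {
	for _, f := range strings.Fields(line) {
		if strings.Count(f, ":") >= 3 {
			return f, nil
		}
	}
	return "", errors.New("no SELinux context found in line")
}

func main() {
	// Constructed samples copied from the two sessions in the issue.
	samples := []string{
		"crw-------. user tty system_u:object_r:devpts_t:s0    /dev/pts/1",
		"crw--w----. user tty unconfined_u:object_r:user_devpts_t:s0 /dev/pts/0",
	}
	for _, line := range samples {
		lbl, err := LabelFromLsZ(line)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		_, msg, _ := CheckPtyLabel(lbl)
		fmt.Println(msg)
	}

	// Live check of the pty this process is attached to (Linux assumption).
	ptyPath, err := os.Readlink("/proc/self/fd/0")
	if err != nil {
		fmt.Println("cannot resolve stdin pty:", err)
		return
	}
	lbl, err := ReadLabel(ptyPath)
	if err != nil {
		fmt.Printf("cannot read SELinux label of %s: %v\n", ptyPath, err)
		return
	}
	_, msg, _ := CheckPtyLabel(lbl)
	fmt.Printf("%s: %s\n", ptyPath, msg)
}
```

Run it once from an OpenSSH session and once from a Teleport session on the same node; a mismatch in the live check reproduces the comment's finding without needing to guess which confined command to try.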