| Summary: | RHEL7 ssh avc denials preventing proper hostkey setup | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | mgregg, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-10-03 16:54:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
fyi, all AVC denials I see when I set permissive mode:
[root@qe-blade-05 ssh]# service sshd stop
Redirecting to /bin/systemctl stop sshd.service
[root@qe-blade-05 ssh]# setenforce 0
[root@qe-blade-05 ssh]# rm ssh_host_rsa_key* -f
[root@qe-blade-05 ssh]# date; service sshd start
Thu Oct 3 12:30:37 EDT 2013
Redirecting to /bin/systemctl start sshd.service
[root@qe-blade-05 ssh]# ausearch -m avc -ts 12:30:37
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.919:218): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=13e73f0 a2=ffffffff a3=3e6 items=0 ppid=27710 pid=27713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chgrp" exe="/usr/bin/chgrp" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.919:218): avc: denied { chown } for pid=27713 comm="chgrp" capability=0 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.920:219): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=8fc0f0 a2=1a0 a3=7fffcb249860 items=0 ppid=27710 pid=27714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.920:219): avc: denied { fsetid } for pid=27714 comm="chmod" capability=4 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.921:220): arch=c000003e syscall=269 success=yes exit=0 a0=ffffffffffffff9c a1=fc2d10 a2=1 a3=7fff0f7ece90 items=0 ppid=1 pid=27710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd-keygen" exe="/usr/bin/bash" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.921:220): avc: denied { execute } for pid=27710 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.921:221): arch=c000003e syscall=59 success=yes exit=0 a0=fc2d10 a1=fc3790 a2=fc3250 a3=7fff0f7ecff0 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.921:221): avc: denied { execute_no_trans } for pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1380817837.921:221): avc: denied { read open } for pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:222): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775299 a1=7ffffcc58ed0 a2=7f3a3a775299 a3=36393631363d7365 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:222): avc: denied { getattr } for pid=27716 comm="restorecon" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:223): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775296 a1=7ffffcc58ed0 a2=7f3a3a775296 a3=6975736f6e2c6c65 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:223): avc: denied { getattr } for pid=27716 comm="restorecon" name="/" dev="tmpfs" ino=1174 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:224): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775297 a1=7ffffcc58ed0 a2=7f3a3a775297 a3=65646f6d2c353d64 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:224): avc: denied { getattr } for pid=27716 comm="restorecon" name="/" dev="devpts" ino=1 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.923:225): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a7753b4 a1=7ffffcc58ed0 a2=7f3a3a7753b4 a3=7f3a37eaf000 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.923:225): avc: denied { getattr } for pid=27716 comm="restorecon" name="/" dev="dm-1" ino=128 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Oct 3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.923:226): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a77539a a1=7ffffcc58ed0 a2=7f3a3a77539a a3=732c777220736662 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.923:226): avc: denied { getattr } for pid=27716 comm="restorecon" name="/" dev="hugetlbfs" ino=15218 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=filesystem
*** This bug has been marked as a duplicate of bug 1014482 ***
Description of problem:
On RHEL7 test builds, I'm seeing the following trying to start sshd:

[root@qe-blade-05 ssh]# setenforce 1
[root@qe-blade-05 ssh]# rm ssh_host_rsa_key* -f
[root@qe-blade-05 ssh]# date; service sshd start
Thu Oct 3 12:22:40 EDT 2013
Redirecting to /bin/systemctl start sshd.service
[root@qe-blade-05 ssh]# tail /var/log/messages
...
Oct 3 12:22:40 qe-blade-05 systemd: Starting OpenSSH server daemon...
Oct 3 12:22:40 qe-blade-05 sshd-keygen: Generating SSH2 RSA host key: chgrp: changing group of ‘/etc/ssh/ssh_host_rsa_key’: Operation not permitted
Oct 3 12:22:40 qe-blade-05 sshd-keygen: [ OK ]
Oct 3 12:22:40 qe-blade-05 systemd: Started OpenSSH server daemon.
Oct 3 12:22:40 qe-blade-05 sshd: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct 3 12:22:40 qe-blade-05 sshd: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Oct 3 12:22:40 qe-blade-05 sshd: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct 3 12:22:40 qe-blade-05 sshd: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Oct 3 12:22:40 qe-blade-05 sshd: It is required that your private key files are NOT accessible by others.
Oct 3 12:22:40 qe-blade-05 sshd: This private key will be ignored.
Oct 3 12:22:40 qe-blade-05 sshd: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Oct 3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_rsa_key
Oct 3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_dsa_key
Oct 3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

[root@qe-blade-05 ssh]# ausearch -m avc -ts 12:22:40
----
time->Thu Oct 3 12:22:40 2013
type=SYSCALL msg=audit(1380817360.234:208): arch=c000003e syscall=260 success=no exit=-1 a0=ffffffffffffff9c a1=86f3f0 a2=ffffffff a3=3e6 items=0 ppid=27629 pid=27632 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chgrp" exe="/usr/bin/chgrp" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817360.234:208): avc: denied { chown } for pid=27632 comm="chgrp" capability=0 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct 3 12:22:40 2013
type=SYSCALL msg=audit(1380817360.236:209): arch=c000003e syscall=269 success=no exit=-13 a0=ffffffffffffff9c a1=1271d10 a2=1 a3=7fffee202910 items=0 ppid=1 pid=27629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd-keygen" exe="/usr/bin/bash" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817360.236:209): avc: denied { execute } for pid=27629 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

And it appears as if the file is left with group read:

[root@qe-blade-05 ssh]# ls -ld /etc/ssh/ssh_host_rsa_key*
-rw-r-----. 1 root root 1679 Oct 3 12:22 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Oct 3 12:22 /etc/ssh/ssh_host_rsa_key.pub

Version-Release number of selected component (if applicable):
[root@qe-blade-05 ssh]# rpm -q openssh selinux-policy
openssh-6.2p2-8.el7.x86_64
selinux-policy-3.12.1-85.el7.noarch

Note that selinux-policy was upgraded from the previous -84 release.

How reproducible:
Currently unknown. Issue seen on two separate test boxes in lab.

Steps to Reproduce:
1. Install RHEL7 from repo with affected versions
2. service sshd stop
3. rm -f /etc/ssh/ssh_host_rsa_key*
4. date; service sshd start
5. ls -l /etc/ssh_host_rsa_key*
6. ausearch -m avc -ts <time from step 4>

Actual results:
above errors and unable to ssh into host

Expected results:
proper permissions and ownership set for sshd to function properly.

Additional info:
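As an added example (not part of this bug report or of the selinux-policy package), a small Python triage script over the ausearch records on this page: it pairs each AVC record with the SYSCALL record that shares its event serial, so the enforcing run in the description (success=no, the key setup really was blocked) is told apart from the permissive run in the earlier comment (success=yes, the denial was only logged), and it merges the denials into the allow rules that an audit2allow-style analysis would derive for ssh_keygen_t. The sample records are trimmed copies of the ones above; the emitted rules describe what these denials ask for, not the fix that was actually shipped for this bug.

```python
import re
from collections import defaultdict

# Constructed sample: SYSCALL/AVC record pairs from this bug report, trimmed to the fields used
# here. Serials 208/209 are from the enforcing run, 219/221 from the permissive (setenforce 0) run.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1380817360.234:208): arch=c000003e syscall=260 success=no exit=-1 comm="chgrp" exe="/usr/bin/chgrp" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817360.234:208): avc: denied { chown } for pid=27632 comm="chgrp" capability=0 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
type=SYSCALL msg=audit(1380817360.236:209): arch=c000003e syscall=269 success=no exit=-13 comm="sshd-keygen" exe="/usr/bin/bash" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817360.236:209): avc: denied { execute } for pid=27629 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1380817837.920:219): arch=c000003e syscall=268 success=yes exit=0 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.920:219): avc: denied { fsetid } for pid=27714 comm="chmod" capability=4 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
type=SYSCALL msg=audit(1380817837.921:221): arch=c000003e syscall=59 success=yes exit=0 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.921:221): avc: denied { execute_no_trans } for pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1380817837.921:221): avc: denied { read open } for pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
"""

SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)')
AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\}'
                    r'.*?\bcomm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
                    r' tclass=(?P<tclass>\S+)')

def parse_denials(text):
    """One dict per AVC record; 'enforced' is True when the SYSCALL record sharing the event
    serial says success=no (kernel blocked it). In permissive mode it is logged but succeeds."""
    outcome, denials = {}, []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            outcome[m['serial']] = m['success']
            continue
        m = AVC_RE.search(line)
        if m:
            denials.append({'serial': m['serial'], 'comm': m['comm'], 'perms': m['perms'].split(),
                            'scontext': m['scontext'], 'tcontext': m['tcontext'], 'tclass': m['tclass']})
    for d in denials:
        d['enforced'] = outcome.get(d['serial']) == 'no'
    return denials

def allow_rules(denials):
    """Merge denials by (source type, target type, class) into policy-language allow rules,
    the shape audit2allow would emit; a target equal to the source is written as 'self'."""
    type_of = lambda ctx: ctx.split(':')[2]   # 'system_u:system_r:ssh_keygen_t:s0' -> 'ssh_keygen_t'
    perms = defaultdict(set)
    for d in denials:
        perms[(type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])] |= set(d['perms'])
    return [f"allow {s} {'self' if s == t else t}:{cls} {{ {' '.join(sorted(p))} }};"
            for (s, t, cls), p in sorted(perms.items())]
```

Feed it `ausearch -m avc -ts <time>` output instead of SAMPLE_AUDIT to triage a live box; the two rules it prints for these records cover the chgrp/chmod capabilities and the restorecon step that the sshd-keygen script could not complete.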