Bug 1184341
| Field | Value |
|---|---|
| Summary | sshd_t / local_login_t denials in audit.log |
| Product | Red Hat Enterprise Virtualization Manager |
| Reporter | Ying Cui <ycui> |
| Component | ovirt-node |
| Assignee | Douglas Schilling Landgraf <dougsland> |
| Status | CLOSED WORKSFORME |
| QA Contact | Virtualization Bugs <virt-bugs> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 3.6.0 |
| CC | cshao, dwalsh, ecohen, fdeutsch, gklein, hadong, huiwa, iheim, leiwang, lsurette, yaniwang, ycui |
| Target Milestone | --- |
| Target Release | 3.6.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | node |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-04-09 17:38:46 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | Node |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |

Description
Ying Cui
2015-01-21 06:49:38 UTC
Created attachment 982182: audit.log
Only reproduce this bug on rhevh 6.6 for 3.5 build. For rhevh 7.0 for 3.5, I did not reproduce this bug. Because it is related to selinux and security, not sure whether we need to fix it on rhev 3.5.0 or rhev 3.5.0-1 or zstream.

Dan, I saw bug #843631 and wonder if we should add a dontaudit or allow rule for the denial above. Do you have a suggestion?

I would guess this is an allow rule, although I have no idea what the connection is between /bin/login and sshd.

Petr, do you have an idea why ssh could be sending signull to login? Does it just want the /proc and send signull to all processes?

I've inspected rhel-6 sources and the only case when sshd_t somehow interacts with local_login_t would be if the option UseLogin=yes is set in sshd_conf. And I can't even see any rule which would allow sshd_t to execute login_exec_t thus it should not work anyway. From my point of view it seems to be more mis-configuration than something expected.

Thanks all for the inputs. I cannot reproduce this report in an updated rhev-hypervisor image, example: rhev-hypervisor6-6.6-20150402.0. I am closing this bug for now, feel free to re-open in case you see it again.
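
A triage check for the question raised in this thread, added here as an example and not taken from the bug report or from ovirt-node: it pulls AVC denials where sshd_t targets local_login_t out of audit log text and reports whether UseLogin is effectively enabled in the sshd configuration. The log lines and configuration text are constructed samples, and the function names are hypothetical.

```python
import re

# Fields of an SELinux AVC denial record as written to audit.log.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def find_denials(log_text, source_type, target_type):
    """Collect (perms, tclass, comm) for denials from one domain to another."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        pair = (selinux_type(m["scon"]), selinux_type(m["tcon"]))
        if pair != (source_type, target_type):
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        hits.append((tuple(m["perms"].split()), m["tclass"],
                     comm.group(1) if comm else None))
    return hits

def use_login_enabled(sshd_config_text):
    """Effective UseLogin value: the first occurrence wins, the default is no."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = re.split(r'[\s=]+', line, maxsplit=1)
        if len(fields) == 2 and fields[0].lower() == "uselogin":
            return fields[1].strip().strip('"').lower() == "yes"
    return False

# Constructed sample input (not taken from the attached audit.log).
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1421822978.101:211): avc:  denied  { signull } for  pid=2301 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1421822979.202:212): avc:  denied  { read } for  pid=2410 comm="httpd" name="x" dev=dm-0 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_LOGIN msg=audit(1421822980.303:213): user pid=2301 uid=0 auid=0 msg='op=login acct="admin" res=success'
'''
SAMPLE_SSHD_CONFIG = "PermitRootLogin yes\n#UseLogin no\nUseLogin yes\nUseLogin no\n"

if __name__ == "__main__":
    print(find_denials(SAMPLE_AUDIT, "sshd_t", "local_login_t"))
    print("UseLogin enabled:", use_login_enabled(SAMPLE_SSHD_CONFIG))
```

A denial between these two domains on a host where UseLogin is not enabled points away from the one interaction path identified in the thread and toward a configuration or image-specific cause.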