Bug 1255030

Summary: unable to login using ssh while in MLS policy
Product: Red Hat Enterprise Linux 7
Reporter: Jiri Jaburek <jjaburek>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Jiri Jaburek <jjaburek>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.1
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-19 14:58:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1218420
Attachments:
avc log, in enforcing (login failed) (flags: none)
avc log, in permissive (login succeeded) (flags: none)

Description Jiri Jaburek 2015-08-19 13:08:04 UTC
Description of problem:

Likely caused by unix_chkpwd not being able to access /etc.

type=SYSCALL msg=audit(08/19/2015 15:01:37.541:812) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f135198a35c a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=3046 pid=3047 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(08/19/2015 15:01:37.541:812) : avc:  denied  { search } for  pid=3047 comm=unix_chkpwd name=etc dev="dm-0" ino=133 scontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s15:c0.c1023 tclass=dir


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-42.el7

How reproducible:
always

Steps to Reproduce:
1. boot into enforcing=0
2. successfully log in
3. setenforce 1
4. try logging in from another terminal

Comment 1 Jiri Jaburek 2015-08-19 13:08:59 UTC
Created attachment 1064844
avc log, in enforcing (login failed)

Comment 2 Jiri Jaburek 2015-08-19 13:09:44 UTC
Created attachment 1064846
avc log, in permissive (login succeeded)

Comment 3 Jiri Jaburek 2015-08-19 14:58:14 UTC
The issue was incorrect /etc context,

restorecon reset /etc context system_u:object_r:etc_t:s15:c0.c1023->system_u:object_r:etc_t:s0

and while it's still unclear what gave it c0.c1023 (SystemHigh) instead of s0 (SystemLow), the issues reported in comment #0 are a result/symptom of this change, not its cause.
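
Added example, not part of the bug report or of selinux-policy: a small Python check that parses the AVC record from comment #0 and tests whether the subject's low level dominates the target's level, which separates an MLS "read up" denial like this one from a missing type-enforcement rule. The function names are hypothetical, and the dominance test is the plain MLS rule; it is an assumption that no exemption in the loaded policy applies.

```python
import re

# AVC record copied from comment #0 of this bug.
AVC = ('type=AVC msg=audit(08/19/2015 15:01:37.541:812) : avc:  denied  { search } '
       'for  pid=3047 comm=unix_chkpwd name=etc dev="dm-0" ino=133 '
       'scontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 '
       'tcontext=system_u:object_r:etc_t:s15:c0.c1023 tclass=dir')

def parse_level(level):
    """'s15:c0.c1023' -> (15, {0, ..., 1023}); 'c1,c3.c5' lists are expanded."""
    sens, _, cats = level.partition(':')
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')
        categories.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), categories

def parse_range(context):
    """Return the (low, high) levels of a user:role:type:range context."""
    mls = context.split(':', 3)[3]
    low, _, high = mls.partition('-')
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """a dominates b: sensitivity is >= and the category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def explain(avc_line):
    """Summarise whether a denial is consistent with an MLS read-up."""
    fields = dict(re.findall(r'(\w+)=(\S+)', avc_line))
    s_low, s_high = parse_range(fields['scontext'])
    t_low, _ = parse_range(fields['tcontext'])
    return {
        'comm': fields['comm'],
        'target': fields['name'],
        # Subject's current (low) level does not dominate the object: read up.
        'read_up': not dominates(s_low, t_low),
        # Object still lies within the subject's clearance (high level).
        'within_clearance': dominates(s_high, t_low),
    }

if __name__ == '__main__':
    print(explain(AVC))
    # Same record with the /etc label that restorecon restored in comment #3.
    print(explain(AVC.replace('etc_t:s15:c0.c1023', 'etc_t:s0')))
```

A `read_up` result on a directory that should be SystemLow points at the file label rather than at the policy, so the next check is `restorecon -n -v` on that path.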