Bug 1264073
| Summary: | SELinux is preventing /usr/sbin/sshd from read access on the file nologin. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Paul Stauffer <paulds> |
| Component: | systemd | Assignee: | systemd-maint |
| Status: | CLOSED ERRATA | QA Contact: | Frantisek Sumsal <fsumsal> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | fsumsal, jscotka, lmiksik, lnykryn, lvrabec, mgrepl, mmalik, msekleta, plautrba, pvrabec, ssekidde, systemd-maint-list |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | systemd-219-16.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 15:09:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Paul Stauffer
2015-09-17 12:47:30 UTC
It seems that the /var/run/nologin file is mislabeled on your machine:

```
# matchpathcon /var/run/nologin
/var/run/nologin	system_u:object_r:systemd_logind_var_run_t:s0
```

The following command should fix it:

```
# restorecon -v /var/run/nologin
```

If it happens again, then we will need to find out what process creates that file.

---

That file is created dynamically by the shutdown process. It does not otherwise exist. Per the shutdown(8) man page:

> If the time argument is used, 5 minutes before the system goes down the /run/nologin file is created to ensure that further logins shall not be allowed.

```
# ls -lZ /var/run/nologin
ls: cannot access /var/run/nologin: No such file or directory
# ls -lZ /run/nologin
ls: cannot access /run/nologin: No such file or directory
```

Sounds like you're saying this is a mislabeling bug, not a policy bug? If so, this bug should perhaps be reassigned to the systemd component, since that's the package that owns /usr/sbin/shutdown.

---

Based on the following AVCs generated by a special policy module, the /usr/lib/systemd/systemd-user-sessions process creates a temporary file and then renames it to /run/nologin:

```
----
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=1 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(09/17/2015 15:27:43.062:123) : cwd=/
type=SYSCALL msg=audit(09/17/2015 15:27:43.062:123) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7f0a7eeb4010 a1=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a2=0600 a3=0x55fabfcf items=2 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(09/17/2015 15:27:43.062:123) : avc: granted { create } for pid=2417 comm=systemd-user-se name=.#nologin5aGJgw scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
----
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=3 name=/run/nologin inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=2 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=DELETE
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=1 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(09/17/2015 15:27:43.071:125) : cwd=/
type=SYSCALL msg=audit(09/17/2015 15:27:43.071:125) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f0a7eeb4010 a1=0x7f0a7d407f84 a2=0x7f0a7eeb4110 a3=0x22 items=4 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(09/17/2015 15:27:43.071:125) : avc: granted { rename } for pid=2417 comm=systemd-user-se name=.#nologin5aGJgw dev="tmpfs" ino=58085 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
----
```

Because filename transition rules are not applied during a rename operation, the label on the /run/nologin file stays init_var_run_t.

---

The problem is it creates random names

    .#nologin5aGJgw

and we are now able to cover them using SELinux policy rules.

---

(In reply to Miroslav Grepl from comment #5)
> The problem is it creates random names
>
> .#nologin5aGJgw
>
> and we are now able to cover them using SELinux policy rules.

I will assume this should read "... not able to ..."

I think we should preserve current semantics, i.e. creation of /run/nologin should stay an atomic operation. Thus we need to create a temporary file and then rename it to /run/nologin. However, just before we call rename we can query the SELinux policy and figure out the proper label, set it and rename it after that.

---

(In reply to Michal Sekletar from comment #6)
> (In reply to Miroslav Grepl from comment #5)
> > The problem is it creates random names
> >
> > .#nologin5aGJgw
> >
> > and we are now able to cover them using SELinux policy rules.
>
> I will assume this should read "... not able to ..."
>
> I think we should preserve current semantics, i.e. creation of /run/nologin
> should stay an atomic operation. Thus we need to create a temporary file and
> then rename it to /run/nologin. However, just before we call rename we can
> query the SELinux policy and figure out the proper label, set it and rename it
> after that.

AFAIK we already do it in systemd for another case.

---

Updated 'Fixed in' due to https://github.com/lnykryn/systemd-rhel/commit/4dd0d6644c71149a0a1af89944b95325ac4d2f18

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2092.html
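As an added detection example (not from the bug report or from systemd), the script below groups the audit records quoted in the thread by event id, picks out successful rename() calls, and flags any newly created name whose SELinux type differs from what matchpathcon says the path should carry. The expected-type table and the trimmed sample records are constructed for this example from the report's own output.

```python
"""Spot SELinux label drift from rename(): flag a newly created name whose type is not the one policy expects."""
import re
from collections import defaultdict

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\) : (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Expected type per path, as matchpathcon reports it in the bug report.
EXPECTED_TYPES = {"/run/nologin": "systemd_logind_var_run_t"}

# Constructed sample: the report's two audit events (ausearch -i style), trimmed to the fields used here.
SAMPLE_AUDIT = """\
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=1 name=/run/.#nologin5aGJgw mode=file,600 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE
type=SYSCALL msg=audit(09/17/2015 15:27:43.062:123) : arch=x86_64 syscall=open success=yes exit=4 pid=2417 comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=3 name=/run/nologin mode=file,644 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=2 name=/run/.#nologin5aGJgw mode=file,644 obj=system_u:object_r:init_var_run_t:s0 objtype=DELETE
type=SYSCALL msg=audit(09/17/2015 15:27:43.071:125) : arch=x86_64 syscall=rename success=yes exit=0 pid=2417 comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0
"""

def parse_events(text):
    """Group records by audit event id: {event_id: [(record_type, fields)]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
            events[event_id].append((rtype, fields))
    return events

def find_mislabeled_renames(text, expected_types):
    """One finding per renamed-into path whose SELinux type is not the expected one."""
    findings = []
    for event_id, records in parse_events(text).items():
        syscall = next((f for t, f in records if t == "SYSCALL"), {})
        # Only a successful rename-family call carries an existing label under a new name.
        if syscall.get("syscall") not in ("rename", "renameat", "renameat2") or syscall.get("success") != "yes":
            continue
        paths = [f for t, f in records if t == "PATH"]
        source = [f["name"] for f in paths if f.get("objtype") == "DELETE"]  # the temp name that went away
        for p in paths:
            expected = expected_types.get(p.get("name"))
            if p.get("objtype") != "CREATE" or expected is None:
                continue
            ctx = p.get("obj", "").split(":")  # user:role:type:level
            actual = ctx[2] if len(ctx) > 2 else None
            if actual != expected:
                findings.append({"event": event_id, "path": p["name"], "renamed_from": source[0] if source else None,
                                 "actual": actual, "expected": expected, "exe": syscall.get("exe")})
    return findings
```

Because both the create and the rename were granted, no AVC denial is ever raised for this drift; correlating the rename's PATH records against the expected label is what surfaces it.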