Bug 1264073

Summary: SELinux is preventing /usr/sbin/sshd from read access on the file nologin.
Product: Red Hat Enterprise Linux 7 Reporter: Paul Stauffer <paulds>
Component: systemdAssignee: systemd-maint
Status: CLOSED ERRATA QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: fsumsal, jscotka, lmiksik, lnykryn, lvrabec, mgrepl, mmalik, msekleta, plautrba, pvrabec, ssekidde, systemd-maint-list
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: systemd-219-16.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 15:09:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Stauffer 2015-09-17 12:47:30 UTC 
While a shutdown process is running, ssh logins generate the following selinux denial:

setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file nologin. For complete SELinux messages. run sealert -l a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63

(Oddly, I do not see the associated AVC denial message in /var/log/audit/audit.log*.)

# sealert -l a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63
SELinux is preventing /usr/sbin/sshd from read access on the file nologin.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sshd should be allowed read access on the nologin file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                nologin [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          [hostname]
Source RPM Packages           openssh-server-6.6.1p1-12.el7_1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     [hostname]
Platform                      Linux [hostname] 3.10.0-229.7.2.el7.x86_64 #1 SMP
                              Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-16 10:55:05 EDT
Last Seen                     2015-09-16 10:55:05 EDT
Local ID                      a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63

Raw Audit Messages
type=AVC msg=audit(1442415305.449:880158): avc:  denied  { read } for  pid=14239 comm="sshd" name="nologin" dev="tmpfs" ino=34822437 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1442415305.449:880158): arch=x86_64 syscall=open success=no exit=EACCES a0=7f659c791e3a a1=0 a2=0 a3=0 items=0 ppid=1825 pid=14239 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,init_var_run_t,file,read
Comment 2 Milos Malik 2015-09-17 12:58:02 UTC 
It seems that the /var/run/nologin file is mislabeled on your machine:

# matchpathcon /var/run/nologin
/var/run/nologin	system_u:object_r:systemd_logind_var_run_t:s0
#

Following command should fix it:

# restorecon -v /var/run/nologin

If it happens again then we will need to find out, what process creates that file.
Comment 3 Paul Stauffer 2015-09-17 13:11:58 UTC 
That file is created dynamically by the shutdown process.  It does not otherwise exist.  Per the shutdown(8) man page:

       If the time argument is used, 5 minutes before the system goes down the
       /run/nologin file is created to ensure that further logins shall not be
       allowed.

# ls -lZ /var/run/nologin
ls: cannot access /var/run/nologin: No such file or directory
# ls -lZ /run/nologin
ls: cannot access /run/nologin: No such file or directory

Sounds like you're saying this is a mislabeling bug, not a policy bug?  If so, this bug should perhaps be reassigned to the systemd component, since that's the package that owns /usr/sbin/shutdown.
Comment 4 Milos Malik 2015-09-17 13:36:26 UTC 
Based on following AVCs generated by a special policy module, /usr/lib/systemd/systemd-user-sessions process creates a temporary file and then renames it to /run/nologin:
----
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=1 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/17/2015 15:27:43.062:123) :  cwd=/ 
type=SYSCALL msg=audit(09/17/2015 15:27:43.062:123) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7f0a7eeb4010 a1=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a2=0600 a3=0x55fabfcf items=2 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(09/17/2015 15:27:43.062:123) : avc:  granted  { create } for  pid=2417 comm=systemd-user-se name=.#nologin5aGJgw scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file 
----
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=3 name=/run/nologin inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=2 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=DELETE 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=1 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/17/2015 15:27:43.071:125) :  cwd=/ 
type=SYSCALL msg=audit(09/17/2015 15:27:43.071:125) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f0a7eeb4010 a1=0x7f0a7d407f84 a2=0x7f0a7eeb4110 a3=0x22 items=4 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(09/17/2015 15:27:43.071:125) : avc:  granted  { rename } for  pid=2417 comm=systemd-user-se name=.#nologin5aGJgw dev="tmpfs" ino=58085 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file 
----

Because filename transition rules are not applied during a rename operation, the label on /run/nologin file stays init_var_run_t.
Comment 5 Miroslav Grepl 2015-09-21 06:14:29 UTC 
The problem is it creates random names 

.#nologin5aGJgw 

and we are now able to cover them using SELinux policy rules.
Comment 6 Michal Sekletar 2015-09-21 11:27:09 UTC 
(In reply to Miroslav Grepl from comment #5)
> The problem is it creates random names 
> 
> .#nologin5aGJgw 
> 
> and we are now able to cover them using SELinux policy rules.

I will assume this should read "... not able to ..."

I think we should preserve current semantics, i.e. creation of /run/nologin should stay an atomic operation. Thus we need to create temporary file and then rename it to /run/nologin. However just before we call rename we can query selinux policy and figure out proper label, set it and rename it after that.
Comment 7 Miroslav Grepl 2015-09-21 12:00:09 UTC 
(In reply to Michal Sekletar from comment #6)
> (In reply to Miroslav Grepl from comment #5)
> > The problem is it creates random names 
> > 
> > .#nologin5aGJgw 
> > 
> > and we are now able to cover them using SELinux policy rules.
> 
> I will assume this should read "... not able to ..."
> 
> I think we should preserve current semantics, i.e. creation of /run/nologin
> should stay an atomic operation. Thus we need to create temporary file and
> then rename it to /run/nologin. However just before we call rename we can
> query selinux policy and figure out proper label, set it and rename it after
> that.

AFAIK we already do it in systemd for another case.
Comment 9 Lukáš Nykrýn 2015-09-22 10:42:18 UTC 
https://github.com/lnykryn/systemd-rhel/commit/ca5c3dbfd843b6acd92425a6f56c4b01d1a80dde
Comment 11 Frantisek Sumsal 2015-09-29 09:15:52 UTC 
Updated 'Fixed in' due to https://github.com/lnykryn/systemd-rhel/commit/4dd0d6644c71149a0a1af89944b95325ac4d2f18
Comment 13 errata-xmlrpc 2015-11-19 15:09:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2092.html