Bug 1316879

Summary: SELinux is preventing /usr/sbin/sshd from write access on the file sshd.pid
Product: [Fedora] Fedora Reporter: Germano Massullo <germano.massullo>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-11 13:44:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Germano Massullo 2016-03-11 11:40:37 UTC 
I manually stopped SSHd, then after some minutes I restarted SELinux and I got


SELinux is preventing /usr/sbin/sshd from write access on the file sshd.pid.

*****  Plugin catchall (100. confidence) suggests   **************************

If si crede che sshd dovrebbe avere possibilità di accesso write sui sshd.pid file in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                sshd.pid [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          
Source RPM Packages           openssh-server-7.1p2-4.fc23.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.9.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     machine
Platform                      Linux machine 4.4.3-300.fc23.x86_64 #1 SMP Fri Feb 26
                              18:45:40 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-03-11 12:31:31 CET
Last Seen                     2016-03-11 12:31:31 CET
Local ID                      dc8da542-2c78-4b6c-b502-156c92b8e2a1

Raw Audit Messages
type=AVC msg=audit(1457695891.944:534): avc:  denied  { write } for  pid=7975 comm="sshd" name="sshd.pid" dev="tmpfs" ino=84613 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1457695891.944:534): arch=x86_64 syscall=open success=no exit=EACCES a0=5601504e2550 a1=241 a2=1b6 a3=240 items=0 ppid=7971 pid=7975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,var_run_t,file,write
Comment 1 Daniel Walsh 2016-03-11 13:44:57 UTC 
Looks like you ran it manually and it created a pid file with the wrong label.

restorecon -R -v /run/

Will fix the label, and then sshd will work with SELinux again.