| Summary: | Unexpected message avc: denied { read } for pid=1298 comm="ssh-transport-c" | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dominik Perpeet <dperpeet> |
| Component: | libssh | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 24 | CC: | asn, dominick.grift, dperpeet, dwalsh, jjelen, lvrabec, mattias.ellert, mgrepl, mvollmer, negativo17, plautrba, rdieter, stefw, tmraz |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-08 14:00:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** This bug has been marked as a duplicate of bug 1242656 *** The question I have is 'ssh-transport-c'? And why should it read the /proc/net/unix file? I see nothing with the name ssh-transport-c in the file system. The /proc/net/unix file contains a list of all open unix socket connections. So how do I figure out what in the world is ssh-transport-c is doing in that file? I don't feel comfortable opening this without knowing what it is and why it's doing that. Probably a library call? This has nothing to do with openssh. As mentioned in the "duplicate", it points out to the file in cockpit src/ws/cockpitsshtransport.c (truncated thread name?), which is using libssh to connect to remote server. Maybe they will tell you more what is going on under the hood and why they need to read this file? The libssh code does not open that file. The only unix socket we connect to is the one ssh-agent exports (SSH_AUTH_SOCK). Agree with Andreas. I looked through libssh for code that might do that. In addition Cockpit does not open that file in its code. So hence the question to Mirek: How can we figure out which piece of code is accessing that file? I imagine similar issues have come up before when tracking down AVC's right? You get get more information using extended audit rules. # auditctl -D # auditctl -w /etc/shadow -p w Together with AVC record you will see SYSCALL, PATH, and other which could help. Dominik, in your opition, would it make sense to add the commands above to the end of our testing teardown logic, and run them if there are unexpected audit messages? The commands changes rules which auditd uses to filter audit events. You need to run them first and when an event occur it will be consisted of several records.
With the default auditd setting you see can see an audit events with only one AVC record:
type=AVC msg=audit(1461679232.539:924): avc: denied { open } for pid=363 comm="sshd" path="/etc/ssh/ssh_host_ecdsa_key" dev="dm-1" ino=34723961 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
When you change the filter using auditctl command, you will see events with multiple records:
type=AVC msg=audit(1461679330.386:932): avc: denied { open } for pid=1389 comm="sshd" path="/etc/ssh/ssh_host_ecdsa_key" dev="dm-1" ino=34723961 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1461679330.386:932): arch=c000003e syscall=2 success=no exit=-13 a0=555cf0182aa0 a1=0 a2=7ffdb125ed30 a3=555cef4a1960 items=1 ppid=1 pid=1389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1461679330.386:932): cwd="/"
type=PATH msg=audit(1461679330.386:932): item=0 name="/etc/ssh/ssh_host_ecdsa_key" inode=34723961 dev=fd:01 mode=0100640 ouid=0 ogid=991 rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1461679330.386:932): proctitle="/usr/sbin/sshd"
I don't think it's a bad thing to increase selinux verbosity in our tests. On the other hand, we could just run this in a pull request and hammer it with CI until the error occurs again, that way we don't need to increase verbosity on master (and maybe rewrite some rules where we catch expected selinux events). I don't see a good alternative at this point, unless we want to keep guessing or give up on the error. This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |
Description of problem: When running the cockpit integration tests on a test machine, we see this message in the logs: audit: type=1400 audit(1458588824.652:268): avc: denied { read } for pid=1298 comm="ssh-transport-c" name="unix" dev="proc" ino=4026532021 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 Version-Release number of selected component (if applicable): selinux-policy-targeted-3.13.1-179.fc24.noarch How reproducible: Always on the CI machines, never locally