Bug 1353207

Summary: usepasswd=true in semanage.conf breaks ssh logins - add /var/empty to ignoredirs
Product: Fedora
Reporter: Edgar Hoch <edgar.hoch>
Component: libsemanage
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 24
CC: dwalsh, mgrepl, plautrba
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libsemanage-2.5-8.fc25
Last Closed: 2016-10-10 17:43:49 UTC
Type: Bug

Description Edgar Hoch 2016-07-06 14:08:58 UTC
Description of problem:
When changing the default entry usepasswd=False in /etc/selinux/semanage.conf to usepasswd=true, and genhomedircon was run (manually or automatically), and restorecon -r /var was run, then /var/empty and /var/empty/sshd have the wrong SELinux labels, and ssh login fails with "Connection closed by ...".

We run dnf-automatic; last night there were some updates that seem to run some of the commands above (I had changed /etc/selinux/semanage.conf before), which prevented us from logging in via ssh.

Journal contains message like
sshd[...]: fatal: chroot("/var/empty/sshd"): Permission denied [preauth]

Right SELinux labels:
drwxr-xr-x. 3 root root system_u:object_r:var_t:s0 4096  3. Jul 23:43 /var/empty
drwx--x--x. 2 root root unconfined_u:object_r:var_t:s0 4096  1. Jul 09:30 /var/empty/sshd

After changing the parameter to usepasswd=true and running the genhomedircon and then restorecon, we got the following changes:
# restorecon -rv /var/empty
restorecon reset /var/empty context system_u:object_r:var_t:s0->system_u:object_r:home_root_t:s0
restorecon reset /var/empty/sshd context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:user_home_dir_t:s0

Wrong SELinux labels:
drwxr-xr-x. 3 root root system_u:object_r:home_root_t:s0 4096  3. Jul 23:43 /var/empty
drwx--x--x. 2 root root unconfined_u:object_r:user_home_dir_t:s0 4096  1. Jul 09:30 /var/empty/sshd

After running genhomedircon, the file /etc/selinux/targeted/contexts/files/file_contexts.homedirs contains lines for "/var/empty/...".
After undoing the changes in /etc/selinux/semanage.conf and running the commands above again, then the entries for "/var/empty/..." are gone (as it was before the change).


I think there should be at least a warning in /etc/selinux/semanage.conf and the man page that setting usepasswd to true may break ssh login (and possibly other services).

Even better would be to prevent the wrong labels on /var/empty/...
This may be done by adding /var/empty (or /var/empty/sshd, I am not sure which one is right) to the parameter ignoredirs (it currently contains "/root").


Version-Release number of selected component (if applicable):
libsemanage-2.5-2.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora 24
2. Try ssh login.
3. sed -i -e 's/^usepasswd=False/usepasswd=true/' /etc/selinux/semanage.conf
4. genhomedircon
5. restorecon -rv /var
6. Try ssh login.


Actual results:
Step 2: ssh login successful.
Step 6: ssh login fails with "Connection closed by ..."

Expected results:
Step 2: ssh login successful.
Step 6: ssh login successful.
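As an added example (not part of the bug report or of libsemanage), a small POSIX shell check for the interaction described above: it reports whether a semanage.conf has usepasswd enabled without /var/empty or /var/empty/sshd (the entries the reporter proposes) in ignoredirs, and counts /var/empty entries in a generated file_contexts.homedirs, which is what the next restorecon would act on. The sample config and homedirs files are constructed inline; the ';' separator for ignoredirs is an assumption to verify against semanage.conf(5) on your system.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libsemanage: a defender's
# pre-flight check for the usepasswd/ignoredirs interaction described above.
# It runs here against constructed sample files; on a real host point it at
# /etc/selinux/semanage.conf and
# /etc/selinux/targeted/contexts/files/file_contexts.homedirs.

# conf_value FILE KEY: print the value of the last uncommented "KEY=value"
# line in FILE (a line starting with '#' never matches the anchored pattern).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_semanage_conf FILE: return 0 when usepasswd is off, or when it is on
# and ignoredirs lists /var/empty or /var/empty/sshd (the reporter's proposed
# workaround); return 1 when usepasswd is on with neither entry.
# Assumption: ignoredirs is a ';'-separated list; ':' is accepted as well.
check_semanage_conf() {
    usepasswd=$(conf_value "$1" usepasswd | tr '[:upper:]' '[:lower:]')
    ignoredirs=$(conf_value "$1" ignoredirs)
    case "$usepasswd" in
        true|yes|1) ;;
        *) echo "ok: usepasswd is off in $1"; return 0 ;;
    esac
    oldifs=$IFS
    IFS=';:'
    for d in $ignoredirs; do
        case "$d" in
            /var/empty|/var/empty/sshd)
                IFS=$oldifs
                echo "ok: usepasswd=true but $d is in ignoredirs"
                return 0 ;;
        esac
    done
    IFS=$oldifs
    echo "warning: $1 sets usepasswd=true without /var/empty in ignoredirs" >&2
    return 1
}

# count_entries FILE PREFIX: number of lines in a generated
# file_contexts.homedirs whose path pattern starts with PREFIX. A non-zero
# count for /var/empty means the next restorecon will relabel sshd's chroot.
count_entries() {
    grep -c "^$2" "$1" || true
}

# Constructed sample inputs (not copied from any real host); they are left
# in a temporary directory so the results can be inspected afterwards.
SAMPLE_DIR=$(mktemp -d)
DEFAULT_CONF=$SAMPLE_DIR/semanage.default.conf
BROKEN_CONF=$SAMPLE_DIR/semanage.broken.conf
FIXED_CONF=$SAMPLE_DIR/semanage.fixed.conf
HOMEDIRS=$SAMPLE_DIR/file_contexts.homedirs

printf '# usepasswd=true is only a comment here\nusepasswd=False\nignoredirs=/root\n' > "$DEFAULT_CONF"
printf 'usepasswd=true\nignoredirs=/root\n' > "$BROKEN_CONF"
printf 'usepasswd=true\nignoredirs=/root;/var/empty\n' > "$FIXED_CONF"
# Approximation of the entries the reporter saw appear for sshd's home dir.
printf '/home/[^/]+/.+\tunconfined_u:object_r:user_home_t:s0\n' > "$HOMEDIRS"
printf '/var/empty/sshd\t-d\tunconfined_u:object_r:user_home_dir_t:s0\n' >> "$HOMEDIRS"
printf '/var/empty\t-d\tsystem_u:object_r:home_root_t:s0\n' >> "$HOMEDIRS"

for f in "$DEFAULT_CONF" "$BROKEN_CONF" "$FIXED_CONF"; do
    check_semanage_conf "$f" || true
done
echo "/var/empty entries in $HOMEDIRS: $(count_entries "$HOMEDIRS" /var/empty)"
```

Running the check before genhomedircon (or as a hook in the automated update path that triggered it for the reporter) gives an operator a chance to catch the combination before restorecon relabels /var/empty/sshd and sshd's chroot starts failing.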

Comment 1 Fedora Update System 2016-10-05 20:29:31 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25 have been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef

Comment 2 Fedora Update System 2016-10-06 20:59:04 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 have been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef

Comment 3 Fedora Update System 2016-10-10 17:43:49 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 have been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.