Bug 1417908

Could you run following command on your machine?

# seinfo --portcon=443

The seinfo tool comes from setools-console package.

Based on the first AVC, the TCP port 443 is labeled openvpn_port_t on your machine. That's strange.

The second AVC needs to be fixed in selinux-policy:

# sesearch -s sshd_t -t cert_t -c dir -A -C -p write

# sesearch -s sshd_t -t cert_t -c dir -D -C -p write

#

Thanks a lot Milos for the quick reply :).

> # seinfo --portcon=443

	portcon tcp 443 system_u:object_r:openvpn_port_t:s0
	portcon tcp 443 system_u:object_r:http_port_t:s0
	portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
	portcon udp 1-511 system_u:object_r:reserved_port_t:s0

> Based on the first AVC, the TCP port 443 is labeled openvpn_port_t on your
> machine. That's strange.

Actually is not, I've openvpn tcp connection on port 443, and therefore it is tagged to make it work in that way. Would this be a problem? I'm not really sure why it should be trying to bind to port 443.

> The second AVC needs to be fixed in selinux-policy:
> 
> # sesearch -s sshd_t -t cert_t -c dir -A -C -p write
> # sesearch -s sshd_t -t cert_t -c dir -D -C -p write

Both commands return empty

(In reply to Fabio Alessandro Locati from comment #4)

> Actually is not, I've openvpn tcp connection on port 443, and therefore it
> is tagged to make it work in that way. Would this be a problem?

I just didn't know why the TCP port 443 got such a label.

> I'm not
> really sure why it should be trying to bind to port 443.

Me neither.

Fabio, 
I would say that you have some issues with labeling. From comment#4, it's looks like you have tcp port 443 labeled as openvpn_port_t which is wrong.

Thanks.
I've removed the openvpn_port_t tag:

	portcon tcp 443 system_u:object_r:http_port_t:s0
	portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
	portcon udp 1-511 system_u:object_r:reserved_port_t:s0

And now that problem went away.

type=AVC msg=audit(1485943073.033:4411402): avc:  denied  { write } for  pid=5393 comm="sshd" name="nssdb" dev="xvda1" ino=8523394 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir

is still there.


I've created the following policy, which fixes it:

	policy_module(local_pam_yubikey, 1.0)

	gen_require(`
	  type sshd_t;
	  type cert_t;
	')

	allow sshd_t cert_t:dir write;

Thought I'm not very sure _why_ pam_yubikey is trying to write in the nssdb. A caching thing for certificate pinning, maybe?

Cheers,
Fale

Hi, 

Are you able to reproduce the issue? 

Lukas.

I'm seeing the nssdb SELinux message as well with pam_yubico - though it doesn't appear to be affecting operation any for me.

Just as a side note - I ended up using a proxy configuration going through port 8080.  I needed to allow sshd_t access to http_cache_port_t as well.  I'm not sure how common that will be though.

This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days