Bug 1475107 - SELinux is preventing sshd from write access on the directory /etc/pki/nssdb

| Field | Value |
|---|---|
| Product | Fedora |
| Component | selinux-policy |
| Version | 27 |
| Status | CLOSED INSUFFICIENT_DATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Paul DeStefano <prd-fedora> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, jjelen, lsm5, lvrabec, mgrepl, plautrba, pmoore, prd-fedora, ssekidde |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2018-01-08 12:23:09 UTC |
Description
Paul DeStefano
2017-07-26 05:07:00 UTC

Still getting this.

Comment
Jakub Jelen

I do not see this with my machine. Only a variation of this from Fedora 26:

```
type=AVC msg=audit(1502967804.961:1757): avc: denied { search } for pid=21528 comm="sshd" name="pki" dev="dm-1" ino=655367 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
```

The OpenSSH code itself certainly does not need to touch this, but it might be some PAM module or even SSSD? Can you share some timestamped debug log from SSHD if you can reproduce it, so we could pinpoint where it comes from?

Comment
Paul DeStefano

Ah, right; I'm remembering now. I have yubikey libs installed and configured in PAM for SSH. I think that is why this happens. I remember now, I reported it before. Sorry, I guess it doesn't matter. Do you think it matters? If it were to get fixed, would that be the yubikey or the selinux package?

Comment
Jakub Jelen

Which yubikey libs? `pam_yubico`? What for? OTP? Does it work regardless of this AVC?

Comment
Paul DeStefano

Yes, pam_yubico. I have all the yubikey pkgs installed for management, too, btw. OTP, yes, exactly. Yes, even with the AVC, there isn't any problem authenticating.

Comment
Jakub Jelen

I believe it is a local OTP, so for this I don't see any reason why it would need to consult the NSS PKI database. I believe the NSS DB initialization is in the PAM module for other means of authentication, for example local, and it is merely a bug in the pam module. From the SELinux point of view, I don't think it makes sense to allow this, even conditionally.

Comment
Paul DeStefano

YubiKey OTP is network based and TLS secured. I think that's why it tries. Could that be it?

Comment
Jakub Jelen

If it is network based, then it should certainly check against the NSS DB. But then comes the question of why it works without it. Are you able to get some debug logs from the pam module?

Comment
Paul DeStefano

I could try, I think there is a debug option for that module. Okay, let me see what I can find... Jakub, thank you for the help!

Comment
Paul DeStefano

Hmm, I tried to debug pam_yubico, but it wouldn't produce a debug file, as directed. I'm confused.

To make matters worse, SEAlert is misbehaving; it doesn't show any AVCs, even though it pops up in the system tray. Nevertheless, I checked the journal manually, and now I see that the last time this AVC was logged was 6 Dec 2017, before comment 1, but after I upgraded to Fedora 27. So, it seems like it's gone. I think SEAlert has been confusing me by not really deleting reports I told it to delete.

Comment
Lukas Vrabec

Thanks, Paul, for the research. I'll close this BZ; feel free to re-open it if you see this denial again.

Lukas.
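The thread turns on one question the reporter had to answer by reading the journal by hand after SEAlert stopped showing alerts: is the `tcpd_t` -> `cert_t` search denial still being logged, and when was it last seen? The script below is an added example, not part of the Bugzilla report and not Fedora or setroubleshoot code. It parses raw AVC records, groups denials by source type, target type, object class and permission, and reports how often and how recently each group was logged. The first sample record is the denial quoted in the report; the remaining records are constructed for the demo, with invented pids, inodes and timestamps (the second one is dated 2017-12-06 to mirror the "last logged 6 Dec 2017" observation).

```python
"""Triage SELinux AVC denials from raw audit records, independent of sealert.

Added example. The first sample line is the record quoted in the bug report;
the rest are constructed for this demo.
"""
import re
from collections import Counter
from datetime import datetime, timezone

SAMPLE_AUDIT_LINES = [
    # Real record from the report: sshd running in tcpd_t, searching /etc/pki (cert_t).
    'type=AVC msg=audit(1502967804.961:1757): avc: denied { search } for pid=21528 comm="sshd" '
    'name="pki" dev="dm-1" ino=655367 scontext=system_u:system_r:tcpd_t:s0 '
    'tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0',
    # Constructed: the same denial recurring later (1512554400 = 2017-12-06 10:00:00 UTC).
    'type=AVC msg=audit(1512554400.000:2001): avc:  denied  { search } for  pid=30011 comm="sshd" '
    'name="pki" dev="dm-1" ino=655367 scontext=system_u:system_r:tcpd_t:s0 '
    'tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0',
    # Constructed: an unrelated denial, to show that grouping keeps it separate.
    'type=AVC msg=audit(1512554401.000:2002): avc:  denied  { read } for  pid=30012 comm="httpd" '
    'name="index.html" dev="dm-1" ino=99999 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    # Constructed: a non-AVC audit record, which the parser must skip.
    'type=SYSCALL msg=audit(1512554400.000:2001): arch=c000003e syscall=257 success=no exit=-13',
]

# Tolerates both single and double spacing, since audit output and pasted copies differ.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<sec>\d+)\.\d+:(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of an SELinux context (user:role:TYPE[:level])."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record type."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        # audit(SECONDS.MILLIS:SERIAL): the first number is a Unix timestamp.
        'time': datetime.fromtimestamp(int(m.group('sec')), tz=timezone.utc),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
    }


def parse_audit(lines):
    """Keep only the lines that are AVC records."""
    return [r for r in (parse_avc(line) for line in lines) if r is not None]


def summarize_denials(records):
    """Group denials by (source type, target type, class, permission) -> (count, last seen)."""
    counts = Counter()
    last_seen = {}
    for r in records:
        if r['result'] != 'denied':
            continue
        for perm in r['perms']:
            key = (r['source_type'], r['target_type'], r['tclass'], perm)
            counts[key] += 1
            if key not in last_seen or r['time'] > last_seen[key]:
                last_seen[key] = r['time']
    return {key: (counts[key], last_seen[key]) for key in counts}


def last_denial_for(records, source_type, target_type):
    """When was a denial from source_type on target_type last logged? None if never."""
    times = [r['time'] for r in records
             if r['result'] == 'denied'
             and r['source_type'] == source_type and r['target_type'] == target_type]
    return max(times) if times else None


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUDIT_LINES)
    for (src, tgt, cls, perm), (n, when) in sorted(summarize_denials(recs).items()):
        print(f'{n:3d}x  {src} -> {tgt} ({cls}:{perm})  last {when:%Y-%m-%d %H:%M:%S} UTC')
    print('tcpd_t -> cert_t last seen:', last_denial_for(recs, 'tcpd_t', 'cert_t'))
```

To run it against a real system, feed it the output of `ausearch -m AVC --raw` (or the `type=AVC` lines from the journal) instead of the sample list. The last-seen time is the value that settled this report: if the group has not been logged since a given date, the denial is gone regardless of what SEAlert is or is not showing.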