Bug 1477613

Summary: Update SELinux policy for SSH and Crypto policies
Product: [Fedora] Fedora Reporter: Jakub Jelen <jjelen>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, lsm5, lvrabec, mgrepl, plautrba, pmoore, ssekidde
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-14 15:46:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1479271    

Description Jakub Jelen 2017-08-02 13:23:26 UTC
Description of problem:
The Crypto policies in server requires some changes in the SSHD server structure and we went a way of simple script instead of modification of the SSHD server itself.

From there we need to create a temporary files under /run/openssh/, but the sshd server is not allowed to read the files with the labels under this path.

So far, there is a hack in the PreStart script, that changes the label to etc_t from var_run_t so we can start the daemon.

ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME

Better solution would be to create a special label for this file (and directory) so it is accessible only by the SSHD.

The AVC we are getting without this workaround:
type=AVC msg=audit(1501604780.224:775): avc:  denied  { read } for  pid=2789 comm="sshd" name="sshd_config" dev="tmpfs" ino=59058 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Alternatively we can also create some policy for helper script /usr/libexec/openssh/sshd-pre

Version-Release number of selected component (if applicable):
Fedora 27

How reproducible:
always

Steps to Reproduce:
1. Install openssh
2. Remove the above workaround from /usr/libexec/openssh/sshd-pre
3. Remove /run/openssh/sshd_config
4. Restart the sshd service

Actual results:
The service fails, the above AVC is visible in the audit log

Expected results:
The service starts, no AVCs

Additional info:

https://fedoraproject.org/wiki/Changes/OpenSSH_Server_Crypto_Policy

Comment 1 Jakub Jelen 2017-08-14 15:46:30 UTC
Solved differently in the latest build. Closing this bug.