Bug 1482554

Summary: SELinux is preventing SSHD to start from TCPD wrapper
Product: Fedora
Reporter: Jakub Jelen <jjelen>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: dominick.grift, dwalsh, ilmostro7, lsm5, lvrabec, mgrepl, plautrba, pmoore, ssekidde
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.1-18.fc28
Last Closed: 2018-03-26 22:31:56 UTC
Type: Bug

Description Jakub Jelen 2017-08-17 14:47:46 UTC
Description of problem:
OpenSSH is built with libwrap at this point. It will not be this way in the future, and those who would like to make use of tcp_wrappers can use the tcpd wrapper for "socket activated services". But this does not work with SELinux, probably because nobody has tried it yet.

Version-Release number of selected component (if applicable):
*

How reproducible:
deterministic

Steps to Reproduce:
 * Disable sshd.service
    systemctl disable sshd

 * Copy the shipped sshd@.service to /etc/:
    cp {/usr/lib,/etc}/systemd/system/sshd@.service

 * Modify the ExecStart line in the above file under /etc/ from
    ExecStart=-/usr/sbin/sshd -i $OPTIONS

  to
    ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS

 * Reload systemctl
    systemctl daemon-reload

 * Enable and start sshd.socket
    systemctl enable sshd.socket
    systemctl start sshd.socket

 * Verify that you can connect to new service (not working now, because it is blocked by SELinux).

Actual results:
The connection fails, AVCs appear.

Expected results:
Clients are able to connect to ssh.

Additional info:
I was able to make it work with the following SELinux modules:
 * Transition from tcpd_t to sshd_t
 * Allow sshd_t and sshd_net_t to read the socket passed from tcpd_t

[jjelen@t470s ~]$ cat mytcpd2.te 
policy_module(mytcpd2, 1.0.0)

gen_require(`
    type tcpd_t;
')

# Let tcpd_t transition to sshd_t when it executes sshd_exec_t,
# so sshd does not keep running in the tcpd domain.
optional_policy(`
    ssh_domtrans(tcpd_t)
')

[jjelen@t470s ~]$ cat mytcpd.cil 
; systemd (init_t) creates and listens on the activation socket, which is
; labelled after the service's executable (tcpd_t); sshd then inherits it.
(allow init_t tcpd_t (tcp_socket (create setopt bind listen accept getattr)))
(allow sshd_t tcpd_t (tcp_socket (getattr read setopt write)))
(allow sshd_net_t tcpd_t (tcp_socket (read write)))

; name_bind and node_bind are checked against the socket's own label (tcpd_t),
; not the label of the process that calls bind().
(allow tcpd_t ssh_port_t (tcp_socket (name_bind)))
(allow tcpd_t node_t (tcp_socket (node_bind)))
(allow tcpd_t tcpd_exec_t (file (execute_no_trans)))


It would be ideal to solve this somehow using a macro, because this will be needed for other services that currently use libwrap directly, and they might stop doing so in the near future. Most of the rules will be the same for them.

Also, it would make sense to gate this change by some SELinux boolean -- we probably do not want to allow that by default (can it be a security problem?).
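The (allow ...) rules in the reporter's mytcpd.cil are the denial-to-allow translation of the AVCs the reproduction steps produce. The following is an added example, not code from the bug report or from selinux-policy: it parses kernel AVC records and merges them into one CIL allow statement per (source type, target type, class) triple, which is the job audit2allow does for .te output. The audit records embedded in it are constructed for the example (pids, timestamps, inode numbers and comm values are made up); only the types and permissions are the ones the reporter's rules grant.

```python
"""Turn SELinux AVC denials into CIL allow rules.

Added example, not code from the bug report or from selinux-policy. It
derives, from audit records, the (allow ...) lines in the reporter's
mytcpd.cil so the origin of each rule is visible. The audit records below
are constructed for this example (made-up pids, timestamps, inodes);
the source/target types and permissions match the bug report's rules.
"""
import re
from collections import defaultdict

# Kernel AVC record shape: "avc:  denied  { perm ... } for  pid=... comm=...
# ... scontext=U:R:T:S tcontext=U:R:T:S tclass=CLASS permissive=0"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: the activation socket is labelled tcpd_t, systemd
# (init_t) sets it up, then sshd_t / sshd_net_t use the accepted connection.
# A SYSCALL record is mixed in to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1503000000.101:201): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000000.102:202): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000000.103:203): avc:  denied  { name_bind } for  pid=1 comm="systemd" src=22 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000000.104:204): avc:  denied  { node_bind } for  pid=1 comm="systemd" saddr=:: src=22 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000000.105:205): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000000.106:206): avc:  denied  { listen } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000001.201:207): avc:  denied  { accept } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000001.202:208): avc:  denied  { getattr } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000001.203:209): avc:  denied  { execute_no_trans } for  pid=4241 comm="tcpd" path="/usr/sbin/tcpd" dev="dm-0" ino=131313 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:tcpd_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1503000001.203:209): arch=c000003e syscall=59 success=no exit=-13 comm="tcpd" exe="/usr/sbin/tcpd" subj=system_u:system_r:tcpd_t:s0
type=AVC msg=audit(1503000001.301:210): avc:  denied  { read write } for  pid=4242 comm="sshd" path="socket:[12345]" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000001.302:211): avc:  denied  { getattr setopt } for  pid=4242 comm="sshd" path="socket:[12345]" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1503000001.401:212): avc:  denied  { read write } for  pid=4243 comm="sshd" path="socket:[12345]" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:tcpd_t:s0 tclass=tcp_socket permissive=0
"""


def context_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(log_text: str):
    """Collect denied permissions keyed by (source type, target type, class).

    Records for the same triple are merged, so bind/listen/accept denials
    raised by separate syscalls end up in a single allow rule.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH, ... records carry no denial to convert
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def to_cil(rules) -> list:
    """Render merged denials as CIL allow statements in a stable order."""
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    print("\n".join(to_cil(parse_denials(SAMPLE_AUDIT_LOG))))
```

In practice the input would be `ausearch -m AVC -ts recent` output and the result is loadable with `semodule -i mytcpd.cil`. The caveat the reporter's two-file fix illustrates: denial-to-allow conversion cannot produce the `ssh_domtrans(tcpd_t)` half. Without the transition, tcpd's exec of sshd shows up as a file denial on sshd_exec_t from tcpd_t, and allowing that would run sshd inside tcpd_t instead of sshd_t, which is why the generated rules must be read before they are loaded.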

Comment 1 Fedora End Of Life 2018-02-20 15:25:00 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 2 Fedora Update System 2018-03-25 13:11:44 UTC
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 3 Fedora Update System 2018-03-25 20:32:40 UTC
selinux-policy-3.14.1-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 4 Fedora Update System 2018-03-26 21:51:38 UTC
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 5 Fedora Update System 2018-03-26 22:31:56 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.