Bug 1559355
| Summary: | The machine is accessible through the sshd.socket (tcpd) dispite hosts.deny settings | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lukas Ruzicka <lruzicka> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | dwalsh, jjelen, lvrabec, mgrepl, plautrba, pmoore |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-03-23 16:16:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Lukas Ruzicka
2018-03-22 11:33:58 UTC
Fixed in newer version of selinux-policy package. https://koji.fedoraproject.org/koji/buildinfo?buildID=1061018 I'll create new update soon. I have installed the packages from Koji and still have the same issue.
===
Name : selinux-policy
Version : 3.14.1
Release : 16.fc28
Architecture: noarch
Install Date: Čt 22. březen 2018, 13:07:39 CET
Group : System Environment/Base
Size : 24429
License : GPLv2+
Signature : (none)
Source RPM : selinux-policy-3.14.1-16.fc28.src.rpm
Build Date : St 21. březen 2018, 20:11:28 CET
Build Host : buildvm-aarch64-09.arm.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : %{git0-base}
Bug URL : https://bugz.fedoraproject.org/selinux-policy
Summary : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
====
Did you enable the `ssh_use_tcpd` SELinux boolean after installing the update? To verify, list the booleans state:
semanage boolean --list | grep ssh_use_tcpd
I did not have it enabled, so I have enabled it, and still allows me to log in. I also tried to setenforce to 0, but no difference. Please, make sure that:
* sshd.service is stopped
systemctl status sshd.service
* sshd.socket is enabled and started
systemctl status sshd.socket
* sshd@.service is using the modified ExecPath
systemctl cat sshd@.service
* systemd daemon is reloaded:
systemctl daemon-reload
Also attach the output of the above commands.
(In reply to Jakub Jelen from comment #5) > * sshd.service is stopped ----------------------------------------------- ● sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: enabled) Drop-In: /etc/systemd/system/sshd.service.d └─filter.conf Active: inactive (dead) since Fri 2018-03-23 12:57:56 CET; 30min ago Docs: man:sshd(8) man:sshd_config(5) Main PID: 1321 (code=exited, status=0/SUCCESS) bře 23 12:43:37 localhost.localdomain systemd[1]: Starting OpenSSH server daemon... bře 23 12:43:37 localhost.localdomain sshd[1321]: Server listening on 0.0.0.0 port 22. bře 23 12:43:37 localhost.localdomain sshd[1321]: Server listening on :: port 22. bře 23 12:43:37 localhost.localdomain systemd[1]: Started OpenSSH server daemon. bře 23 12:57:56 localhost.localdomain sshd[1321]: Received signal 15; terminating. bře 23 12:57:56 localhost.localdomain systemd[1]: Stopping OpenSSH server daemon... bře 23 12:57:56 localhost.localdomain systemd[1]: Stopped OpenSSH server daemon. --------------------------------------------------- * sshd.socket is enabled and started -------------------------------------------------- ● sshd.socket - OpenSSH Server Socket Loaded: loaded (/usr/lib/systemd/system/sshd.socket; enabled; vendor preset: disabled) Active: active (listening) since Fri 2018-03-23 13:00:56 CET; 28min ago Docs: man:sshd(8) man:sshd_config(5) Listen: [::]:22 (Stream) Accepted: 4; Connected: 0 Tasks: 0 (limit: 2891) Memory: 36.0K CGroup: /system.slice/sshd.socket bře 23 13:00:56 localhost.localdomain systemd[1]: Listening on OpenSSH Server Socket. -------------------------------------------------- * sshd@.service is using the modified ExecPath -------------------------------------------------- [Unit] Description=OpenSSH per-connection server daemon Documentation=man:sshd(8) man:sshd_config(5) Wants=sshd-keygen.target After=sshd-keygen.target [Service] EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config EnvironmentFile=-/etc/sysconfig/sshd ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY StandardInput=socket -------------------------------------------------- * systemd daemon is reloaded: systemctl daemon-reload done, returned an empty line Jakub Jelen helped me to troubleshoot my settings and he was able to find out that I misinterpreted the location of the sshd@.service file. After I moved the file in the correct location, the the test case works as expected. Thank you, Jakub, very much for your help. I am veryfing this bug. |