Bug 1691914

Summary: console-login-helper-messages-motdgen: Generated MOTD not displayed - AVC denial
Product: [Fedora] Fedora Reporter: Robert Fairley <rfairley>
Component: console-login-helper-messagesAssignee: Robert Fairley <rfairley>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 29CC: dustymabe, rfairley
Target Milestone: ---   
Target Release: ---   
Hardware: noarch   
OS: Linux   
Whiteboard:
Fixed In Version: console-login-helper-messages-0.16-2.fc28 console-login-helper-messages-0.16-2.fc29 console-login-helper-messages-0.16-2.fc30 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-03 02:02:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Fairley 2019-03-22 19:53:18 UTC 
Description of problem:

console-login-helper-messages-motdgen-0.13-4.fc29 generates a file in /run/console-login-helper-messages/console-login-helper-messages.motd which is to be displayed upon SSH login. When logging in, the message is not displayed, and an AVC denial is given.

Version-Release number of selected component (if applicable):

0.13-4

How reproducible:

Always

Steps to Reproduce:
1. Log into a Fedora 29 system that you can SSH into later on (I'm using Fedora 29 Cloud Base to reproduce this). The file /etc/pam.d/sshd should have a line that looks like `session    optional     pam_motd.so` present.
2. Run `dnf update -y` to make sure the latest versions of selinux-policy and pam are present.
3. Run `dnf install -y console-login-helper-messages-motdgen to install the MOTD generation functionality.
4. Run `systemctl start console-login-helper-messages-motdgen.service` to run the unit that generates the MOTD.
5. SSH into the system as the user you installed `console-login-helper-messages-motdgen`.
6. Run `ausearch -m avc --start recent`. This will show an AVC denial that looks like:

```
time->Fri Mar 22 19:41:24 2019
type=AVC msg=audit(1553283684.735:139): avc:  denied  { read } for  pid=638 comm="sshd" name="console-login-helper-messages.motd" dev="tmpfs" ino=18184 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
```

Actual results:

The MOTD is not displayed on SSH login, and an AVC denial like above is given.


Expected results:

The MOTD displays on SSH login (the default generated by motdgen looks like `Fedora (29 (Cloud Edition))`), and no AVC denial is given.


Additional info:

A fix for this has been made and will be present in the v0.16 version of the package https://github.com/rfairley/console-login-helper-messages/releases/tag/v0.16. This bug is just filed for reference in case it comes up in an earlier version of the package.
Comment 1 Fedora Update System 2019-03-22 20:09:15 UTC 
console-login-helper-messages-0.16-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7a90d44da3
Comment 2 Fedora Update System 2019-03-22 20:26:33 UTC 
console-login-helper-messages-0.16-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b41fdb4c81
Comment 3 Fedora Update System 2019-03-22 21:04:21 UTC 
console-login-helper-messages-0.16-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f96dcbfe3a
Comment 4 Fedora Update System 2019-03-23 02:41:35 UTC 
console-login-helper-messages-0.16-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f96dcbfe3a
Comment 5 Fedora Update System 2019-03-23 03:13:02 UTC 
console-login-helper-messages-0.16-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b41fdb4c81
Comment 6 Fedora Update System 2019-04-02 13:52:56 UTC 
console-login-helper-messages-0.16-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c09c5fc553
Comment 7 Fedora Update System 2019-04-03 02:02:18 UTC 
console-login-helper-messages-0.16-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2019-04-03 02:27:25 UTC 
console-login-helper-messages-0.16-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c09c5fc553
Comment 9 Fedora Update System 2019-04-03 03:31:04 UTC 
console-login-helper-messages-0.16-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2019-04-14 00:01:29 UTC 
console-login-helper-messages-0.16-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.