Bug 1813023
| Summary: | selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Paul Moore <paul> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | 32 | CC: | dwalsh, grepl.miroslav, gtwilliams, ipedrosa, jjelen, kdudka, lvrabec, plautrba, ppisar, tdecacqu, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.6-8.fc33 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-02 00:31:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Paul Moore
2020-03-12 18:18:32 UTC
Hi Paul,

With the same policy version, ssh works for me, either for user root or non-root. Do you use confined users? Is there anything else special in your settings? Are there avc/user_avc/selinux_err denials logged?

---

Hi Zdenek,

I can't believe I forgot to include the AVCs; I'm sorry about that! Here is a quick reproducer from my test system; this is a current Fedora Rawhide system, if it helps to better understand the bug.

```
# ausearch -m AVC -i
<no matches>
# ssh root@localhost -- id -Z
root@localhost's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ausearch -m AVC -i
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
# setenforce 1
# ssh root@localhost -- id -Z
root@localhost's password:
client_loop: send disconnect: Broken pipe
# ausearch -m AVC -i
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:59.935:220) : avc: denied { create } for pid=991 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
```

---

Hi Paul! I also expected a PR, not only a bugzilla ticket.

Just kidding :P We want to look into it. @Jakub, are there any changes in the sshd component in Rawhide?

Thanks, Lukas.

---

We also have a similar one for cockpit: https://bugzilla.redhat.com/show_bug.cgi?id=1812901

---

With a full Rawhide update today I also see the same error; suspecting some library. Investigating further.

---

Paul, could you please try to downgrade pam?

---

Latest pam started to use selinux_check_access() instead of security_compute_av(). selinux_check_access() calls `(void) avc_netlink_check_nb();`, which matches on the "netlink" substring with tclass.

---

Ok, it's related to https://bugzilla.redhat.com/show_bug.cgi?id=1680961 and to the change I described in comment 5. The following rule should fix it:

```
allow login_pgm self:netlink_selinux_socket manage_socket_perms;
```

cil version:

```
# cat > pamnetlink.cil <<EOF
(allow login_pgm self (netlink_selinux_socket (create bind)))
EOF
# semodule -i pamnetlink.cil
```

---

```
allow login_pgm self:netlink_selinux_socket create_socket_perms;
```

sorry

---

*** Bug 1812901 has been marked as a duplicate of this bug. ***

---

FYI the fix is going to be available soon - https://src.fedoraproject.org/rpms/selinux-policy/pull-request/54

---

A build for Fedora Rawhide is available: https://koji.fedoraproject.org/koji/taskinfo?taskID=42445203

---

I confirm selinux-policy-3.14.6-8.fc33 fixes it.

---

I can also confirm that selinux-policy-3.14.6-8.fc33 fixed the SSH login problem - thanks everyone!

---

*** Bug 1813388 has been marked as a duplicate of this bug. ***

---

pam-1.3.1-24.fc32, selinux-policy-3.14.5-30.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

---

FEDORA-2020-d0986e01cd has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

---

This problem affects fc31 with selinux-policy-3.14.4-50.fc31.noarch. This version was installed from the fc31 updates-testing repo.

---

FEDORA-2020-d0986e01cd has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.
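As an added example (not code from the bug report or the selinux-policy project), a small Python checker that applies the thread's diagnosis to `ausearch -m AVC -i` output: it flags create/bind denials on netlink_selinux_socket taken by a login-program domain and separates the permissive-mode records (logged, login still succeeded) from the enforcing one that actually broke the login. The sshd_t-only domain set and the sample records are assumptions constructed from the thread.

```python
"""Added example (not the bug report's code): scan `ausearch -m AVC -i`
output for the netlink_selinux_socket denials discussed in this bug and
separate blocking denials (enforcing) from audit-only ones (permissive)."""
import re

# Constructed sample modelled on the three records quoted in the thread:
# two logged in permissive mode, one after `setenforce 1` broke the login.
SAMPLE_AUSEARCH = """\
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:59.935:220) : avc: denied { create } for pid=991 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
"""

# Assumption: only sshd_t is checked; add your other login_pgm domains here.
LOGIN_DOMAINS = {"sshd_t"}
NETLINK_PERMS = {"create", "bind"}  # what avc_netlink_check_nb() needs

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?\bcomm=(?P<comm>\S+)"
    r".*?\bscontext=\w+:\w+:(?P<stype>\w+):"
    r".*?\btclass=(?P<tclass>\w+)\s+permissive=(?P<permissive>[01])")

def parse_avc(text):
    """One dict per AVC record; perms as a set, permissive as a bool."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            rec["permissive"] = rec["permissive"] == "1"
            records.append(rec)
    return records

def netlink_login_denials(text):
    """Records with this bug's signature: a login-program domain denied
    create/bind on its own netlink_selinux_socket.  'blocking' is True only
    for denials taken in enforcing mode, i.e. logins that really failed."""
    hits = []
    for rec in parse_avc(text):
        if (rec["stype"] in LOGIN_DOMAINS
                and rec["tclass"] == "netlink_selinux_socket"
                and rec["perms"] & NETLINK_PERMS):
            hits.append({"comm": rec["comm"], "perms": rec["perms"],
                         "blocking": not rec["permissive"]})
    return hits
```

A non-empty result with `blocking` set is the case the thread describes; the fix is the `login_pgm` netlink_selinux_socket rule quoted above (shipped in selinux-policy-3.14.6-8.fc33).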