Bug 2036585

Summary: sshd failing to open "/proc/sys/fs/nr_open"

Product: Red Hat Enterprise Linux 9
Component: selinux-policy
Version: 9.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: 9.0
Fixed In Version: selinux-policy-34.1.22-1.el9
Last Closed: 2022-05-17 15:50:02 UTC
Type: Bug

Reporter: Anuj Borah <aborah>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: ipedrosa, lvrabec, mmalik, ssekidde
Keywords: AutoVerified, Triaged
Flags: pm-rhel: mirror+
Doc Type: No Doc Update
Clones: 2061403

Description Anuj Borah 2022-01-03 09:52:29 UTC
Description of problem:

This is what SELinux reports:
time->Mon Jan  3 09:59:40 2022
type=AVC msg=audit(1641200380.380:449): avc:  denied  { read } for  pid=1817 comm="sshd" name="nr_open" dev="proc" ino=14415 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0

The file that is failing to open is "/proc/sys/fs/nr_open".

How reproducible: Always

Steps to Reproduce:

Run this script: https://github.com/RedHatQE/pam/blob/main/multihost_test/bz_automation/test_bz_automation.py

Use the steps provided in the bz: https://bugzilla.redhat.com/show_bug.cgi?id=1989900

Actual results:

User is unable to ssh to the machine.

Expected results:

User should be able to log in.

Additional info:

Comment 1 Iker Pedrosa 2022-01-03 10:22:09 UTC
sshd fails to open "/proc/sys/fs/nr_open" because pam_limits has been configured to use an "unlimited" value for the nofile option.

Comment 2 Milos Malik 2022-01-03 11:03:26 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(01/03/2022 06:01:46.037:298) : proctitle=sshd: test-user [priv] 
type=PATH msg=audit(01/03/2022 06:01:46.037:298) : item=0 name=/proc/sys/fs/nr_open inode=11559 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/03/2022 06:01:46.037:298) : cwd=/ 
type=SYSCALL msg=audit(01/03/2022 06:01:46.037:298) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fc8918bc0c5 a2=O_RDONLY a3=0x0 items=1 ppid=739 pid=4024 auid=test-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2022 06:01:46.037:298) : avc:  denied  { read } for  pid=4024 comm=sshd name=nr_open dev="proc" ino=11559 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0 
----

Comment 3 Milos Malik 2022-01-03 11:05:07 UTC
# ls -ilZ /proc/sys/fs/nr_open 
11559 -rw-r--r--. 1 root root system_u:object_r:sysctl_fs_t:s0 0 Jan  3 05:57 /proc/sys/fs/nr_open
# rpm -qa selinux\*
selinux-policy-34.1.20-1.el9.noarch
selinux-policy-targeted-34.1.20-1.el9.noarch
#

Comment 4 Milos Malik 2022-01-03 11:06:58 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(01/03/2022 06:05:57.287:334) : proctitle=sshd: test-user [priv] 
type=PATH msg=audit(01/03/2022 06:05:57.287:334) : item=0 name=/proc/sys/fs/nr_open inode=11559 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/03/2022 06:05:57.287:334) : cwd=/ 
type=SYSCALL msg=audit(01/03/2022 06:05:57.287:334) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7f62913b90c5 a2=O_RDONLY a3=0x0 items=1 ppid=739 pid=4055 auid=test-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=6 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2022 06:05:57.287:334) : avc:  denied  { open } for  pid=4055 comm=sshd path=/proc/sys/fs/nr_open dev="proc" ino=11559 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(01/03/2022 06:05:57.287:334) : avc:  denied  { read } for  pid=4055 comm=sshd name=nr_open dev="proc" ino=11559 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/03/2022 06:05:57.287:335) : proctitle=sshd: test-user [priv] 
type=PATH msg=audit(01/03/2022 06:05:57.287:335) : item=0 name= inode=11559 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/03/2022 06:05:57.287:335) : cwd=/ 
type=SYSCALL msg=audit(01/03/2022 06:05:57.287:335) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x5 a1=0x7f6291a94ff5 a2=0x7ffd0d872800 a3=0x1000 items=1 ppid=739 pid=4055 auid=test-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=6 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/03/2022 06:05:57.287:335) : avc:  denied  { getattr } for  pid=4055 comm=sshd path=/proc/sys/fs/nr_open dev="proc" ino=11559 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 
----

Comment 5 Milos Malik 2022-01-03 11:12:35 UTC
One of the reproducers:

# grep test-user /etc/security/limits.conf
test-user	hard	nofile	unlimited
# useradd test-user
# passwd test-user
Changing password for user test-user.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
# ssh test-user@localhost
...
test-user@localhost's password: 
Connection to localhost closed.
#
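
An added diagnostic example, not code from the bug report or from the selinux-policy project: a small Python parser that groups the AVC records quoted in comments 2 and 4 by source type, target type and object class and renders the minimal allow rule they imply, which is what one compares against the policy fix. It handles both the raw audit.log form (comm="sshd") and the ausearch -i form (comm=sshd) seen on this page; the sample records are copied from comment 4.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records from the permissive-mode
# run in comment 4, in the ausearch -i (interpreted) format quoted there.
SAMPLE_AVCS = """\
type=AVC msg=audit(01/03/2022 06:05:57.287:334) : avc:  denied  { open } for  pid=4055 comm=sshd path=/proc/sys/fs/nr_open dev="proc" ino=11559 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/03/2022 06:05:57.287:334) : avc:  denied  { read } for  pid=4055 comm=sshd name=nr_open dev="proc" ino=11559 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/03/2022 06:05:57.287:335) : avc:  denied  { getattr } for  pid=4055 comm=sshd path=/proc/sys/fs/nr_open dev="proc" ino=11559 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
"""

# Only the denied permission set, the two contexts and the class matter for
# a policy rule, so everything between "for" and "scontext=" is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # user:role:type:range -> the type is what policy rules are written against
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group every denied permission by (source type, target type, class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

def as_allow_rules(summary):
    """Render each group as the allow rule the policy would need to grant."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

On a host with the fixed package, `sesearch -A -s sshd_t -t sysctl_fs_t -c file` (from setools) should list the same permissions as granted.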

Comment 11 Zdenek Pytela 2022-01-11 14:20:28 UTC
I've submitted a Fedora PR to revert the previous incorrect commit and add the required permission:
https://github.com/fedora-selinux/selinux-policy/pull/994

Comment 18 Iker Pedrosa 2022-01-12 12:02:29 UTC
Thanks for your hard work and for solving it so quickly!

Comment 21 errata-xmlrpc 2022-05-17 15:50:02 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918