Bug 2187353
| Summary: | SELinux detects sshd writing to its own binary /usr/sbin/sshd | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | jan |
| Component: | openssh | Assignee: | Dmitry Belyavskiy <dbelyavs> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 37 | CC: | crypto-team, dbelyavs, dwalsh, jjelen, lkundrak, mattias.ellert, tm |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | Flags: | dbelyavs:
needinfo?
(jan) |
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Is it still relevant? |
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Build Identifier: SELinux detected that sshd is writing to /usr/sbin/sshd (see the report below). This happened several times in the past, but not very regularly. I've checked the integrity of the installed RPMs on the system and was not able to find anything pointing to a rootkit. Any idea what's going on here? SELinux is preventing sshd from write access on the file /usr/sbin/sshd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sshd should be allowed write access on the sshd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sshd' --raw | audit2allow -M my-sshd # semodule -X 300 -i my-sshd.pp Additional Information: Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023 Target Context system_u:object_r:sshd_exec_t:s0 Target Objects /usr/sbin/sshd [ file ] Source sshd Source Path sshd Port <Unknown> Host dupre.underworld.lan Source RPM Packages Target RPM Packages openssh-server-8.8p1-9.fc37.x86_64 SELinux Policy RPM selinux-policy-targeted-37.19-1.fc37.noarch Local Policy RPM selinux-policy-targeted-37.19-1.fc37.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name dupre.underworld.lan Platform Linux dupre.underworld.lan 6.2.7-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Mar 17 16:16:00 UTC 2023 x86_64 x86_64 Alert Count 13 First Seen 2022-07-03 14:59:55 CEST Last Seen 2023-04-13 12:14:21 CEST Local ID b3618271-3987-4712-917b-519cc59a884a Raw Audit Messages type=AVC msg=audit(1681380861.264:117421): avc: denied { write } for pid=1619349 comm="sshd" name="sshd" dev="dm-0" ino=26681080 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file permissive=0 Hash: sshd,sshd_t,sshd_exec_t,file,write Reproducible: Couldn't Reproduce Steps to Reproduce: I cannot not reproduce it on demand. It happened two times on the same day and before that for a long time not at all (months).