Bug 222333

Summary: lspp: error message and avc when starting sshd
Product: Red Hat Enterprise Linux 5
Reporter: Linda Knippers <linda.knippers>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5.0
CC: iboverma, krisw, sgrubb
Hardware: All
OS: Linux
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-08 02:14:42 UTC

Description Linda Knippers 2007-01-11 18:43:21 UTC
Description of problem:
When I boot a rhel5rcs6 ia64 box (don't think it's related to ia64)
with the MLS policy in enforcing mode, I get an error message from
the sshd init script and a couple of avcs.

Version-Release number of selected component (if applicable):
rhel5 snapshot 6
also running the latest policy and tools from Dan's RHEL5 selinux
repo.  Also running the lspp.62 kernel.  However, this was also
seen running the stock snapshot 6 build with the MLS policy.

How reproducible:
very

Steps to Reproduce:
1. Boot the system with the MLS policy in enforcing mode.

Actual results:
cp: cannot remove `/var/empty/sshd/etc/localtime': Permission denied
Starting sshd: [  OK  ]

Expected results:
No error

Additional info:

[root@cert-i4 init.d]# ls -ldZ !$
ls -ldZ /var/empty/sshd/etc
drwxr-xr-x  root root system_u:object_r:var_t:SystemLow /var/empty/sshd/etc

type=AVC msg=audit(1168539643.649:351): avc:  denied  { write } for  pid=1749
comm="cp" name="localtime" dev=dm-0 ino=1671338
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1168539643.649:351): arch=c0000032 syscall=1028
success=no exit=-13 a0=6000000000011d70 a1=201 a2=0 a3=0 items=0 ppid=1741
pid=1749 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="cp" exe="/bin/cp"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168539643.649:352): avc:  denied  { remove_name } for 
pid=1749 comm="cp" name="localtime" dev=dm-0 ino=1671338
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1168539643.649:352): arch=c0000032 syscall=1032
success=no exit=-13 a0=6000000000011d70 a1=201 a2=81a4 a3=c000000000000a99
items=0 ppid=1741 pid=1749 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="cp" exe="/bin/cp"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)

audit2allow says this, but I wonder if it's really an MLS issue rather
than a TE issue.
allow initrc_t var_t:dir remove_name;
allow initrc_t var_t:file write;
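
Added example, not part of the bug report or of the selinux-policy project: a small Python parser that reads AVC records like the ones above and merges the denials into audit2allow-style allow rules, keeping the MLS levels alongside the TE triple so the subject range (s0-s15:c0.c1023) can be compared with the object level (s0) when asking whether a denial is TE or MLS. The sample input is the report's two denials plus one granted record, re-joined onto single lines; the function names are assumptions.

```python
import re

# Constructed sample: AVC records from the bug report, each re-joined onto one line.
# The granted record is included to show that only denials are turned into rules.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1168539643.649:351): avc:  denied  { write } for  pid=1749 comm="cp" name="localtime" dev=dm-0 ino=1671338 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1168539643.649:351): arch=c0000032 syscall=1028 success=no exit=-13 comm="cp" exe="/bin/cp"
type=AVC msg=audit(1168539643.649:352): avc:  denied  { remove_name } for  pid=1749 comm="cp" name="localtime" dev=dm-0 ino=1671338 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1170559563.046:285): avc:  granted  { setfscreate } for  pid=1727 comm="cp" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
"""

# One AVC record: verdict, permission set, and the two contexts plus the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split user:role:type:level; the level itself may contain ':' (s0-s15:c0.c1023)."""
    user, role, type_, level = ctx.split(":", 3)
    return user, role, type_, level


def parse_avc_denials(text):
    """Yield (source type, target type, class, perms, subject level, object level) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        _, _, stype, slevel = split_context(m.group("scontext"))
        _, _, ttype, tlevel = split_context(m.group("tcontext"))
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split()), slevel, tlevel


def format_perms(perms):
    """audit2allow prints a single permission bare and several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def audit2allow_rules(text):
    """Merge denials into one 'allow' statement per (source type, target type, class)."""
    merged = {}
    for stype, ttype, tclass, perms, _, _ in parse_avc_denials(text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return sorted("allow %s %s:%s %s;" % (s, t, c, format_perms(p)) for (s, t, c), p in merged.items())


if __name__ == "__main__":
    for rule in audit2allow_rules(SAMPLE_AUDIT):
        print(rule)
```

The generated rules reproduce the two lines audit2allow printed for this report; the levels returned by parse_avc_denials show the subject range dominating the object level, which is the data point to look at before deciding the denial is an MLS constraint rather than a missing TE rule.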

Comment 3 Daniel Walsh 2007-01-11 20:24:28 UTC
Fixed in selinux-policy-2.4.6-25

Comment 4 Jay Turner 2007-01-12 13:32:20 UTC
QE ack for RHEL5.

Comment 5 Linda Knippers 2007-02-04 03:48:47 UTC
I'm running the Jan 31 rc and I'm seeing this problem again, only now I'm
getting additional error messages from the sshd start script.  It's
got selinux-policy-mls-2.4.6-30.el5, so shouldn't it have the fixes?


Generating SSH1 RSA host key: chmod: changing permissions of
`/etc/ssh/ssh_host_key': Permission denied
chmod: changing permissions of `/etc/ssh/ssh_host_key.pub': Permission denied
[  OK  ]
Generating SSH2 RSA host key: chmod: changing permissions of
`/etc/ssh/ssh_host_rsa_key': Permission denied
chmod: changing permissions of `/etc/ssh/ssh_host_rsa_key.pub': Permission denied
[  OK  ]
Generating SSH2 DSA host key: chmod: changing permissions of
`/etc/ssh/ssh_host_dsa_key': Permission denied
chmod: changing permissions of `/etc/ssh/ssh_host_dsa_key.pub': Permission denied
[  OK  ]
cp: cannot create regular file `/var/empty/sshd/etc/localtime': Permission denied
Starting sshd: [  OK  ]


AVCs:
type=AVC msg=audit(1170559562.079:279): avc:  denied  { setattr } for  pid=1715
comm="chmod" name="ssh_host_key" dev=dm-0 ino=2196745
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.079:279): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=180 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1715 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.080:280): avc:  denied  { setattr } for  pid=1716
comm="chmod" name="ssh_host_key.pub" dev=dm-0 ino=2196746
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.080:280): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=1a4 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.628:281): avc:  denied  { setattr } for  pid=1720
comm="chmod" name="ssh_host_rsa_key" dev=dm-0 ino=2196747
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.628:281): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=180 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.629:282): avc:  denied  { setattr } for  pid=1721
comm="chmod" name="ssh_host_rsa_key.pub" dev=dm-0 ino=2196748
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.629:282): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=1a4 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1721 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.909:283): avc:  denied  { setattr } for  pid=1724
comm="chmod" name="ssh_host_dsa_key" dev=dm-0 ino=2196750
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.909:283): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=180 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1724 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.910:284): avc:  denied  { setattr } for  pid=1725
comm="chmod" name="ssh_host_dsa_key.pub" dev=dm-0 ino=2196752
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.910:284): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=1a4 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559563.046:285): avc:  granted  { setfscreate } for 
pid=1727 comm="cp" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1170559563.046:285): arch=c0000032 syscall=1027
success=yes exit=30 a0=3 a1=6000000000011da0 a2=1e a3=c00000000000038b items=0
ppid=1706 pid=1727 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="cp" exe="/bin/cp"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559563.047:286): avc:  denied  { create } for  pid=1727
comm="cp" name="localtime" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1170559563.047:286): arch=c0000032 syscall=1028
success=no exit=-13 a0=6000000000011d70 a1=41 a2=81a4 a3=0 items=0 ppid=1706
pid=1727 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="cp" exe="/bin/cp"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)


Comment 6 Daniel Walsh 2007-02-05 21:45:01 UTC
Fixed in selinux-policy-2.4.6-36

Comment 7 RHEL Program Management 2007-02-08 02:14:42 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.