Bug 222373
Summary: | lspp: avc when starting xinetd with mls policy | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Linda Knippers <linda.knippers> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.0 | CC: | iboverma, krisw, sgrubb |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | RC | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-02-08 02:15:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Linda Knippers
2007-01-11 22:02:46 UTC
Fixed in selinux-policy-2.4.6-25

I'm now running the MLS selinux-policy-2.4.6-25, along with the other latest packages from Dan's repo, and I can no longer ssh into the system. I don't know if the problem is related to the fix for this bugzilla, but since it involves sshd it seems plausible. If you think it's unrelated I can open a different bugzilla.

When I attempt to ssh in I get this:

```
<flounder:ljk> ssh cert-i4.zko.hp.com
Password:
Last login: Thu Jan 11 18:24:36 2007 from flounder.zko.hp.com
/bin/bash: Permission denied
Connection to cert-i4.zko.hp.com closed.
```

and these messages in the audit log:

```
type=USER_LOGIN msg=audit(1168558670.807:88): user pid=1929 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" (hostname=flounder.zko.hp.com, addr=16.116.113.236, terminal=/dev/pts/0 res=success)'
type=AVC msg=audit(1168558670.808:89): avc: denied { execute_no_trans } for pid=1938 comm="sshd" name="bash" dev=dm-0 ino=1703940 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1168558670.808:89): arch=c0000032 syscall=1033 success=no exit=-13 a0=2000000800a99220 a1=60000fffff4194a8 a2=2000000800aabbe0 a3=d items=0 ppid=1937 pid=1938 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1168558670.808:89): path="/bin/bash"
type=CRED_DISP msg=audit(1168558670.863:90): user pid=1929 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ljk : exe="/usr/sbin/sshd" (hostname=flounder.zko.hp.com, addr=16.116.113.236, terminal=ssh res=success)'
type=USER_END msg=audit(1168558670.881:91): user pid=1929 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session close acct=ljk : exe="/usr/sbin/sshd" (hostname=flounder.zko.hp.com, addr=16.116.113.236, terminal=ssh res=success)'
```

I get similar AVCs with a non-admin account.

```
type=USER_LOGIN msg=audit(1168558813.708:105): user pid=1971 uid=0 auid=501 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='uid=501: exe="/usr/sbin/sshd" (hostname=flounder.zko.hp.com, addr=16.116.113.236, terminal=/dev/pts/0 res=success)'
type=AVC msg=audit(1168558813.709:106): avc: denied { execute_no_trans } for pid=1980 comm="sshd" name="bash" dev=dm-0 ino=1703940 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1168558813.709:106): arch=c0000032 syscall=1033 success=no exit=-13 a0=2000000800a99220 a1=60000fffffce94a8 a2=2000000800aabc40 a3=d items=0 ppid=1979 pid=1980 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1168558813.709:106): path="/bin/bash"
type=CRED_DISP msg=audit(1168558813.762:107): user pid=1971 uid=0 auid=501 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ljknoadmin : exe="/usr/sbin/sshd" (hostname=flounder.zko.hp.com, addr=16.116.113.236, terminal=ssh res=success)'
type=USER_END msg=audit(1168558813.780:108): user pid=1971 uid=0 auid=501 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session close acct=ljknoadmin : exe="/usr/sbin/sshd" (hostname=flounder.zko.hp.com, addr=16.116.113.236, terminal=ssh res=success)'
```

With the latest couple of installs, if sshd is not running as system_u you will not be allowed to log in. The way to get ssh back to running as system_u is to reboot or, from an existing login or console login, execute `run_init /etc/init.d/sshd restart`

QE ack for RHEL5. kylene.

sshd should only be started with run_init. If you are sysadmin and you try to run the application any other way in enforcing mode, it should give you permission denied.

Back to the original subject, I no longer get the original AVC but now I get this one when restarting xinetd.

```
type=AVC msg=audit(1168627434.319:280): avc: denied { name_bind } for pid=3840 comm="xinetd" src=2222 scontext=system_u:system_r:inetd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1168627434.319:280): arch=c0000032 syscall=1191 success=yes exit=0 a0=5 a1=60000ffffe5c7708 a2=10 a3=60000ffffe5c7704 items=0 ppid=3839 pid=3840 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xinetd" exe="/usr/sbin/xinetd" subj=system_u:system_r:inetd_t:s0-s15:c0.c1023 key=(null)
```

You need to tell selinux this is a valid port for inetd to bind to.

`semanage port -a -t inetd_child_port_t -p tcp 2222`

Regarding comment #4 above, where ssh stopped working altogether, I believe it's because my previous update picked up the new openssh packages and I hadn't updated my pam configuration as specified in bz 220487. I've done that now and ssh is working again, so ignore comment #4.

Regarding comment #8 above, that avc is due to the /etc/xinetd.d/sshd-mls file installed by the current version of the lspp configuration script. It's either no longer needed or the script needs to register the port, so we'll sort that out separately. Thanks for the help.

A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
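The records in this thread are the kind of AVC output an administrator ends up reading by hand before deciding whether a `semanage port` label, a `run_init` restart or a policy change is the right fix. The script below is an added example and is not code from the bug report or from selinux-policy: it parses AVC lines into source domain, target type, object class and denied permission, and for a `name_bind` denial against the generic `port_t` type it prints the `semanage port -a` command used in the thread. The `port_type_for_domain` table is an assumption that covers only the `inetd_t` case discussed here, and the sample records are constructed from the two AVC lines quoted above.

```shell
#!/bin/sh
# Added example for this bug page; not code from the bug report or from
# selinux-policy. Parses SELinux AVC records and, for a name_bind denial
# against the generic port_t type, prints the `semanage port -a` command
# that labels the port for the denied domain (as done in the thread).

# Constructed sample input: the two AVC records quoted in the bug, one per line.
SAMPLE_AVCS='type=AVC msg=audit(1168558670.808:89): avc: denied { execute_no_trans } for pid=1938 comm="sshd" name="bash" dev=dm-0 ino=1703940 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1168627434.319:280): avc: denied { name_bind } for pid=3840 comm="xinetd" src=2222 scontext=system_u:system_r:inetd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Assumed domain -> port type table. Only the inetd_t case from this bug is
# filled in; look the right type up in the loaded policy (seinfo -t, from
# setools) before adding more rows.
port_type_for_domain() {
    case "$1" in
        inetd_t) echo inetd_child_port_t ;;
        *)       echo "" ;;
    esac
}

# parse_avc LINE: print "perms|source-domain|target-type|class|comm|src-port".
# Missing fields print as "-". Non-AVC lines print nothing.
parse_avc() {
    printf '%s\n' "$1" | awk '
    /^type=AVC / {
        # the denied permission list sits between the braces
        match($0, /[{][^}]*[}]/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        src = "-"; tclass = "-"; comm = "-"; sdom = "-"; ttype = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
            # the type is the third colon-separated field of a context
            if (k == "scontext")      { split(v, c, ":"); sdom = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
            else if (k == "tclass")   tclass = v
            else if (k == "src")      src = v
            else if (k == "comm")     comm = v
        }
        print perms "|" sdom "|" ttype "|" tclass "|" comm "|" src
    }'
}

# port_fix_for_avc LINE: print the semanage command for a name_bind denial on
# port_t; return 1 (print nothing) for any other record.
port_fix_for_avc() {
    line=$1
    fields=$(parse_avc "$line")
    [ -n "$fields" ] || return 1
    oldifs=$IFS; IFS='|'; set -- $fields; IFS=$oldifs
    perms=$1; sdom=$2; ttype=$3; tclass=$4; src=$6
    [ "$perms" = "name_bind" ] && [ "$ttype" = "port_t" ] || return 1
    case "$tclass" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *)          return 1 ;;
    esac
    ptype=$(port_type_for_domain "$sdom")
    [ -n "$ptype" ] || return 1
    printf 'semanage port -a -t %s -p %s %s\n' "$ptype" "$proto" "$src"
}

# Demo: triage every sample record; the xinetd one yields the semanage line.
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r line; do
    parse_avc "$line"
    port_fix_for_avc "$line" || echo "  no port labelling fix applies; run audit2why on this record"
done
```

On a live system the same functions can be fed from the audit log with `ausearch -m AVC -ts recent | grep '^type=AVC'`. The execute_no_trans record deliberately gets no automatic fix: as the thread shows, that denial came from sshd running in the wrong context (start it with `run_init`) and from a stale PAM configuration, neither of which a port label would address, so the script only points at `audit2why` for it.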