Bug 2379871
Summary: | avc: denied { getattr } for pid=1215 comm="sshd-session" path="/var/lib/lastlog/lastlog2.db" dev="sda6" ino=117596106 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1 | |
---|---|---|---
Product: | Fedora | Reporter: | Bruno Goncalves <bgoncalv>
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela>
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | high | |
Version: | rawhide | CC: | dwalsh, lvrabec, mikhail.v.gavrilov, mmalik, nixuser, omosnacek, pkoncity, vmojzis, zdohnal, zpytela
Target Milestone: | --- | Flags: | zpytela: mirror+
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | ---
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2025-08-05 07:56:27 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 2360108 | |
Description
Bruno Goncalves
2025-07-14 08:04:25 UTC
Bruno, I am pretty sure the denials were not in place on Friday. Do you modify any default pam- or ssh-related configuration? And please provide:

```
$ rpm -qa util-linux* openssh liblastlog2
```

Seen on a 1MT Fedora rawhide machine after doing "dnf update" and rebooting the machine:

```
----
type=PROCTITLE msg=audit(07/14/2025 04:30:45.942:127) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/14/2025 04:30:45.942:127) : item=0 name=/var/lib/lastlog/ inode=262583 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/14/2025 04:30:45.942:127) : cwd=/
type=SYSCALL msg=audit(07/14/2025 04:30:45.942:127) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d92f9eb104 a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=1 ppid=884 pid=918 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/14/2025 04:30:45.942:127) : avc: denied { create } for pid=918 comm=sshd-session name=lastlog2.db scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
```

The following journal message matches the previous SELinux denial:

```
Jul 14 04:30:45 local-vm-name sshd-session[918]: pam_lastlog2(sshd:session): Cannot create/open database (/var/lib/lastlog/lastlog2.db): unable to open database file
```

```
# rpm -qf /usr/lib/systemd/system/lastlog2-import.service
liblastlog2-2.41.1-10.fc43.x86_64
# rpm -qa --scripts | grep lastlog
/usr/bin/authselect select local with-silent-lastlog --force --nobackup &> /dev/null
### Enable after completing migration to lastlog2
# %post -n liblastlog2
/usr/lib/systemd/systemd-update-helper install-system-units lastlog2-import.service || :
# %postun -n liblastlog2
# rpm -qf /usr/lib64/security/pam_lastlog2.so
liblastlog2-2.41.1-10.fc43.x86_64
# strings /usr/lib64/security/pam_lastlog2.so | grep ^/
/dev/
/var/lib/lastlog/lastlog2.db
#
```

The same issue was encountered in the Vim test suite in rawhide: https://artifacts.dev.testing-farm.io/f887599f-ac91-4249-bdba-b2c7eafb62cd/work-public178qz597/plans/public/execute/data/guest/default-0/Regression/bz1490927-vim-dumps-core-when-system-reboots-4/checks/avc.txt

Just for the sake of completeness, here are the SELinux denials caught in permissive mode:

```
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.322:177) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.322:177) : item=0 name=/var/lib/lastlog/lastlog2.db inode=2120 dev=fd:02 mode=file,644 ouid=root ogid=gdm rdev=00:00 obj=system_u:object_r:xdm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.322:177) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.322:177) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x55bc96eb1c68 a2=0x7fff8b7f44e0 a3=0x100 items=1 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.322:177) : avc: denied { getattr } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db dev="vda2" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.322:178) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.322:178) : item=0 name=/var/lib/lastlog/lastlog2.db inode=2120 dev=fd:02 mode=file,644 ouid=root ogid=gdm rdev=00:00 obj=system_u:object_r:xdm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.322:178) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.322:178) : arch=x86_64 syscall=openat success=yes exit=8 a0=AT_FDCWD a1=0x55bc96eb1404 a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=1 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.322:178) : avc: denied { open } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db dev="vda2" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/16/2025 07:27:40.322:178) : avc: denied { read write } for pid=1635 comm=sshd-session name=lastlog2.db dev="vda2" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.323:179) : proctitle=sshd-session: root [priv]
type=SYSCALL msg=audit(07/16/2025 07:27:40.323:179) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x8 a1=F_SETLK a2=0x7fff8b7f55e0 a3=0x0 items=0 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.323:179) : avc: denied { lock } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db dev="vda2" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.323:180) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.323:180) : item=1 name=/var/lib/lastlog/lastlog2.db-journal inode=2036 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(07/16/2025 07:27:40.323:180) : item=0 name=/var/lib/lastlog/ inode=1838 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.323:180) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.323:180) : arch=x86_64 syscall=openat success=yes exit=10 a0=AT_FDCWD a1=0x55bc96eb1422 a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=2 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.323:180) : avc: denied { read write open } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db-journal dev="vda2" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/16/2025 07:27:40.323:180) : avc: denied { create } for pid=1635 comm=sshd-session name=lastlog2.db-journal scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.323:181) : proctitle=sshd-session: root [priv]
type=SYSCALL msg=audit(07/16/2025 07:27:40.323:181) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xa a1=0x7fff8b7f5e00 a2=0x0 a3=0x1a4 items=0 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.323:181) : avc: denied { getattr } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db-journal dev="vda2" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.323:182) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.323:182) : item=0 name=(null) inode=2036 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.323:182) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.323:182) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xa a1=0x0 a2=0x2a a3=0x1a4 items=1 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.323:182) : avc: denied { setattr } for pid=1635 comm=sshd-session name=lastlog2.db-journal dev="vda2" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.332:183) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.332:183) : item=1 name=/var/lib/lastlog/lastlog2.db-journal inode=2036 dev=fd:02 mode=file,644 ouid=root ogid=gdm rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(07/16/2025 07:27:40.332:183) : item=0 name=/var/lib/lastlog/ inode=1838 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.332:183) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.332:183) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x55bc96eb1422 a1=0x55bc96eb1422 a2=0x0 a3=0x0 items=2 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.332:183) : avc: denied { unlink } for pid=1635 comm=sshd-session name=lastlog2.db-journal dev="vda2" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
```

Apparently, the SELinux label of the lastlog2.db file depends on the first process which creates it:

```
# ls -dlZ /var/lib/lastlog/
drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0 4096 Jul 16 07:27 /var/lib/lastlog/
# ls -dlZ /var/lib/lastlog/lastlog2.db
-rw-r--r--. 1 root gdm system_u:object_r:xdm_var_lib_t:s0 12288 Jul 16 07:27 /var/lib/lastlog/lastlog2.db
# restorecon -Rv /var/lib/
Relabeled /var/lib/lastlog/lastlog2.db from system_u:object_r:xdm_var_lib_t:s0 to system_u:object_r:var_lib_t:s0
#
```

*** Bug 2381604 has been marked as a duplicate of this bug. ***

*** Bug 2382114 has been marked as a duplicate of this bug. ***

*** Bug 2382125 has been marked as a duplicate of this bug. ***

*** Bug 2382390 has been marked as a duplicate of this bug. ***

*** Bug 2382553 has been marked as a duplicate of this bug. ***

*** Bug 2381605 has been marked as a duplicate of this bug. ***
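As an added example (not part of the bug report or of the selinux-policy project), the script below parses the AVC lines quoted in the comments above, aggregates denied permissions per source type, target type and object class, and flags any object that was denied under more than one target type, which is the labelling inconsistency the last comment observes for lastlog2.db (var_lib_t when sshd creates it, xdm_var_lib_t when gdm got there first). The sample lines are copied from the audit records above; the parsing and grouping functions are mine.

```python
import re
from collections import defaultdict

# Sample input: AVC records copied from this bug, plus one non-AVC record
# (PROCTITLE) to show that it is skipped by the parser.
SAMPLE = [
    "type=PROCTITLE msg=audit(07/14/2025 04:30:45.942:127) : proctitle=sshd-session: root [priv]",
    "type=AVC msg=audit(07/14/2025 04:30:45.942:127) : avc: denied { create } for pid=918 comm=sshd-session name=lastlog2.db scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0",
    "type=AVC msg=audit(07/16/2025 07:27:40.322:177) : avc: denied { getattr } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db dev=\"vda2\" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1",
    "type=AVC msg=audit(07/16/2025 07:27:40.322:178) : avc: denied { read write } for pid=1635 comm=sshd-session name=lastlog2.db dev=\"vda2\" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1",
    "type=AVC msg=audit(07/16/2025 07:27:40.323:180) : avc: denied { read write open } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db-journal dev=\"vda2\" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = frozenset(m.group("perms").split())
    # The third field of a security context is the type (sshd_t, var_lib_t, ...).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # Reduce to the basename so name=lastlog2.db and path=/var/lib/.../lastlog2.db match.
    rec["object"] = (rec.get("path") or rec["name"]).rsplit("/", 1)[-1]
    rec["enforced"] = rec.get("permissive") == "0"   # denied for real, not just logged
    return rec

def summarize(lines):
    """Group denied permissions by (source type, target type, class) and list
    objects that were denied under more than one target type."""
    by_rule = defaultdict(set)
    labels = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        by_rule[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
        labels[rec["object"]].add(rec["ttype"])
    conflicts = {obj: sorted(t) for obj, t in labels.items() if len(t) > 1}
    return dict(by_rule), conflicts

if __name__ == "__main__":
    rules, conflicts = summarize(SAMPLE)
    for (s, t, c), perms in sorted(rules.items()):
        print(f"{s} -> {t} ({c}): {' '.join(sorted(perms))}")
    for obj, types in conflicts.items():
        print(f"{obj} seen under several labels: {', '.join(types)}")
```

Fed the full audit log instead of SAMPLE, the conflict list is a quick way to tell a file whose label depends on which domain created it from an ordinary missing allow rule.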