Bug 364971

Summary: /usr/sbin/sshd: Permission denied
Product: [Fedora] Fedora Reporter: John Poelstra <poelstra>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: urgent Docs Contact:
Priority: low    
Version: rawhideCC: amlau, bugzilla, chris.stone, k.georgiou
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-30 14:06:25 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description John Poelstra 2007-11-02 21:52:34 EDT
Description of problem:

Install F8 x86_64 RC5 to hardisk from USB key.  Reboot box and try to enable sshd

(1007)[root@localhost:~]# setenforce 1
(1008)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
(1009)[root@localhost:~]# rpm -qa | grep selinux
(1010)[root@localhost:~]# setenforce 0
(1011)[root@localhost:~]# service sshd start
Starting sshd:                                             [  OK  ]

type=SELINUX_ERR msg=audit(1194053949.966:55): security_compute_sid:  invalid
context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for
tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194053949.966:55): arch=c000003e syscall=59 success=yes
exit=0 a0=6fdb80 a1=6ff080 a2=6da5f0 a3=0 items=0 ppid=3497 pid=3506 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sshd"
exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

This error is not picked up by setroubleshoot.
Comment 1 John Poelstra 2007-11-04 22:03:11 EST
Re-ran entire scenario and reproduced the problem again.

This time I was very careful to do nothing except try to start sshd after install.

Steps to reproduce:

1) boot x86_64 live image from USB key on desktop box
2) double-click desktop icon to install to harddisk
3) complete installation
4) reboot computer
5) answer firstboot questions accepting all defaults (except I turned the
firewall off).
6) create new user
7) login as new user
8) su -
9) # service sshd start
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
From /var/log/audit/audit.log
type=SELINUX_ERR msg=audit(1194228419.395:22): security_compute_sid:  invalid
context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for
tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194228419.395:22): arch=c000003e syscall=59 success=no
exit=-13 a0=6fdb80 a1=6fed70 a2=6da5f0 a3=0 items=0 ppid=2653 pid=2674 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="sshd"
exe="/bin/bash" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Nothing in /var/log/messages

# rpm -qa | grep ssh
Comment 2 Daniel Walsh 2007-11-05 11:41:15 EST
semanage user -l | grep unconfined_u
Comment 3 Daniel Walsh 2007-11-05 11:42:00 EST
semanage user -m -R "unconfined_r system_r" unconfined_u 

Should fix, but this is what was supposed to be there.
Comment 4 John Poelstra 2007-11-05 13:37:37 EST
doesn't fix the problem

$ su -
(1060)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
(1061)[root@localhost:~]# semanage user -l | grep unconfined_u
unconfined_u    unconfined s0         s0                             system_r
(1062)[root@localhost:~]# semanage user -m -R "unconfined_r system_r" unconfined_u
(1063)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
Comment 5 Daniel Walsh 2007-11-05 15:31:16 EST
I was wrong 

# semanage user -m -r s0-s0:c0.c1023 unconfined_u
Log out 
Log back in.
Should now work.  This change will be in first update to F8

fixed in selinux-policy-3.0.8-45
Comment 6 Tomas Mraz 2007-11-05 18:39:46 EST
*** Bug 367191 has been marked as a duplicate of this bug. ***
Comment 7 Mike A. Harris 2007-11-09 03:14:32 EST
Any ETA on when the selinux-policy with this fix will be released?  I don't need
it, but a lot of others are asking about it so I thought I'd ask.

Comment 8 Daniel Walsh 2007-11-12 09:42:15 EST
selinux-policy-3.0.8-47 has been pushed to stable release.
Comment 9 Mike A. Harris 2007-11-12 10:27:46 EST
Confirmed to solve the problem.  Thanks.
Comment 10 Need Real Name 2007-11-14 20:04:00 EST
I have updated to selinux-policy-3.0.8-47.fc8 and when I run "service sshd
start" under enforcing, I still get the error:

Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied

The syslog shows:
setroubleshoot: #012    SELinux is preventing the /usr/sbin/sshd (sshd_t) from
binding to port 9445.#012     For complete SELinux messages. run sealert -l

sealert shows: 
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Affected RPM Packages         openssh-server-4.7p1-2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.inetd_bind_ports
Host Name                     xxxx.yyyy
Platform                      Linux xxxx.yyyy #1 SMP Tue
                              Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed Nov 14 19:31:15 2007
Last Seen                     Wed Nov 14 19:31:15 2007
Local ID                      ee4a216c-a935-4f86-8f70-6c71ab915896
Line Numbers

Raw Audit Messages

avc: denied { name_bind } for comm=sshd egid=501 euid=501 exe=/usr/sbin/sshd
exit=0 fsgid=501 fsuid=501 gid=501 items=0 pid=3921
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=501 src=9445
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=501 tclass=tcp_socket
tcontext=system_u:object_r:port_t:s0 tty=(none) uid=501
Comment 11 Need Real Name 2007-11-14 20:12:03 EST
oops... I just realized that the syslog and sealert that I gave in the previous
message were from BEFORE upgrading the selinux policy.

However, I *still* get the same error when trying to restart 'sshd' though I no
longer get any syslog selinux messages. However, when I set selinux to
permissive, everything works, so this is still an selinux problem, I think.
Comment 12 Daniel Walsh 2007-11-15 08:59:26 EST
Why is sshd trying to bind to port 9445?

Could you attach the output of 

# semanage user -l
# semanage login -l
Comment 13 Mike A. Harris 2007-11-16 16:37:59 EST
sshd works fine for me and a number of other on x86_64 after the update.

AFAICS, the bug is fixed.  Anyone having problems still is probably experiencing
some other bug FWIW.

Comment 14 Christopher Stone 2007-12-10 14:55:50 EST
Hi, I just upgraded from F-7 to F-8 and I am experiencing problems similar to
this bug.

# rpm -q selinux-policy-targeted
^^ using latest version

# service xinetd start
Starting xinetd: /bin/bash: /usr/sbin/xinetd: Permission denied
Dec 10 11:53:36 localhost kernel: audit(1197316416.341:10):
security_compute_sid:  invalid context user_u:system_r:inetd_t:s0-s0:c0.c1023
for scontext=user_u:system_r:initrc_t:s0
tcontext=system_u:object_r:inetd_exec_t:s0 tclass=process

I also get problems with sshd after reading this bug I tried it and got:
Dec 10 11:45:34 localhost kernel: audit(1197315934.073:8): security_compute_sid:
 invalid context user_u:system_r:sshd_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0
Comment 15 Daniel Walsh 2007-12-10 16:15:05 EST

# semanage login -m -s unconfined_u __default__

Log all the way out, log back in and see if you can start the process.
Comment 16 Christopher Stone 2007-12-10 16:57:49 EST
# semanage login -m -s unconfined_u __default__
libsemanage.validate_handler: selinux user unconfined_u does not exist No such
file or directory.
libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0)]
is invalid No such file or directory.
libsemanage.dbase_llist_iterate: could not iterate over records No such file or
/usr/sbin/semanage: Could not modify login mapping for __default__

Pasting this output before logging out...
Comment 17 Christopher Stone 2007-12-10 17:16:46 EST
Error still persists after completely logging out from KDE and also after a
complete reboot.
Comment 18 Daniel Walsh 2007-12-10 17:33:52 EST
Ok the post install was supposed to do the following.

semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__

Could you try that.
Comment 19 Christopher Stone 2007-12-10 17:50:24 EST
This fixes the problem for me, not sure why that wasn't run when I did the
upgrade.  Thanks for the help.
Comment 20 Daniel Walsh 2007-12-12 17:05:47 EST
Fixed in selinux-policy-3.0.8-68
Comment 21 Daniel Walsh 2008-01-30 14:06:25 EST
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.