Bug 364971

Summary: /usr/sbin/sshd: Permission denied
Product: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: low
Reporter: John Poelstra <poelstra>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
CC: amlau, bugzilla, chris.stone, k.georgiou
Keywords: Reopened
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:06:25 UTC

Description John Poelstra 2007-11-03 01:52:34 UTC
Description of problem:

Install F8 x86_64 RC5 to hard disk from USB key.  Reboot box and try to enable sshd.

(1007)[root@localhost:~]# setenforce 1
(1008)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
                                                           [FAILED]
(1009)[root@localhost:~]# rpm -qa | grep selinux
libselinux-2.0.37-1.fc8
libselinux-python-2.0.37-1.fc8
selinux-policy-targeted-3.0.8-44.fc8
libselinux-2.0.37-1.fc8
selinux-policy-3.0.8-44.fc8
(1010)[root@localhost:~]# setenforce 0
(1011)[root@localhost:~]# service sshd start
Starting sshd:                                             [  OK  ]

type=SELINUX_ERR msg=audit(1194053949.966:55): security_compute_sid:  invalid
context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for
scontext=unconfined_u:system_r:initrc_t:s0
tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194053949.966:55): arch=c000003e syscall=59 success=yes
exit=0 a0=6fdb80 a1=6ff080 a2=6da5f0 a3=0 items=0 ppid=3497 pid=3506 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sshd"
exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

This error is not picked up by setroubleshoot.

Comment 1 John Poelstra 2007-11-05 03:03:11 UTC
Re-ran entire scenario and reproduced the problem again.

This time I was very careful to do nothing except try to start sshd after install.

Steps to reproduce:

1) boot x86_64 live image from USB key on desktop box
2) double-click desktop icon to install to hard disk
3) complete installation
4) reboot computer
5) answer firstboot questions accepting all defaults (except I turned the
firewall off).
6) create new user
7) login as new user
8) su -
9) # service sshd start
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
                                                           [FAILED]
From /var/log/audit/audit.log
type=SELINUX_ERR msg=audit(1194228419.395:22): security_compute_sid:  invalid
context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for
scontext=unconfined_u:system_r:initrc_t:s0
tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194228419.395:22): arch=c000003e syscall=59 success=no
exit=-13 a0=6fdb80 a1=6fed70 a2=6da5f0 a3=0 items=0 ppid=2653 pid=2674 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="sshd"
exe="/bin/bash" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Nothing in /var/log/messages

# rpm -qa | grep ssh
openssh-server-4.7p1-2.fc8
openssh-askpass-4.7p1-2.fc8
openssh-4.7p1-2.fc8
openssh-clients-4.7p1-2.fc8


Comment 2 Daniel Walsh 2007-11-05 16:41:15 UTC
semanage user -l | grep unconfined_u


Comment 3 Daniel Walsh 2007-11-05 16:42:00 UTC
semanage user -m -R "unconfined_r system_r" unconfined_u 

Should fix, but this is what was supposed to be there.

Comment 4 John Poelstra 2007-11-05 18:37:37 UTC
Doesn't fix the problem.

$ su -
Password: 
(1060)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
                                                           [FAILED]
(1061)[root@localhost:~]# semanage user -l | grep unconfined_u
unconfined_u    unconfined s0         s0                             system_r
unconfined_r
(1062)[root@localhost:~]# semanage user -m -R "unconfined_r system_r" unconfined_u
(1063)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
                                                           [FAILED]


Comment 5 Daniel Walsh 2007-11-05 20:31:16 UTC
I was wrong.

# semanage user -m -r s0-s0:c0.c1023 unconfined_u
Log out 
Log back in.
Should now work.  This change will be in the first update to F8.

fixed in selinux-policy-3.0.8-45

Comment 6 Tomas Mraz 2007-11-05 23:39:46 UTC
*** Bug 367191 has been marked as a duplicate of this bug. ***

Comment 7 Mike A. Harris 2007-11-09 08:14:32 UTC
Any ETA on when the selinux-policy with this fix will be released?  I don't need
it, but a lot of others are asking about it so I thought I'd ask.

TIA

Comment 8 Daniel Walsh 2007-11-12 14:42:15 UTC
selinux-policy-3.0.8-47 has been pushed to stable release.

Comment 9 Mike A. Harris 2007-11-12 15:27:46 UTC
Confirmed to solve the problem.  Thanks.


Comment 10 Need Real Name 2007-11-15 01:04:00 UTC
I have updated to selinux-policy-3.0.8-47.fc8 and when I run "service sshd
start" under enforcing, I still get the error:

Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied

The syslog shows:
setroubleshoot: #012    SELinux is preventing the /usr/sbin/sshd (sshd_t) from
binding to port 9445.#012     For complete SELinux messages. run sealert -l
ee4a216c-a935-4f86-8f70-6c71ab915896

sealert shows: 
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Affected RPM Packages         openssh-server-4.7p1-2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.inetd_bind_ports
Host Name                     xxxx.yyyy
Platform                      Linux xxxx.yyyy 2.6.23.1-42.fc8 #1 SMP Tue
                              Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed Nov 14 19:31:15 2007
Last Seen                     Wed Nov 14 19:31:15 2007
Local ID                      ee4a216c-a935-4f86-8f70-6c71ab915896
Line Numbers

Raw Audit Messages

avc: denied { name_bind } for comm=sshd egid=501 euid=501 exe=/usr/sbin/sshd
exit=0 fsgid=501 fsuid=501 gid=501 items=0 pid=3921
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=501 src=9445
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=501 tclass=tcp_socket
tcontext=system_u:object_r:port_t:s0 tty=(none) uid=501


Comment 11 Need Real Name 2007-11-15 01:12:03 UTC
oops... I just realized that the syslog and sealert that I gave in the previous
message were from BEFORE upgrading the selinux policy.

However, I *still* get the same error when trying to restart 'sshd' though I no
longer get any syslog selinux messages. However, when I set selinux to
permissive, everything works, so this is still an selinux problem, I think.

Comment 12 Daniel Walsh 2007-11-15 13:59:26 UTC
Why is sshd trying to bind to port 9445?

Could you attach the output of 

# semanage user -l
# semanage login -l


Comment 13 Mike A. Harris 2007-11-16 21:37:59 UTC
sshd works fine for me and a number of others on x86_64 after the update.

AFAICS, the bug is fixed.  Anyone having problems still is probably experiencing
some other bug FWIW.

HTH

Comment 14 Christopher Stone 2007-12-10 19:55:50 UTC
Hi, I just upgraded from F-7 to F-8 and I am experiencing problems similar to
this bug.

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.8-62.fc8
^^ using latest version


# service xinetd start
Starting xinetd: /bin/bash: /usr/sbin/xinetd: Permission denied
                                                           [FAILED]
Dec 10 11:53:36 localhost kernel: audit(1197316416.341:10):
security_compute_sid:  invalid context user_u:system_r:inetd_t:s0-s0:c0.c1023
for scontext=user_u:system_r:initrc_t:s0
tcontext=system_u:object_r:inetd_exec_t:s0 tclass=process


I also get problems with sshd; after reading this bug I tried it and got:
Dec 10 11:45:34 localhost kernel: audit(1197315934.073:8): security_compute_sid:
 invalid context user_u:system_r:sshd_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0
tclass=process


Comment 15 Daniel Walsh 2007-12-10 21:15:05 UTC
Try

# semanage login -m -s unconfined_u __default__

Log all the way out, log back in and see if you can start the process.

Comment 16 Christopher Stone 2007-12-10 21:57:49 UTC
# semanage login -m -s unconfined_u __default__
libsemanage.validate_handler: selinux user unconfined_u does not exist No such
file or directory.
libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0)]
is invalid No such file or directory.
libsemanage.dbase_llist_iterate: could not iterate over records No such file or
directory.
/usr/sbin/semanage: Could not modify login mapping for __default__


Pasting this output before logging out...

Comment 17 Christopher Stone 2007-12-10 22:16:46 UTC
Error still persists after completely logging out from KDE and also after a
complete reboot.

Comment 18 Daniel Walsh 2007-12-10 22:33:52 UTC
OK, the post-install was supposed to do the following.

semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
unconfined_u
semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__

Could you try that?
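
An added diagnostic (not from this bug report or from the selinux-policy package) for the security_compute_sid "invalid context" lines pasted in this thread: it parses the SELINUX_ERR line and the matching `semanage user -l` row and reports whether the SELinux user in the rejected context is undefined (comment 16), lacks the role (comment 3's fix), or lacks the MLS range (comment 5's fix and the post-install commands above). The audit line and the semanage rows are constructed samples in the shape this bug shows, and the MLS containment check is a simplified form of the kernel's range check.

```python
import re

# Constructed samples shaped like this bug's evidence (not the reporter's real output):
# a SELINUX_ERR line and `semanage user -l` rows (user, prefix, MLS level, MLS range, roles).
AUDIT_LINE = ("type=SELINUX_ERR msg=audit(1194228419.395:22): security_compute_sid:  "
              "invalid context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for "
              "scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process")
USERS_NO_ROLE = "unconfined_u  unconfined  s0  s0              unconfined_r\n"
USERS_NO_RANGE = "unconfined_u  unconfined  s0  s0              system_r unconfined_r\n"
USERS_FIXED = "unconfined_u  unconfined  s0  s0-s0:c0.c1023  system_r unconfined_r\n"

def parse_level(level):
    """'s0:c0.c3,c5' -> (0, {0, 1, 2, 3, 5}); a bare 's0' has no categories."""
    sens, _, cats = level.partition(":")
    catset = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        catset.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), catset

def parse_range(mls):
    """'s0-s0:c0.c1023' -> (low, high); a single level is its own low and high."""
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)

def range_covers(user_range, needed):
    """Simplified MLS containment: user low dominated by needed low, user high dominates needed high."""
    (ulo, uhi), (nlo, nhi) = parse_range(user_range), parse_range(needed)
    return ulo[0] <= nlo[0] and ulo[1] <= nlo[1] and uhi[0] >= nhi[0] and uhi[1] >= nhi[1]

def semanage_users(text):
    """Parse `semanage user -l` rows into {user: (mls_range, set_of_roles)}."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: (f[3], set(f[4:])) for f in rows
            if len(f) >= 5 and re.match(r"s\d+$", f[2])}  # header lines are skipped

def diagnose(audit_line, semanage_text):
    """Explain an 'invalid context' line: the user is undefined, lacks the role, or lacks the range."""
    m = re.search(r"invalid\s+context\s+(\S+)\s+for\s+scontext=", audit_line)
    if not m:
        return []
    user, role, _type, needed = m.group(1).split(":", 3)
    users = semanage_users(semanage_text)
    if user not in users:
        return ["SELinux user %s is not defined" % user]
    mls_range, roles = users[user]
    findings = [] if role in roles else ["role %s missing from %s" % (role, user)]
    if not range_covers(mls_range, needed):
        findings.append("range %s of %s does not cover %s" % (mls_range, user, needed))
    return findings
```

On a live system the second argument would be the output of `semanage user -l`; the findings map directly onto the `-R` (roles) and `-r` (range) options used in the fixes above.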

Comment 19 Christopher Stone 2007-12-10 22:50:24 UTC
This fixes the problem for me, not sure why that wasn't run when I did the
upgrade.  Thanks for the help.

Comment 20 Daniel Walsh 2007-12-12 22:05:47 UTC
Fixed in selinux-policy-3.0.8-68

Comment 21 Daniel Walsh 2008-01-30 19:06:25 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.