Bug 364971
Summary: | /usr/sbin/sshd: Permission denied | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | John Poelstra <poelstra> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | urgent | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | amlau, bugzilla, chris.stone, k.georgiou |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Current | Doc Type: | Bug Fix |
Last Closed: | 2008-01-30 19:06:25 UTC | Type: | --- |
Description
John Poelstra
2007-11-03 01:52:34 UTC
Re-ran entire scenario and reproduced the problem again. This time I was very careful to do nothing except try to start sshd after install.

Steps to reproduce:
1) boot x86_64 live image from USB key on desktop box
2) double-click desktop icon to install to harddisk
3) complete installation
4) reboot computer
5) answer firstboot questions accepting all defaults (except I turned the firewall off).
6) create new user
7) login as new user
8) su -
9) # service sshd start

    Generating SSH1 RSA host key: [ OK ]
    Generating SSH2 RSA host key: [ OK ]
    Generating SSH2 DSA host key: [ OK ]
    Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied [FAILED]

From /var/log/audit/audit.log

    type=SELINUX_ERR msg=audit(1194228419.395:22): security_compute_sid: invalid context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
    type=SYSCALL msg=audit(1194228419.395:22): arch=c000003e syscall=59 success=no exit=-13 a0=6fdb80 a1=6fed70 a2=6da5f0 a3=0 items=0 ppid=2653 pid=2674 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="sshd" exe="/bin/bash" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Nothing in /var/log/messages

    # rpm -qa | grep ssh
    openssh-server-4.7p1-2.fc8
    openssh-askpass-4.7p1-2.fc8
    openssh-4.7p1-2.fc8
    openssh-clients-4.7p1-2.fc8

    semanage user -l | grep unconfined_u
    semanage user -m -R "unconfined_r system_r" unconfined_u

Should fix, but this is what was supposed to be there.

doesn't fix the problem

    $ su -
    Password:
    (1060)[root@localhost:~]# service sshd start
    Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied [FAILED]
    (1061)[root@localhost:~]# semanage user -l | grep unconfined_u
    unconfined_u unconfined s0 s0 system_r unconfined_r
    (1062)[root@localhost:~]# semanage user -m -R "unconfined_r system_r" unconfined_u
    (1063)[root@localhost:~]# service sshd start
    Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied [FAILED]

I was wrong

    # semanage user -m -r s0-s0:c0.c1023 unconfined_u

Log out
Log back in.

Should now work.

This change will be in first update to F8

fixed in selinux-policy-3.0.8-45

*** Bug 367191 has been marked as a duplicate of this bug. ***

Any ETA on when the selinux-policy with this fix will be released? I don't need it, but a lot of others are asking about it so I thought I'd ask. TIA

selinux-policy-3.0.8-47 has been pushed to stable release.

Confirmed to solve the problem. Thanks.

I have updated to selinux-policy-3.0.8-47.fc8 and when I run "service sshd start" under enforcing, I still get the error:

    Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied

The syslog shows:

    setroubleshoot: #012 SELinux is preventing the /usr/sbin/sshd (sshd_t) from binding to port 9445.#012 For complete SELinux messages. run sealert -l ee4a216c-a935-4f86-8f70-6c71ab915896

sealert shows:

    Source Context        system_u:system_r:sshd_t:s0-s0:c0.c1023
    Target Context        system_u:object_r:port_t:s0
    Target Objects        None [ tcp_socket ]
    Affected RPM Packages openssh-server-4.7p1-2.fc8 [application]
    Policy RPM            selinux-policy-3.0.8-44.fc8
    Selinux Enabled       True
    Policy Type           targeted
    MLS Enabled           True
    Enforcing Mode        Permissive
    Plugin Name           plugins.inetd_bind_ports
    Host Name             xxxx.yyyy
    Platform              Linux xxxx.yyyy 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686
    Alert Count           1
    First Seen            Wed Nov 14 19:31:15 2007
    Last Seen             Wed Nov 14 19:31:15 2007
    Local ID              ee4a216c-a935-4f86-8f70-6c71ab915896
    Line Numbers

    Raw Audit Messages

    avc: denied { name_bind } for comm=sshd egid=501 euid=501 exe=/usr/sbin/sshd exit=0 fsgid=501 fsuid=501 gid=501 items=0 pid=3921 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=501 src=9445 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=501 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=501

oops... I just realized that the syslog and sealert that I gave in the previous message were from BEFORE upgrading the selinux policy. However, I *still* get the same error when trying to restart 'sshd' though I no longer get any syslog selinux messages. However, when I set selinux to permissive, everything works, so this is still an selinux problem, I think.

Why is sshd trying to bind to port 9445?

Could you attach the output of

    # semanage user -l
    # semanage login -l

sshd works fine for me and a number of others on x86_64 after the update. AFAICS, the bug is fixed. Anyone having problems still is probably experiencing some other bug FWIW. HTH

Hi, I just upgraded from F-7 to F-8 and I am experiencing problems similar to this bug.

    # rpm -q selinux-policy-targeted
    selinux-policy-targeted-3.0.8-62.fc8

^^ using latest version

    # service xinetd start
    Starting xinetd: /bin/bash: /usr/sbin/xinetd: Permission denied [FAILED]

    Dec 10 11:53:36 localhost kernel: audit(1197316416.341:10): security_compute_sid: invalid context user_u:system_r:inetd_t:s0-s0:c0.c1023 for scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:inetd_exec_t:s0 tclass=process

I also get problems with sshd; after reading this bug I tried it and got:

    Dec 10 11:45:34 localhost kernel: audit(1197315934.073:8): security_compute_sid: invalid context user_u:system_r:sshd_t:s0-s0:c0.c1023 for scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process

Try

    # semanage login -m -s unconfined_u __default__

Log all the way out, log back in and see if you can start the process.

    # semanage login -m -s unconfined_u __default__
    libsemanage.validate_handler: selinux user unconfined_u does not exist No such file or directory.
    libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0)] is invalid No such file or directory.
    libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.
    /usr/sbin/semanage: Could not modify login mapping for __default__

Pasting this output before logging out...

Error still persists after completely logging out from KDE and also after a complete reboot.

Ok the post install was supposed to do the following.

    semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
    semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__

Could you try that?

This fixes the problem for me, not sure why that wasn't run when I did the upgrade. Thanks for the help.

Fixed in selinux-policy-3.0.8-68

Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.
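
The following triage helper is an added example, not part of the original bug report or of selinux-policy. It takes a `security_compute_sid: invalid context` record and a `semanage user -l` listing and reports whether the rejected context fails on the SELinux user's authorized roles or on its MLS range, which is the distinction the two attempted fixes in this thread turned on. The function names are hypothetical, and the column order (user, prefix, level, range, roles) is assumed from the `semanage user -l` row quoted above.

```python
import re

# Kernel record logged when a computed transition context is rejected.
INVALID_CTX = re.compile(r"security_compute_sid:\s+invalid context (\S+)")

def parse_level(level):
    """'s0:c0.c1023' -> (0, {0, ..., 1023}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    found = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        found.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), found

def parse_range(rng):
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    return a[0] >= b[0] and a[1] >= b[1]  # sensitivity >=, categories superset

def parse_semanage_users(text):
    """Rows of `semanage user -l`; header lines are skipped."""
    users = {}
    for fields in map(str.split, text.splitlines()):
        if len(fields) >= 5 and re.fullmatch(r"s\d+(:\S+)?", fields[2]):
            users[fields[0]] = {"range": fields[3], "roles": set(fields[4:])}
    return users

def explain(audit_line, users):
    """List why the rejected context is invalid for its SELinux user."""
    m = INVALID_CTX.search(audit_line)
    if not m:
        return None
    user, role, _type, rng = m.group(1).split(":", 3)
    if user not in users:
        return [f"SELinux user {user} is not defined"]
    reasons = []
    if role not in users[user]["roles"]:
        reasons.append(f"role {role} not authorized for {user}")
    (clow, chigh), (ulow, uhigh) = parse_range(rng), parse_range(users[user]["range"])
    if not (dominates(clow, ulow) and dominates(uhigh, chigh)):
        reasons.append(f"range {rng} outside {user} range {users[user]['range']}")
    return reasons

# Audit record (trimmed) and semanage row as quoted in the report.
AUDIT = ("security_compute_sid: invalid context unconfined_u:system_r:sshd_t:"
         "s0-s0:c0.c1023 for scontext=unconfined_u:system_r:initrc_t:s0")
BEFORE = "unconfined_u unconfined s0 s0 system_r unconfined_r"
print(explain(AUDIT, parse_semanage_users(BEFORE)))
```

An empty list means the roles and range in the listing permit the context, so a remaining denial has another cause.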