Bug 375431
Summary: | sshd denies logins due to SELinux denial
---|---
Product: | [Fedora] Fedora
Component: | openssh
Version: | 8
Hardware: | All
OS: | Linux
Status: | CLOSED CURRENTRELEASE
Severity: | high
Priority: | low
Reporter: | Ben Webb <ben>
Assignee: | Tomas Mraz <tmraz>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | dwalsh
Fixed In Version: | Current
Doc Type: | Bug Fix
Last Closed: | 2007-11-16 14:05:44 UTC

Description
Ben Webb
2007-11-11 04:19:18 UTC
An strace on the sshd process shows the crash of the child process:

...
2983 shmget(IPC_PRIVATE, 463, IPC_CREAT|0600) = 360453
2983 shmat(360453, 0, 0) = -1 EACCES (Permission denied)
2983 --- SIGSEGV (Segmentation fault) @ 0 (0) ---

With SELinux disabled, the shmat succeeds and the process does not segfault.

A couple more data points:
1. A reboot and autorelabel did not change the symptoms at all.
2. The errors suggest (to me) mislabeling of /dev/shm, but it looks OK to me:
drwxrwxrwt root root system_u:object_r:tmpfs_t /dev/shm/

Could you attach a bigger part of the strace (of course with a non-valuable password used)? Also please try to create a backtrace with gdb with debuginfo packages installed.

Created attachment 255031
strace-sshd.gz
This is a full strace - pid 2079 is the listener sshd process. I attached
strace to pid 2079 on the server, and then immediately tried to log in from the
client as 'testuser'. The strace ends shortly after the segfault of the child
process (pid 2904).
Notice that we do Kerberos auth against the SALILAB.ORG realm. (I created a
testuser principal for the purposes of this test.) If, however, the principal
is deleted and Unix password auth is used instead, sshd does not crash (this
presumably explains why root logins work, since we don't use Kerberos for
them).
I can't figure out right now how to attach gdb to the sshd process correctly (I
can attach to the pid of the listener process, but even with 'set
detach-on-fork off' this seems to prevent sshd from forking and accepting any
new client connections). Any suggestions?
Fixed in selinux-policy-3.0.8-53.fc8

Confirmed: selinux-policy-3.0.8-53.fc8 fixes this problem for me on both i386 and x86_64 systems.
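
The triage done by eye in the description (a denied system call immediately followed by a fatal signal in the same pid) can be automated over a full `strace -f` capture. This is an added example, not part of the bug report or of openssh; the function name `denied_before_crash` is hypothetical, the pid 2983 lines are the ones quoted in the report, and the pid 2079 lines are constructed.

```python
import re

# Sample in `strace -f` format. The pid 2983 lines are quoted from the report;
# the pid 2079 lines are constructed to show that pids are tracked separately.
SAMPLE = """\
2079 accept(3, {sa_family=AF_INET}, [16]) = 5
2079 open("/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)
2983 shmget(IPC_PRIVATE, 463, IPC_CREAT|0600) = 360453
2983 shmat(360453, 0, 0) = -1 EACCES (Permission denied)
2983 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
"""

# "PID name(args) = ret [ERRNO (message)]"
CALL = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s+=\s+(-?\d+|0x[0-9a-f]+|\?)"
                  r"(?:\s+(E[A-Z0-9]+)\s+\((.*)\))?\s*$")
# "PID --- SIGNAME ... ---"
SIGNAL = re.compile(r"^(\d+)\s+---\s+(SIG[A-Z0-9]+)\b.*---\s*$")
FATAL = {"SIGSEGV", "SIGBUS", "SIGABRT", "SIGILL", "SIGFPE"}


def denied_before_crash(trace):
    """Return (pid, signal, syscall, errno) for every fatal signal.

    syscall/errno describe the call that directly preceded the signal in the
    same process if that call failed, otherwise both are None.
    """
    last_call = {}  # pid -> (syscall name, errno or None) of the latest call
    findings = []
    for line in trace.splitlines():
        m = CALL.match(line)
        if m:
            pid, name, _args, _ret, errno, _msg = m.groups()
            last_call[pid] = (name, errno)
            continue
        m = SIGNAL.match(line)
        if m and m.group(2) in FATAL:
            pid, sig = m.group(1), m.group(2)
            name, errno = last_call.get(pid, (None, None))
            if errno is None:
                name = None  # the preceding call succeeded, so it is no lead
            findings.append((int(pid), sig, name, errno))
    return findings


if __name__ == "__main__":
    for pid, sig, name, errno in denied_before_crash(SAMPLE):
        print(f"pid {pid}: {sig} right after {name}() failed with {errno}")
```

Lines that do not match either pattern (for example `<unfinished ...>` fragments) are skipped, so an EACCES hit is a lead to compare against the audit log, not proof of the cause.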