Bug 430548

Summary: SELinux doesn't allow connecting through openssh
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-30 10:14:53 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Matěj Cepl 2008-01-28 13:28:04 EST
Description of problem:

SELinux is preventing sshd(/usr/sbin/sshd) (sshd_t) "search" to <Unknown>
(xdm_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by sshd(/usr/sbin/sshd). It is not expected that
this access is required by sshd(/usr/sbin/sshd) and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:SystemLow-SystemHigh
Target Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Objects                None [ key ]
Source                        sshd(/usr/sbin/sshd)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz
                              2.6.24-0.167.rc8.git4.fc9 #1 SMP Tue Jan 22
                              22:53:00 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Po 28. leden 2008, 19:22:55 CET
Last Seen                     Po 28. leden 2008, 19:22:55 CET
Local ID                      8c6f9ae9-b46a-43dc-945a-2c0369b4bd8c
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201544575.621:964): avc:  denied  {
search } for  pid=14334 comm="sshd"
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201544575.621:964):
arch=c000003e syscall=250 success=yes exit=0 a0=3 a1=fda4a22 a2=ffffffffffffffff
a3=2aaaae161280 items=0 ppid=2388 pid=14334 auid=500 uid=0 gid=0 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
openssh-4.7p1-7.fc9.x86_64
selinux-policy-targeted-3.2.5-19.fc9.noarch

How reproducible:
not sure (not always, but now three times in the row)

Steps to Reproduce:
1. connect to computer with running sshd
2.
3.
  
Actual results:
on the computer with sshd running, observe sealert popup

Expected results:
no problems

Additional info:
Comment 1 Tomas Mraz 2008-01-28 14:23:10 EST
I don't understand this report - should s/openvpn/openssh/ be done on subject?
And in enforcing mode you really cannot connect? What happens if you restart the
sshd from root login on the linux text console?
Comment 2 Matěj Cepl 2008-01-28 17:46:58 EST
Yes, I am sorry, I meant openssh. I am in the permissive mode, so I can connect.
Rawhide in enforcing mode seems kind of crazy ;-). I am away from the computer,
so I will tell you tomorrow.
Comment 3 Matěj Cepl 2008-01-30 10:14:53 EST
OK, cannot reproduce anymore -- probably something mislabeled.