Bug 448367

Summary: SELinux is preventing sshd (sshd_t) "search" to <Neznámé> (crond_t).
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: cronieAssignee: Marcela Mašláňová <mmaslano>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, mcepl, pertusus, tmraz
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-28 07:49:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/var/log/audit/audit.log none

Description Matěj Cepl 2008-05-26 09:43:19 UTC 
Description of problem:

Absolutely no idea, how I deserved this -- what did I do to get this.

Souhrn:

SELinux is preventing sshd (sshd_t) "search" to <Neznámé> (crond_t).

Podrobný popis:

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:sshd_t:SystemLow-SystemHigh
Kontext cíle                 system_u:system_r:crond_t:SystemLow-SystemHigh
Objekty cíle                 None [ key ]
Zdroj                         sshd
Cesta zdroje                  /usr/sbin/sshd
Port                          <Neznámé>
Počítač                    hubmaier.ceplovi.cz
RPM balíčky zdroje          openssh-server-5.0p1-2.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-45.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            hubmaier.ceplovi.cz
Platforma                     Linux hubmaier.ceplovi.cz
                              2.6.26-0.17.rc3.fc10.x86_64 #1 SMP Sun May 18
                              18:44:39 EDT 2008 x86_64 x86_64
Počet uporoznění           5
Poprvé viděno               St 21. květen 2008, 23:02:49 CEST
Naposledy viděno             Pá 23. květen 2008, 07:32:16 CEST
Místní ID                   30cbc996-27a8-4025-8aad-cffa4f396167
Čísla řádků              

Původní zprávy auditu      

host=hubmaier.ceplovi.cz type=AVC msg=audit(1211520736.490:3035): avc:  denied 
{ search } for  pid=1067 comm="sshd"
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1211520736.490:3035):
arch=c000003e syscall=250 success=no exit=-13 a0=0 a1=fffffffd a2=0 a3=2b42280
items=0 ppid=19335 pid=1067 auid=4294967295 uid=500 gid=500 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Tomas Mraz 2008-05-26 10:05:19 UTC 
Cronie must call setkeycreatecon() with the context it uses when calling
setexeccon(). This call has to be done before pam_open_session() is called.
Comment 2 Marcela Mašláňová 2008-05-26 12:45:29 UTC 
Please try test package at http://mmaslano.fedorapeople.org/cronie/
Comment 3 Tomas Mraz 2008-05-26 13:53:09 UTC 
Note that you'll have to restart the computer so the keyring is recreated for
the user. Also the cron job of the user must run before you log in to reproduce
the problem.
Comment 4 Matěj Cepl 2008-05-26 15:24:20 UTC 
Created attachment 306685 [details]
/var/log/audit/audit.log

Using local rebuild of the src.rpm from comment 2, I don't get AVC denial on
cronnie, but I get plenty of other AVC denials -- I have logged into slightly
after 17:00 CEST. And no I haven't heard any sound on the whole hour (which I
should). This is the output of crontab -e:
[matej@hubmaier ~]$ crontab -l
SHELL=/bin/bash
MAILTO=""

* 15 * * mon-fri curl -s
http://www.cnb.cz/cz/financni_trhy/devizovy_trh/kurzy_devizoveho_trhu/denni_kurz.txt
>$HOME/dnesni-kurs.txt
0 8-19 * * mon-fri  gst-launch filesrc
location=/home/matej/archiv/music/Pranks/Clock_Big_Ben_London.mp3 ! decodebin !
audioconvert ! volume volume=0.2 ! autoaudiosink >/dev/null 2>&1
# 10 4 * * * /home/matej/rpm/kompiliste/bitlbee/update.sh
[matej@hubmaier ~]$
Comment 5 Tomas Mraz 2008-05-26 16:05:19 UTC 
The sound will not play when you're not logged in due to permissions on the
sound devices. And the AVCs seem to be unrelated. Verify that the user cron jobs
are still working and if so then this bug can be closed as fixed.
Comment 6 Daniel Walsh 2008-05-27 16:37:49 UTC 
Matej you seem to have bitlbee attempting connects to lots of random ports.  Is
this expected behaviour?
Comment 7 Matěj Cepl 2008-05-27 20:17:15 UTC 
(In reply to comment #6)
> Matej you seem to have bitlbee attempting connects to lots of random ports.  Is
> this expected behaviour?

Yes, it is, I have patched version of bitlbee doing file transfer and the file
transfer apparently makes connection totally randomly -- not sure how to make it
behave more sanely, and it doesn't matter that much for me. I just added

allow bitlbee_t port_t:tcp_socket name_connect;

to my bitlbeeFT policy module and will deal with that later.
Comment 8 Daniel Walsh 2008-05-27 20:31:11 UTC 
So it is doing some kind of ftp transfer?
Comment 9 Matěj Cepl 2008-05-27 20:41:17 UTC 
(In reply to comment #8)
> So it is doing some kind of ftp transfer?

Roughly speaking yes, it actually is more http connection between two Jabber
clients, but that probably doesn't make a difference for you.
Comment 10 Marcela Mašláňová 2008-05-28 07:49:29 UTC 
This is fixed for cronie in next update. If your problem persist please open new
bug on appropriate component.