Bug 459510

Summary: SELinux is preventing /usr/sbin/sshd (sshd_t) "append" to (var_log_t).
Product: [Fedora] Fedora
Reporter: David Lee Lambert <dllamber>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 8
CC: jkubin
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-08-29 16:49:09 UTC

Description David Lee Lambert 2008-08-19 15:49:32 UTC
Description of problem:

sshd won't start with SELinux enabled.

Version-Release number of selected component (if applicable):

  Affected RPM Packages:  openssh-server-4.7p1-2.fc8 [application]
  Policy RPM:  selinux-policy-3.0.8-44.fc8
  Selinux Enabled:  True
  Policy Type:  targeted
  MLS Enabled:  True
  Enforcing Mode:  Enforcing

Steps to Reproduce:

1.  /etc/init.d/sshd start
  
Actual results:

Starting sshd: /etc/init.d/sshd: line 111: /usr/sbin/sshd: Permission denied

Expected results:

Daemon should start

Comment 1 Daniel Walsh 2008-08-20 11:11:25 UTC
What is the AVC you are seeing?

grep avc /var/log/audit/audit.log

I know of no log file that ssh would need to append to.

You should also update to the latest selinux policy for fc8

yum -y upgrade selinux-policy

You might want to update all of your system

yum -y upgrade

Comment 2 David Lee Lambert 2008-08-20 14:23:17 UTC
type=AVC msg=audit(1219161384.508:133): avc:  denied  { append } for  pid=23367 comm="sshd" name="btmp" dev=dm-0 ino=851979 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1219161384.604:134): avc:  denied  { getattr } for  pid=23367 comm="sshd" path="/var/log/btmp" dev=dm-0 ino=851979 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

sshd is also configured to log via syslog; but I believe it writes to /dev/log, context "unconfined_u:object_r:devlog_t:s0", so that can't be the problem here.

This is after a "yum -y upgrade" and "yum remove openssh-server; yum install openssh-server".

Comment 3 Daniel Walsh 2008-08-29 16:49:09 UTC
restorecon /var/log/btmp

Should fix. Somehow this got the wrong context on it. Did someone/process delete and recreate the file?
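
The triage done by hand in this thread, as an added example that is not part of the original bug report: it parses the two AVC records quoted in Comment 2, merges denials on the same inode, and flags a target whose type is a generic directory-inherited one as a likely mislabel to check before changing policy. The function names and the `GENERIC_TYPES` set are assumptions made for this example.

```python
import re
from collections import defaultdict

# The two records quoted in Comment 2 of this bug.
SAMPLE = '''type=AVC msg=audit(1219161384.508:133): avc:  denied  { append } for  pid=23367 comm="sshd" name="btmp" dev=dm-0 ino=851979 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1219161384.604:134): avc:  denied  { getattr } for  pid=23367 comm="sshd" path="/var/log/btmp" dev=dm-0 ino=851979 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: types a file typically inherits from its
# parent directory when it is created without the policy's label applied.
GENERIC_TYPES = {"var_log_t", "var_t", "etc_t", "tmp_t", "default_t", "file_t"}

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain colons.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Merge denials on the same object (device, inode) into one finding."""
    findings = defaultdict(lambda: {"perms": set(), "path": None})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["dev"], rec["ino"], rec["stype"], rec["ttype"], rec["tclass"])
        f = findings[key]
        f["perms"].update(rec["perms"])
        # Some records carry only name=, others the full path=; keep the fullest.
        f["path"] = rec.get("path") or f["path"] or rec.get("name")
        f["relabel_hint"] = rec["ttype"] in GENERIC_TYPES and rec["tclass"] == "file"
    return dict(findings)

if __name__ == "__main__":
    for (dev, ino, stype, ttype, tclass), f in summarize(SAMPLE).items():
        print(f"{stype} -> {ttype}:{tclass} {sorted(f['perms'])} on {f['path']}")
        if f["relabel_hint"]:
            print(f"  generic type; compare with policy: matchpathcon -V {f['path']}")
```
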