Bug 462231
| Summary: | SELinux is preventing sshd (sshd_t) "search" to <Unknown> (crond_t). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dave Jones <davej> |
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 12 | CC: | dhowells, dwalsh, eparis, kernel-maint, pfrields, sdsmall |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-12-05 07:08:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 513462 | ||
You can just ignore this. I have no idea of why it is happening. Looks like sshd somehow has gotten seeing a key tab owned by crond_t. I guess something in the kernel is looking through all of the keyrings context and generating these AVCs. I can dontaudit or allow this, But I think this could be a bug in the kernel. Some api that sshd is calling is causing this avc to be triggered. $ sudo grep 06f27a55-eba1-4903-be3b-372d535d92d6 /var/log/messages* | wc -l 19913 kind of hard to ignore. hopefully I won't run out of diskspace before I get home :-) I agree that it looks like a bug in the kernel keyring support - punting to David Howells for clarification. SELinux labels keys based on their creator or based on the context the creator specified using setkeycreatecon(3). I don't know why a key created by crond is being encountered by sshd on a lookup.
Possible workaround to silence the noise in the interim:
$ cat quietkey.te
policy_module(quietkey, 1.0)
require {
type sshd_t;
type crond_t;
}
dontaudit sshd_t crond_t:key search;
$ make -f /usr/share/selinux/devel/Makefile quietkey.pp
$ sudo semodule -i quietkey.pp
My guess is that the problem is not a kernel bug, but results from a feature mandated by Linus. There are shared keyrings for each UID (user and user session keyrings), but these pick up the security label of whatever creates them and then are stuck with it, but such a keyring, once created, is automatically shared between all the processes that use that UID. Does your /etc/pam.d/crond or /etc/pam.d/system-auth invoke pam_keyinit.so? I am pretty sure they do. crond doesn't, system-auth does I just believe the kernel should not be reporting this as an AVC, it should be allowed. If every keyring created for a user is going to require all domains that create keyrings to be able to search them, then there is little reason to deny. Why isn't pam_keyinit using setkeycreatecon() to set the context for the key to something appropriate for the user whose keyring it is? Also, if such sharing is mandated, how do we actually protect one program from misusing keys created by another program under the same uid? Do we need per-context keyrings? > Also, if such sharing is mandated, how do we actually protect one program
> from misusing keys created by another program under the same uid? Do we
> need per-context keyrings?
The whole point of per-UID shared keyrings is that the keys in them are shared. Misuse is something you might just have to live with. If you don't want your keys to be misused, don't put them in the per-UID shared keyrings.
That said, any key that is in the per-UID shared keyring has all operations on it approved by SELinux. That means a process can be restricted to only being able to find out the key ID of a key in one of these keyrings; the view, read, write, setattr, link and search attributes on a key can all be denied by SELinux, preventing a process from effectively doing anything with it.
There is, however, nothing to stop a process unlinking a specific key from those keyrings. All that SELinux can see is that the keyring is being 'written'. Also, there's nothing to stop a process finding the key ID by listing the keyring. That's an all-or-nothing 'read' op on the keyring. These two circumstances could be dealt with.
Another option is to make per-UID keyrings unavailable if SELINUX is enabled. I'd need to check with Linus if he's happy to do this. My original idea for how these might be used was for storing equivalent user identities, such as a SMB/CIFS/FAT/VFAT/NTFS user ID. However, that's probably better stored in a session keyring.
This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. |
I have camE set up to scp a jpeg to localhost. (It doesn't seem to offer a 'just save pics locally' mode). Every time this happens, I get an AVC.. host=gelk.kernelslacker.org type=AVC msg=audit(1221407938.306:4261): avc: denied { search } for pid=18666 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key host=gelk.kernelslacker.org type=SYSCALL msg=audit(1221407938.306:4261): arch=c000003e syscall=250 success=yes exit=1007585457 a0=0 a1=fffffffd a2=0 a3=35ec260 items=0 ppid=2448 pid=18666 auid=4294967295 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) selinux-policy-3.3.1-87.fc9 selinux-policy-targeted-3.3.1-87.fc9.noarch