Bug 465283

Summary: SELinux denials on remote root login
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 10
CC: dwalsh, mcepl, mgrepl, tmraz
Keywords: Reopened, SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-30 05:39:38 UTC
Attachments: output from SEtroubleshoot

Description Orion Poplawski 2008-10-02 15:38:12 UTC
Description of problem:

Logging in as root via ssh.

/var/log/messages:Oct  2 09:11:23 test kernel: type=1400 audit(1222960283.046:4): avc:  denied  { search } for  pid=2594 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tclass=key
/var/log/secure:Oct  2 09:11:23 test sshd[2594]: Accepted publickey for root from 192.168.0.72 port 34507 ssh2
/var/log/secure:Oct  2 09:11:23 test sshd[2594]: pam_unix(sshd:session): session opened for user root by (uid=0)

Version-Release number of selected component (if applicable):
openssh-5.1p1-2.fc10.i386
selinux-policy-3.5.9-4.fc10.noarch
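
To read the denial quoted in the description above, the following added example (not part of the original report or of any Fedora tool) parses the AVC record into its source domain, target label, object class and permissions, and prints the type-enforcement rule that corresponds to it. The function names are hypothetical; the input lines are copied from the report.

```python
import re

# Denial copied from the report's /var/log/messages excerpt.
DENIAL = ('Oct  2 09:11:23 test kernel: type=1400 audit(1222960283.046:4): '
          'avc:  denied  { search } for  pid=2594 comm="sshd" '
          'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
          'tcontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tclass=key')
# Non-AVC line from the same report, used to show the parser skips it.
OTHER = ('Oct  2 09:11:23 test sshd[2594]: Accepted publickey for root '
         'from 192.168.0.72 port 34507 ssh2')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type[:mls-level]; the level itself may contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % ctx)
    return dict(zip(('user', 'role', 'type', 'level'), parts))

def parse_avc(line):
    """Return the fields of an AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'comm': fields.get('comm'),
        'source': parse_context(fields['scontext']),  # domain of the process
        'target': parse_context(fields['tcontext']),  # label on the object
        'tclass': fields['tclass'],                   # 'key' = a kernel key
    }

def te_rule(avc):
    """Render the allow rule matching this record (single perm: no braces)."""
    perms = avc['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (avc['source']['type'],
                                   avc['target']['type'], avc['tclass'], p)

if __name__ == '__main__':
    for line in (DENIAL, OTHER):
        avc = parse_avc(line)
        print(te_rule(avc) if avc else 'not an AVC record')
```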

Comment 1 Daniel Walsh 2008-10-02 15:53:22 UTC
This is a kernel bug, but I will get rid of the avc for now.

Fixed in selinux-policy-3.5.9-5.fc10.noarch

Comment 2 Matěj Cepl 2008-11-18 14:22:37 UTC
Created attachment 323900
output from SEtroubleshoot

Happens again with

[matej@hubmaier ~]$ rpm -q openssh selinux-policy-targeted kernel
openssh-5.1p1-3.fc10.x86_64
selinux-policy-targeted-3.5.13-18.fc10.noarch
kernel-2.6.27.5-94.fc10.x86_64
kernel-2.6.27.4-79.fc10.x86_64
kernel-2.6.27.5-101.fc10.x86_64
kernel-2.6.27.5-109.fc10.x86_64
[matej@hubmaier ~]$ uname -r
2.6.27.5-109.fc10.x86_64
[matej@hubmaier ~]$

Comment 3 Daniel Walsh 2008-11-18 18:43:19 UTC
Well I run this under audit2allow on selinux-policy-targeted-3.5.13-21.fc10.noarch

and it says it should be allowed.

Comment 4 Bug Zapper 2008-11-26 03:28:21 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Orion Poplawski 2008-11-30 05:39:38 UTC
I don't see this anymore.