Bug 477922

Summary: SELinux targeted policy reverts to broken SSH rules
Product: Fedora
Reporter: John Mellor <john.mellor>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 10
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-03-23 13:38:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: setroubleshoot output (flags: none)

Description John Mellor 2008-12-25 14:30:58 UTC
Description of problem:
crontab not allowed to start ssh

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-34.fc10.noarch

How reproducible:
every time

Steps to Reproduce:
1. add crontab entries to start/stop ssh to reduce hacker window of opportunity
2. watch as SELinux policy denies ssh startup

Actual results:
ssh not started/stopped

Expected results:
normal ssh startup, as in F9

Additional info:
This is a rule reversion, as this same bug was already fixed in F8/F9 timeframe.

setroubleshoot output attached.

Comment 1 John Mellor 2008-12-25 14:32:15 UTC
Created attachment 327837
setroubleshoot output

Comment 2 Daniel Walsh 2008-12-27 12:11:20 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-37.fc10

This is actually a change in the kernel or in libc that is causing the problem. This policy is not in F8 or F9, but that is not your problem. :^) So it is a regression and I will get the fix out for you.
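
The workaround in Comment 2 feeds every AVC record in audit.log to audit2allow, so the resulting module can allow far more than the cron-starts-sshd case. The shell functions below are an added example (not from the bug report or the Fedora policy package) that restrict the input to denials from one source type such as crond_t and print the generated .te so it can be reviewed before semodule loads it; the function names and the sample audit lines are constructed for this example.

```shell
#!/bin/sh
# Added example: scope the audit2allow workaround to one source type
# instead of everything in audit.log. Function names are constructed.

# Print only AVC denial records whose source context contains the given
# SELinux type (for this bug: crond_t, the domain of a cron job).
filter_avc_denials() {
    log="$1"
    stype="$2"
    grep 'type=AVC' "$log" | grep -E 'avc: +denied' \
        | grep "scontext=[^ ]*:${stype}:"
}

# Number of matching denials; useful to confirm the filter is not empty
# (or not suspiciously large) before a module is generated.
count_avc_denials() {
    filter_avc_denials "$1" "$2" | wc -l | tr -d ' '
}

# Build a local policy module from the filtered denials and show the
# generated .te for review before it is loaded. Requires audit2allow and
# semodule from policycoreutils; loading the .pp needs root.
build_scoped_module() {
    log="$1"; stype="$2"; name="$3"
    workdir=$(mktemp -d)
    filter_avc_denials "$log" "$stype" > "$workdir/avc.log"
    if [ ! -s "$workdir/avc.log" ]; then
        echo "no ${stype} denials found in $log" >&2
        return 1
    fi
    (cd "$workdir" && audit2allow -M "$name" < avc.log) || return 1
    echo "=== review $workdir/$name.te before loading ==="
    cat "$workdir/$name.te"
    echo "load with: semodule -i $workdir/$name.pp"
}
```

Invoke as `build_scoped_module /var/log/audit/audit.log crond_t cronsshd` to generate a module covering only the crond_t denials.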

Comment 3 John Mellor 2008-12-29 20:42:41 UTC
Where do I get this new selinux-policy-3.5.13-37.fc10 package? It is not rolled out to updates-testing.

Comment 4 Daniel Walsh 2009-01-04 17:42:44 UTC
You can download it from koji. I will push out this update or a newer one once we get back to work tomorrow.

Comment 5 John Mellor 2009-03-21 18:41:34 UTC
Seems to be working properly now