Bug 513186

Summary: setroubleshoot: SELinux is preventing sshd (sshd_t) "write" tmpfs_t.
Product: [Fedora] Fedora
Reporter: Matěj Cepl <mcepl>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, jchadima, jkubin, mcepl, mgrepl, tmraz
Target Milestone: ---
Keywords: SELinux
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:2626001907c8c5c7ed1e296c80cd10ad1542d9b41122070a0dc45effb124dee4
Doc Type: Bug Fix
Last Closed: 2009-07-23 10:39:17 EDT
Attachments: information about /dev/log (flags: none)

Description Matěj Cepl 2009-07-22 09:12:16 EDT
The following was filed automatically by setroubleshoot:


SELinux is preventing sshd (sshd_t) "write" tmpfs_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                log [ sock_file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.19-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.24.rc0.git18.fc12.i686.PAE #1 SMP Mon Jun
                              22 16:26:36 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Wed 1 July 2009, 23:59:40 CEST
Last Seen                     Thu 2 July 2009, 01:16:12 CEST
Local ID                      87bcfbbd-b45f-45f9-8ec1-1857d9efc58c
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1246490172.806:83): avc:  denied  { write } for  pid=716 comm="sshd" name="log" dev=tmpfs ino=5933 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1246490172.806:83): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfa5b5ec a2=c88ff4 a3=ffffff58 items=0 ppid=1 pid=716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe=2F7573722F7362696E2F73736864202864656C6574656429 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= sshd_t ==============
allow sshd_t tmpfs_t:sock_file write;

Comment 1 Daniel Walsh 2009-07-23 10:39:17 EDT
This looks like a labeling problem.

Was /dev/log screwed up on this machine?

Comment 2 Matěj Cepl 2009-07-23 11:31:06 EDT
Created attachment 354877 [details]
information about /dev/log

I think /dev/log is and was alright? (although there might be some selinux-policy update which did relabelling).

Comment 3 Daniel Walsh 2009-07-23 12:20:37 EDT
Well, we have an AVC saying sshd cannot write to a sock_file named log. That is labeled tmpfs_t. /dev is a tmpfs_t file system, so if for some reason udev did not run properly or the boot up failed, or some other labeling failure, you ended up with /dev/log with the wrong label on it. At least that is what the evidence shows.

Comment 4 Matěj Cepl 2009-07-23 17:00:25 EDT
I just tried to find what kind of file it is by inode number, but the result is disappointing:

[root@torquemada /]# find / -inum 5933 2>/dev/null
[root@torquemada /]#

I guess it means it is a "file" generated during the state of the computer, so there is no way to find what it was when I got that AVC denial, right?
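
As an added example (not part of the original report or thread), the two raw audit records from the description can be parsed to reproduce the reading given in Comment 3: source type, target type and object class, with the hex-encoded exe field decoded as well. The function names and the default-label heuristic are assumptions of this example, and the SYSCALL record is abridged to the fields used.

```python
import re

# Raw audit records from the bug description; the SYSCALL record is abridged
# to the fields used here (values unchanged).
AVC = ('node=(removed) type=AVC msg=audit(1246490172.806:83): avc:  denied  { write } '
       'for  pid=716 comm="sshd" name="log" dev=tmpfs ino=5933 '
       'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file')
SYSCALL = ('node=(removed) type=SYSCALL msg=audit(1246490172.806:83): arch=40000003 '
           'syscall=102 success=yes exit=0 pid=716 comm="sshd" '
           'exe=2F7573722F7362696E2F73736864202864656C6574656429 '
           'subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)')

def parse_record(line):
    """Return the key=value fields of one audit record, plus verdict and permissions."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r'avc:\s+(\w+)\s+\{([^}]*)\}', line)
    if m:
        rec["verdict"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def decode_audit_value(value):
    """The audit subsystem logs strings containing spaces as unquoted upper-case hex."""
    if re.fullmatch(r'(?:[0-9A-F]{2})+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def selinux_type(context):
    """Third field of user:role:type:level."""
    return context.split(":")[2]

def triage(avc_line, syscall_line):
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["msg"] != sc["msg"]:
        raise ValueError("records belong to different audit events")
    target = selinux_type(avc["tcontext"])
    return {
        "source_type": selinux_type(avc["scontext"]),
        "target_type": target,
        "object": f'{avc["name"]} [{avc["tclass"]}]',
        "perms": avc["perms"],
        "exe": decode_audit_value(sc["exe"]),
        # success=yes on a "denied" AVC: the access went through (permissive mode)
        "allowed_anyway": avc["verdict"] == "denied" and sc["success"] == "yes",
        # Heuristic (assumption): an object on tmpfs still typed tmpfs_t only has
        # the filesystem's default label, i.e. nothing gave it a specific type.
        "default_fs_label": avc["dev"] == "tmpfs" and target == "tmpfs_t",
    }

if __name__ == "__main__":
    for key, value in triage(AVC, SYSCALL).items():
        print(f"{key:18} {value}")
```

On a live system, `ls -Z /dev/log` shows the label currently on the socket for comparison with the target type in the record.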