Bug 567129

Summary: allow sshd_t user_devpts_t:chr_file setattr; needed for sshd to work
Product: [Fedora] Fedora
Reporter: Bruno Wolff III <bruno>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: dwalsh, jchadima, mgrepl, misek, tmraz
Target Milestone: ---
Keywords: SELinux
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-02-24 12:02:01 EST

Description Bruno Wolff III 2010-02-21 14:44:37 EST
Description of problem:
After a recent upgrade (I am not sure if it was selinux-policy or openssh), ssh connections to the upgraded machines started failing after a password was entered. Switching to permissive prevented the issue. Looking at the audit, I found that adding the rule:
allow sshd_t user_devpts_t:chr_file setattr;
made things work again.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ssh to the affected server while it is running in enforcing mode
Actual results:

Expected results:

Additional info:
Comment 1 Daniel Walsh 2010-02-22 15:20:42 EST
Fixed in selinux-policy-3.7.10-2.fc13
Comment 2 Bruno Wolff III 2010-02-23 12:44:41 EST
I tested selinux-policy-targeted-3.7.10-2.fc13.noarch and I am still seeing what looks like the same problem:
type=AVC msg=audit(1266946901.773:210): avc:  denied  { setattr } for  pid=5050 comm="sshd" name="7" dev=devpts ino=10 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
Comment 3 Daniel Walsh 2010-02-23 13:30:36 EST
Shoot, let's try again.

Fixed in selinux-policy-3.7.10-3.fc13
Comment 4 Daniel Walsh 2010-02-23 13:31:16 EST
*** Bug 567707 has been marked as a duplicate of this bug. ***
Comment 5 Bruno Wolff III 2010-02-23 17:12:37 EST
selinux-policy-targeted-3.7.10-3.fc13.noarch does seem to fix the problem.
Comment 6 Vaclav "sHINOBI" Misek 2010-02-24 11:05:45 EST
I can confirm the fix with selinux-policy-targeted-3.7.10-3.fc13.
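
Added example (not part of the original bug report and not code from selinux-policy or audit2allow): a small Python parser that turns the AVC denial quoted in comment 2 into the type-enforcement rule given in the description. The function names and the SAMPLE constant are assumptions made for this illustration.

```python
import re

# Constructed sample input: the AVC record quoted in comment 2 of this bug.
SAMPLE = (
    'type=AVC msg=audit(1266946901.773:210): avc:  denied  { setattr } '
    'for  pid=5050 comm="sshd" name="7" dev=devpts ino=10 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Type is the third field of user:role:type[:level]; the level may hold colons."""
    parts = context.split(':', 3)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return source type, target type, class and permissions of a denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('rest')))
    stype = se_type(fields.get('scontext', ''))
    ttype = se_type(fields.get('tcontext', ''))
    if stype is None or ttype is None or 'tclass' not in fields:
        return None
    return {'stype': stype, 'ttype': ttype, 'tclass': fields['tclass'],
            'perms': m.group('perms').split()}

def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc:
            key = (avc['stype'], avc['ttype'], avc['tclass'])
            merged.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules([SAMPLE])))
```

A rule derived this way is a candidate for policy review, as with audit2allow output; in this bug the permission was shipped in the distribution's selinux-policy package rather than as a local module.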