Bug 567129

Summary: allow sshd_t user_devpts_t:chr_file setattr; needed for sshd to work
Product: [Fedora] Fedora
Reporter: Bruno Wolff III <bruno>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: dwalsh, jchadima, mgrepl, misek, tmraz
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-02-24 17:02:01 UTC

Description Bruno Wolff III 2010-02-21 19:44:37 UTC
Description of problem:
After a recent upgrade (I am not sure if it was selinux-policy or OpenSSH), ssh connections to the upgraded machines started failing after a password was entered. Switching to permissive prevented the issue. Looking at the audit, I found that adding the rule:
allow sshd_t user_devpts_t:chr_file setattr;
made things work again.

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-22.fc13.i686
selinux-policy-targeted-3.7.9-4.fc13.noarch

How reproducible:
100%

Steps to Reproduce:
1. ssh to the affected server while it is running in enforcing mode

Comment 1 Daniel Walsh 2010-02-22 20:20:42 UTC
Fixed in selinux-policy-3.7.10-2.fc13

Comment 2 Bruno Wolff III 2010-02-23 17:44:41 UTC
I tested selinux-policy-targeted-3.7.10-2.fc13.noarch and I am still seeing what looks like the same problem:
type=AVC msg=audit(1266946901.773:210): avc:  denied  { setattr } for  pid=5050 comm="sshd" name="7" dev=devpts ino=10 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
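
The mapping from the AVC denial in Comment 2 to the rule quoted in the Description, as an added example that is not part of the bug thread or of any SELinux tooling: a small Python parser that derives candidate allow rules from audit lines and merges permissions per source type, target type and class. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Fields of an AVC denial that determine the policy rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# First line is the denial from Comment 2; the other two are constructed samples.
SAMPLE = [
    'type=AVC msg=audit(1266946901.773:210): avc:  denied  { setattr } for  pid=5050 comm="sshd" name="7" dev=devpts ino=10 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1266946901.780:211): avc:  denied  { getattr } for  pid=5050 comm="sshd" name="7" dev=devpts ino=10 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file',
    'type=SYSCALL msg=audit(1266946901.773:210): arch=40000003 syscall=15 success=no',
]

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]  # the MLS level after the type may itself contain colons

def denials_to_rules(lines):
    """Turn AVC denial lines into allow rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:  # not an AVC denial record
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE)))
```

The output is a candidate rule for review; in this bug the fix shipped in the selinux-policy package itself.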

Comment 3 Daniel Walsh 2010-02-23 18:30:36 UTC
Shoot, let's try again.

Fixed in selinux-policy-3.7.10-3.fc13

Comment 4 Daniel Walsh 2010-02-23 18:31:16 UTC
*** Bug 567707 has been marked as a duplicate of this bug. ***

Comment 5 Bruno Wolff III 2010-02-23 22:12:37 UTC
selinux-policy-targeted-3.7.10-3.fc13.noarch does seem to fix the problem.
Thanks!

Comment 6 Vaclav "sHINOBI" Misek 2010-02-24 16:05:45 UTC
I can confirm the fix with selinux-policy-targeted-3.7.10-3.fc13.