Bug 567424

Summary: SELinux is preventing /usr/sbin/sshd "sys_nice" access .
Product: [Fedora] Fedora Reporter: Micko <micko>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:51117f5eeafc3cb3a73c6bb15f160625b2b1207f90230261bdcd01460f4739da
Fixed In Version: selinux-policy-3.6.32-92.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-04 00:17:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Micko 2010-02-22 22:41:45 UTC 
Sammanfattning:

SELinux is preventing /usr/sbin/sshd "sys_nice" access .

Detaljerad beskrivning:

[SELinux är i tillåtande läge. Denna åtkomst nekades inte.]

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Att tillåta åtkomst:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Ytterligare information:

Källkontext                  system_u:system_r:sshd_t:s0-s0:c0.c1023
Målkontext                   system_u:system_r:sshd_t:s0-s0:c0.c1023
Målobjekt                    None [ capability ]
Källa                        sshd
Källsökväg                 /usr/sbin/sshd
Port                          <Okänd>
Värd                         (removed)
Käll-RPM-paket               openssh-server-5.2p1-31.fc12
Mål-RPM-paket                
Policy-RPM                    selinux-policy-3.6.32-89.fc12
SELinux aktiverat             True
Policytyp                     targeted
Verkställande läge          Permissive
Insticksmodulnamn             catchall
Värdnamn                     (removed)
Plattform                     Linux grommit.se 2.6.31.12-174.2.22.fc12.x86_64 #1
                              SMP Fri Feb 19 18:55:03 UTC 2010 x86_64 x86_64
Antal larm                    5
Först sedd                   mån 22 feb 2010 12.35.21
Senast sedd                   mån 22 feb 2010 20.36.41
Lokalt ID                     eb805309-147d-4f94-91de-75adebfd2954
Radnummer                     

Råa granskningsmeddelanden   

node=grommit.se type=AVC msg=audit(1266867401.810:598): avc:  denied  { sys_nice } for  pid=8656 comm="sshd" capability=23 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability

node=grommit.se type=SYSCALL msg=audit(1266867401.810:598): arch=c000003e syscall=144 success=yes exit=128 a0=21d0 a1=0 a2=7fffb278f330 a3=7fffb278f090 items=0 ppid=1523 pid=8656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,sshd,sshd_t,sshd_t,capability,sys_nice
audit2allow suggests:

#============= sshd_t ==============
allow sshd_t self:capability sys_nice;
Comment 1 Micko 2010-02-22 22:58:40 UTC 
Might not be a bug. Did a restorecon -R -v . on the file system but could not see any relevant files with affected/changed labels but since then no further reports so far. I suspected sshd when reading .ssh/authorized_keys but I don't really understand this.
Comment 2 Daniel Walsh 2010-02-23 14:21:13 UTC 
No this is not related to labels. But it seems legit.

Could sshd be setting the priority of login sessions?

Miroslav add sys_nice to ssh_server_templat
Comment 3 Micko 2010-02-23 18:44:53 UTC 
>Could sshd be setting the priority of login sessions?
Yes, I believe it can be. My guess is that it happens with ssh login using  RSA-public key authentication instead of password. I quite sure it started when I configured this when setting up a reverse tunnel from another host.
Comment 4 Miroslav Grepl 2010-02-23 18:47:09 UTC 
Fixed in selinux-policy-3.6.32-92.fc12
Comment 5 Fedora Update System 2010-02-23 20:58:09 UTC 
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
Comment 6 Fedora Update System 2010-02-26 03:45:00 UTC 
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
Comment 7 Fedora Update System 2010-03-04 00:13:38 UTC 
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.