Bug 652438

Summary: SELinux is preventing /usr/sbin/sshd "search" entry on /etc/samba.
Product: Fedora
Reporter: Michael Gruys <m.gruys>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: dwalsh, jchadima, mgrepl, ssorce, tmraz
Keywords: Reopened
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:cd4347496e1abd253a2ca966c72371416676504187c6d064142255f7b5918610
Doc Type: Bug Fix
Last Closed: 2011-02-25 12:40:32 UTC

Attachments:
  /etc/nsswitch.conf (flags: none)
  /etc/pam.d/sshd (flags: none)

Description Michael Gruys 2010-11-11 20:58:37 UTC
Summary:

SELinux is preventing /usr/sbin/sshd "search" access on /etc/samba.

Detailed description:

SELinux denied access requested by sshd. It is not expected that this access
is required by sshd, and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application
is causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_etc_t:s0
Target Objects                /etc/samba [ dir ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openssh-server-5.5p1-23.fc14.2
Target RPM Packages           samba-common-3.5.6-69.fc14
Policy RPM                    selinux-policy-3.9.7-7.fc14
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.i686.PAE #1 SMP Fri
                              Oct 22 15:27:53 UTC 2010 i686 i686
Alert Count                   20
First Seen                    Sun 07 Nov 2010 02:32:12 CET
Last Seen                     Thu 11 Nov 2010 21:56:11 CET
Local ID                      8c139fce-9fb8-46ad-8640-b0d7e51f83ee
Line Numbers                  

Raw Audit Messages 

node=(verwijderd) type=AVC msg=audit(1289508971.200:41101): avc:  denied  { search } for  pid=22509 comm="sshd" name="samba" dev=dm-0 ino=61228 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir

node=(verwijderd) type=SYSCALL msg=audit(1289508971.200:41101): arch=40000003 syscall=5 success=no exit=-13 a0=b7760870 a1=8000 a2=0 a3=0 items=0 ppid=2072 pid=22509 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,sshd,sshd_t,samba_etc_t,dir,search
audit2allow suggests:

#============= sshd_t ==============
allow sshd_t samba_etc_t:dir search;
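
As an added example (not part of this bug report and not setroubleshoot's or audit2allow's own code), a small Python parser for the two audit records quoted above: it groups the AVC and SYSCALL lines by audit serial, decodes the syscall's exit=-13 into the errno sshd actually saw, and reconstructs the same one-line rule audit2allow suggested. The sample input is a constructed copy of the records above with the host name redacted as in the original.

```python
import errno
import re

# Constructed sample: the two audit records quoted in the report, as the
# setroubleshoot plugin would see them (host name redacted like the original).
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1289508971.200:41101): avc:  denied  { search } for  pid=22509 comm="sshd" name="samba" dev=dm-0 ino=61228 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1289508971.200:41101): arch=40000003 syscall=5 success=no exit=-13 a0=b7760870 a1=8000 a2=0 a3=0 items=0 ppid=2072 pid=22509 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
"""

# key=value pairs; quoted values may contain spaces (e.g. comm="my prog").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]+) \} for\s+(.*)$')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

def selinux_type(context):
    """user:role:type[:range] -> the type field, e.g. sshd_t."""
    return context.split(":")[2]

def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial number."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)), {})
        avc = AVC_RE.search(line)
        if avc:
            kv = {k: v.strip('"') for k, v in KV_RE.findall(avc.group(3))}
            ev["result"] = avc.group(1)
            ev["perms"] = avc.group(2).split()
            ev["stype"] = selinux_type(kv["scontext"])
            ev["ttype"] = selinux_type(kv["tcontext"])
            ev["tclass"] = kv["tclass"]
        elif "type=SYSCALL" in line:
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            ev["exe"] = kv.get("exe")
            # The kernel reports -errno; -13 is EACCES, what sshd saw for the lookup.
            ev["errno"] = errno.errorcode.get(-int(kv["exit"]), kv["exit"])
    return events

def allow_rule(ev):
    """The same one-line rule audit2allow prints for an AVC denial."""
    return f'allow {ev["stype"]} {ev["ttype"]}:{ev["tclass"]} {" ".join(ev["perms"])};'

if __name__ == "__main__":
    for serial, ev in sorted(parse_audit(SAMPLE_AUDIT).items()):
        print(serial, ev["exe"], ev["errno"], allow_rule(ev))
```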

Comment 1 Miroslav Grepl 2010-11-12 11:04:35 UTC
Did you setup ssh and Samba to play together?

Or any chance you were sitting in the /etc/samba directory when you started/restarted the sshd daemon using

/etc/init.d/sshd restart

Comment 2 Daniel Walsh 2010-11-12 14:29:53 UTC
Or is /etc/samba listed as a homedir in /etc/passwd?

Comment 3 Michael Gruys 2010-11-12 20:01:07 UTC
(In reply to comment #2)
> Or is /etc/samba listed as a homedir in /etc/passwd?

No. It is not mentioned in /etc/passwd

Comment 4 Michael Gruys 2010-11-12 20:05:51 UTC
(In reply to comment #1)
> Did you setup ssh and Samba to play together?
> 
How can I see that? 

> Or any chance you were sitting in /etc/samba directory when you
> started/restarted sshd daemon using
> 
> /etc/init.d/sshd restart

I do not think so. I suspect fail2ban is causing this message. I had not started, stopped or restarted the ssh daemon at the moment of the message.

I do not know what further info is needed to solve this issue.

Comment 5 Daniel Walsh 2010-11-15 16:16:43 UTC
Has it happened again?

Comment 6 Michael Gruys 2010-11-15 16:19:03 UTC
Not anymore.

Comment 7 Daniel Walsh 2010-11-15 16:21:03 UTC
Ok reopen if it happens again.

Comment 8 Michael Gruys 2010-11-16 17:27:02 UTC
I'm sorry to report this, but it happened again today...
Please let me know what additional info you need.

Note:
I can only change the status to "assigned" and cannot set it to "reopen".

Comment 9 Daniel Walsh 2010-11-16 18:00:29 UTC
Is

Comment 10 Daniel Walsh 2010-11-16 18:01:24 UTC
Can you guys think of any reason sshd would be searching /etc/samba?

pam_winbind?

Comment 11 Tomas Mraz 2010-11-16 20:11:12 UTC
Do you have winbind in /etc/nsswitch.conf or pam_winbind in /etc/pam.d/sshd?

Comment 12 Michael Gruys 2010-11-17 06:10:32 UTC
Created attachment 460995 [details]
/etc/nsswitch.conf

Comment 13 Michael Gruys 2010-11-17 06:11:08 UTC
Created attachment 460996 [details]
/etc/pam.d/sshd

Comment 14 Daniel Walsh 2010-11-17 15:53:32 UTC
Tomas, if winbind was in either of those, it would not be unusual for the login programs to need search.  

Miroslav can you modify auth_login_pgm_domain to use

files_read_config_files($1)

In F13/F14.

Comment 15 Miroslav Grepl 2011-02-25 12:40:32 UTC
Fixed in the current policies.