Bug 813870
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities. |
| Product | Fedora |
| Reporter | Daniel Scott <dan> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 18 |
| CC | dominick.grift, dpal, dwalsh, eparis, jhrozek, jwelsh, ktdreyer, mgrepl, moez.roy, nalin, t.h.amundsen |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:a55113d93e8d1bd229165135b0aee59e53f4f7571fe14c35c318788fa91445dc |
| Doc Type | Bug Fix |
| Story Points | --- |
| | 910430 (view as bug list) |
| Last Closed | 2013-01-23 01:56:00 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 910430 |
Description
Daniel Scott
2012-04-18 15:55:24 UTC
Ok, we see it again. Did it happen by default? Or did you set up pam_namespace?

By default.

Daniel, did you set up anything special in pam? Did everything seem to work correctly?

I am using FreeIPA for authentication with OpenAFS. This error occurs when I ssh into my computer as root. My /etc/pam.d/password-auth file has additional lines to get AFS tokens automatically:

```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=done] pam_afs_session.so always_aklog debug
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     required      pam_afs_session.so always_aklog debug
```

Perhaps this is because root is not a FreeIPA or OpenAFS user?

You only get it when you log in as root, but if you log in as a normal user, does everything work? I.e. do you get your proper tokens?

Sorry, I take that back - I get it as 'normal' users too. But I get a ticket and token and can access AFS OK.

```
type=SYSCALL msg=audit(1334764229.337:1297): arch=x86_64 syscall=ioctl success=yes exit=0 a0=6 a1=40084301 a2=7fff8a339dc0 a3=8 items=0 ppid=1528 pid=30579 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=153 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
```

Actually the syscall is succeeding ("success=yes") even though the AVC is generated, so you could safely generate a dontaudit alert for this.

```
# grep sys_admin /var/log/audit/audit.log | audit2allow -D -M mysshd
# semodule -i mysshd.pp
```

I am not sure if this is caused by a problem with our kernel or with the afs kernel module.

*** Bug 835975 has been marked as a duplicate of this bug. ***

Just a "me too". I'm seeing this as well, but on RHEL6, and without using pam_afs_session.

Trond is this happening on an AVS System?

(In reply to comment #10)
> Trond is this happening on an AVS System?

Hm.. I don't know what an AVS system is, so I'm pretty sure that the answer is no :) This is a Dell R720 running web server statistics (Google Urchin) for our site, but I'm not sure if it is in production yet. I've seen this AVC before on other RHEL6 hosts. Tested a few and found one more that has this problem. Also a Dell server, running mysql and some web apps. Comparing Daniel's /etc/pam.d/password-auth in comment #4 to ours, except for the obvious I can only find one common denominator: pam_sss. I can't tell if that is significant though; I'm not sure what to look for. In my limited testing, this happens consistently on affected servers, for both root (local) and regular users (from SSSD/LDAP). I'll be happy to perform some (non-destructive) debugging, but I'll need some guidance on how to proceed.

AFS, sorry.

(In reply to comment #12)
> AFS, sorry.

Nope, Kerberos isn't in the picture at all. These systems use LDAP (rfc2307, not IPA) and SSSD for authentication.

Trond, what AVC are you seeing?

Here is the AVC that is generated:

```
type=AVC msg=audit(1343055966.291:482641): avc: denied { sys_admin } for pid=7134 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
```

I'm seeing this on my AFS client (Fedora 19). It happens whenever I log in over SSH. I use sssd (Kerberos) and pam_afs_session. My homedir is in AFS.

Ken are you successfully allowed to login?

(In reply to comment #17)
> Ken are you successfully allowed to login?

Yep, I can still log in via SSH. (I'm using "Enforcing".) I tested with selinux-policy-targeted-3.11.1-67.fc19 today, and SELinux still logs the AVC denial.

Ok, I just checked in a fix for this to allow sshd_t sys_admin privs. Looks like it requests it in a couple of different ways, so might as well allow it. sshd_t is already a really powerful domain.

selinux-policy-3.11.1-69.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-69.fc18

I can confirm that I no longer get the AVC denial in 3.11.1-69.fc19.

Could you update karma? Thank you for testing.

Package selinux-policy-3.11.1-69.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-69.fc18'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0147/selinux-policy-3.11.1-69.fc18
then log in and leave karma (feedback).

selinux-policy-3.11.1-71.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-71.fc18

selinux-policy-3.11.1-71.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
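The thread's key observation is that the sys_admin AVC was logged while the audited syscall still returned success=yes, which is what makes it a dontaudit candidate rather than a real block. The following is an added example, not code from the bug report or the selinux-policy project: it pairs each AVC with the SYSCALL record of the same audit event, flags whether the operation actually succeeded, and renders the matching dontaudit rule in TE syntax. The audit records in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report). Each AVC is
# paired with the SYSCALL record of the same event via the audit(ts:serial) id.
SAMPLE_LOG = """\
type=AVC msg=audit(1334764229.337:1297): avc:  denied  { sys_admin } for  pid=30579 comm="sshd" capability=21  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1334764229.337:1297): arch=c000003e syscall=16 success=yes exit=0 pid=30579 auid=0 uid=0 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334764300.100:1302): avc:  denied  { read } for  pid=30600 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1334764300.100:1302): arch=c000003e syscall=2 success=no exit=-13 pid=30600 auid=0 uid=0 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one raw audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    rec["serial"] = m.group(2) if m else None
    p = PERM_RE.search(line)
    rec["perms"] = p.group(1).split() if p else []
    return rec

def classify_denials(log_text):
    """For each AVC denial, say whether the audited syscall still succeeded.
    success=yes on the paired SYSCALL (the case in this bug) means the check was
    logged but the operation completed, so the denial is a dontaudit candidate."""
    events = defaultdict(list)          # audit serial -> records of that event
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        events[rec["serial"]].append(rec)
    results = []
    for serial, recs in events.items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        ok = syscall is not None and syscall.get("success") == "yes"
        for avc in (r for r in recs if r["type"] == "AVC" and r["perms"]):
            results.append({"serial": serial, "scontext": avc["scontext"],
                            "tcontext": avc["tcontext"], "tclass": avc["tclass"],
                            "perms": avc["perms"], "syscall_succeeded": ok,
                            "suggest": "dontaudit" if ok else "investigate"})
    return results

def dontaudit_rule(denial):
    """Render the matching dontaudit rule in SELinux TE syntax (the kind audit2allow -D emits)."""
    src = denial["scontext"].split(":")[2]
    tgt = "self" if denial["tcontext"] == denial["scontext"] else denial["tcontext"].split(":")[2]
    return f"dontaudit {src} {tgt}:{denial['tclass']} {{ {' '.join(denial['perms'])} }};"
```

A denial whose syscall failed (the constructed shadow_t read above) is reported as "investigate" rather than silenced, which is the distinction the thread draws before choosing audit2allow -D.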