+++ This bug was initially created as a clone of Bug #813870 +++
libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.3.1-3.fc16.x86_64
reason: SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
time: Wed 18 Apr 2012 11:55:02 AM EDT
description:
:SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
:
:***** Plugin catchall_boolean (89.3 confidence) suggests *******************
:
:If you want to enable polyinstantiated directory support.
:Then you must tell SELinux about this by enabling the 'allow_polyinstantiation'boolean.
:Do
:setsebool -P allow_polyinstantiation 1
:
:***** Plugin catchall (11.6 confidence) suggests ***************************
:
:If you believe that sshd should have the sys_admin capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
:Target Context system_u:system_r:sshd_t:s0-s0:c0.c1023
:Target Objects [ capability ]
:Source sshd
:Source Path /usr/sbin/sshd
:Port <Unknown>
:Host (removed)
:Source RPM Packages openssh-server-5.8p2-25.fc16.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-80.fc16.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.3.1-3.fc16.x86_64 #1 SMP
: Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
:Alert Count 2
:First Seen Tue 10 Apr 2012 03:00:39 PM EDT
:Last Seen Wed 18 Apr 2012 11:50:29 AM EDT
:Local ID 59104706-d3ef-4249-a64f-3af84a915b34
:
:Raw Audit Messages
:type=AVC msg=audit(1334764229.337:1297): avc: denied { sys_admin } for pid=30579 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1334764229.337:1297): arch=x86_64 syscall=ioctl success=yes exit=0 a0=6 a1=40084301 a2=7fff8a339dc0 a3=8 items=0 ppid=1528 pid=30579 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=153 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: sshd,sshd_t,sshd_t,capability,sys_admin
:
:audit2allow
:
:#============= sshd_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
:
:allow sshd_t self:capability sys_admin;
:
:audit2allow -R
:
:#============= sshd_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
:
:allow sshd_t self:capability sys_admin;
:
--- Additional comment from Miroslav Grepl on 2012-04-20 14:11:20 CEST ---
Ok, we see it again.
Did it happen by default? Or did you setup pam_namespace?
--- Additional comment from Daniel Scott on 2012-04-20 17:06:00 CEST ---
By default.
--- Additional comment from Daniel Walsh on 2012-04-20 17:29:25 CEST ---
Daniel did you setup anything special in pam? Did everything seem to work correctly?
--- Additional comment from Daniel Scott on 2012-04-20 17:44:09 CEST ---
I am using FreeIPA for authentication with OpenAFS.
This error occurs when I ssh into my computer as root.
My /etc/pam.d/password-auth file has additional lines to get AFS tokens automatically:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth [default=done] pam_afs_session.so always_aklog debug
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session required pam_afs_session.so always_aklog debug
Perhaps this is because root is not a FreeIPA or OpenAFS user?
--- Additional comment from Daniel Walsh on 2012-04-20 17:58:46 CEST ---
You only get it when you log in as root, but if you log in as a normal user, does everything work. IE do you get your proper tokens?
--- Additional comment from Daniel Scott on 2012-04-20 18:05:42 CEST ---
Sorry, I take that back - I get it as 'normal' users too. But I get a ticket and token and can access AFS OK.
--- Additional comment from Daniel Walsh on 2012-04-23 17:27:14 CEST ---
:type=SYSCALL msg=audit(1334764229.337:1297): arch=x86_64 syscall=ioctl
success=yes exit=0 a0=6 a1=40084301 a2=7fff8a339dc0 a3=8 items=0 ppid=1528
pid=30579 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=153 comm=sshd exe=/usr/sbin/sshd
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Actually the syscall is succeeding "success=yes" even though the AVC is generated, so you could safely generate a dontaudit alert for this.
# grep sys_admin /var/log/audit/audit.log | audit2allow -D -M mysshd
# semodule -i mysshd.pp
I am not sure if this is caused by a problem with our kernel or with the afs kernel module.
--- Additional comment from Miroslav Grepl on 2012-06-28 11:47:29 CEST ---
*** Bug 835975 has been marked as a duplicate of this bug. ***
--- Additional comment from Trond H. Amundsen on 2012-07-20 20:18:35 CEST ---
Just a "me too". I'm seeing this as well, but on RHEL6, and without using pam_afs_session.
--- Additional comment from Daniel Walsh on 2012-07-20 23:33:09 CEST ---
Trond is this happening on an AVS System?
--- Additional comment from Trond H. Amundsen on 2012-07-21 00:24:11 CEST ---
(In reply to comment #10)
> Trond is this happening on an AVS System?
Hm.. I don't know what an AVS system is, so I'm pretty sure that the answer is no :) This is a Dell R720 running web server statistics (Google Urchin) for our site, but I'm not sure if it is in production yet. I've seen this AVC before on other RHEL6 hosts. Tested a few and found one more that has this problem. Also a Dell server, running mysql and some web apps.
Comparing Daniel's /etc/pam.d/password-auth in comment #4 to ours, except for the obvious I can only find one common denominator: pam_sss. I can't tell if that is significant though, I'm not sure what to look for. In my limited testing, this happens consistently on affected servers, for both root (local) and regular users (from SSSD/LDAP).
I'll be happy to perform some (non-desctructive) debugging, but I'll need some guidance on how to proceed.
--- Additional comment from Daniel Walsh on 2012-07-23 16:29:02 CEST ---
AFS, sorry.
--- Additional comment from Trond H. Amundsen on 2012-07-23 16:49:22 CEST ---
(In reply to comment #12)
> AFS, sorry.
Nope, Kerberos isn't in the picture at all. These systems use LDAP (rfc2307, not IPA) and SSSD for authentication.
--- Additional comment from Daniel Walsh on 2012-07-23 17:01:26 CEST ---
Trond what AVC are you seeing?
--- Additional comment from Trond H. Amundsen on 2012-07-23 17:11:13 CEST ---
Here is the AVC that is generated:
type=AVC msg=audit(1343055966.291:482641): avc: denied { sys_admin } for pid=7134 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
--- Additional comment from Ken Dreyer on 2012-12-12 06:08:26 CET ---
I'm seeing this on my AFS client (Fedora 19). It happens whenever I log in over SSH. I use sssd (Kerberos) and pam_afs_session. My homedir is in AFS.
--- Additional comment from Daniel Walsh on 2012-12-17 22:39:51 CET ---
Ken are you successfully allowed to login?
--- Additional comment from Ken Dreyer on 2012-12-27 03:27:33 CET ---
(In reply to comment #17)
> Ken are you successfully allowed to login?
Yep, I can still log in via SSH. (I'm using "Enforcing".)
I tested with selinux-policy-targeted-3.11.1-67.fc19 today, and SELinux still logs the AVC denial.
--- Additional comment from Daniel Walsh on 2012-12-27 16:48:41 CET ---
Ok I just checked in a fix for this to allow sshd_t sys_admin privs, Looks like it requests it in a couple of different ways so might as well allow it. sshd_t is already a really powerful domain.
--- Additional comment from Fedora Update System on 2013-01-02 18:37:50 CET ---
selinux-policy-3.11.1-69.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-69.fc18
--- Additional comment from Ken Dreyer on 2013-01-03 03:50:38 CET ---
I can confirm that I no longer get the AVC denial in 3.11.1-69.fc19
--- Additional comment from Miroslav Grepl on 2013-01-03 10:20:51 CET ---
Could you update karma? Thank you for testing.
--- Additional comment from Fedora Update System on 2013-01-04 00:50:50 CET ---
Package selinux-policy-3.11.1-69.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-69.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0147/selinux-policy-3.11.1-69.fc18
then log in and leave karma (feedback).
--- Additional comment from Fedora Update System on 2013-01-15 23:20:39 CET ---
selinux-policy-3.11.1-71.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-71.fc18
--- Additional comment from Fedora Update System on 2013-01-23 02:56:03 CET ---
selinux-policy-3.11.1-71.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-1598.html