Bug 987778
| Summary: | selinux prevents dyntransition with sshd | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | dspurek, ebenes, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-07-24 08:18:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

David, basically it means that the sshd daemon is running with the bad context. Did you start it by hand? Are you trying to debug sshd?
Description of problem:
selinux prevents dyntransition with sshd.

ausearch output:
```
----
time->Wed Jul 24 02:24:21 2013
type=SYSCALL msg=audit(1374647061.593:2024): arch=c000003e syscall=1 success=no exit=-13 a0=8 a1=7fa07e96e590 a2=36 a3=666e6f636e753a72 items=0 ppid=25992 pid=26005 auid=0 uid=9999 gid=9999 euid=9999 suid=9999 fsuid=9999 egid=9999 sgid=9999 fsgid=9999 ses=70 tty=pts0 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1374647061.593:2024): avc: denied { dyntransition } for pid=26005 comm="sshd" scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
```

part of log from sshd server:
```
debug1: SELinux support enabled [preauth]
debug3: ssh_selinux_change_context: setting context from 'unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023' to 'unconfined_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
debug3: ssh_selinux_change_context: setcon unconfined_u:system_r:sshd_net_t:s0-s0:c0.c1023 from unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 failed with Permission denied [preauth]
```

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-63.el7
openssh-6.2p2-3.el7

How reproducible:
always

Steps to Reproduce:
1. run reproduce test
2.
3.

Actual results:
AVC message, in log of ssh server I see - ssh_selinux_change_context: failed with Permission denied [preauth]

Expected results:
no AVC message, no problem with ssh_selinux_change_context in sshd log

Additional info:
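
Added example (not part of the original report or of any project's code): a small triage script for the AVC record above. It shows which context fields the denied `dyntransition` would have changed and whether the process was already outside the domain the daemon normally runs in. The `EXPECTED_DOMAIN` table and its `sshd_t` value are assumptions based on the standard targeted policy; the sample record is copied from the ausearch output in the report.

```python
import re

# The AVC record from the report above (copied from the ausearch output).
AVC = ('type=AVC msg=audit(1374647061.593:2024): avc: denied { dyntransition } '
       'for pid=26005 comm="sshd" '
       'scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=process')

# Assumption (not from the report): the domain the daemon normally runs in
# under the targeted policy when it is started by the init system.
EXPECTED_DOMAIN = {"sshd": "sshd_t"}
FIELDS = ("user", "role", "type", "level")


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = (ctx.split(":", 3) + [""] * 3)[:4]
    return dict(zip(FIELDS, parts))


def parse_avc(line):
    """Return the permissions, command and parsed contexts of an AVC denial."""
    perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if perms is None:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    if "scontext" not in kv or "tcontext" not in kv:
        return None
    return {"perms": perms.group(1).split(), "comm": kv.get("comm"),
            "tclass": kv.get("tclass"),
            "scontext": parse_context(kv["scontext"]),
            "tcontext": parse_context(kv["tcontext"])}


def triage(line):
    """Summarise which fields the denied transition changes and whether the
    process was already outside its expected domain when the denial fired."""
    rec = parse_avc(line)
    if rec is None:
        return None
    src, tgt = rec["scontext"], rec["tcontext"]
    expected = EXPECTED_DOMAIN.get(rec["comm"])
    return {"changed": [f for f in FIELDS if src[f] != tgt[f]],
            "source_domain": src["type"], "expected_domain": expected,
            "wrong_source_domain": expected is not None and src["type"] != expected}


if __name__ == "__main__":
    print(triage(AVC))
```

For the record in this report the result is a role-only change requested from source domain `unconfined_t`, which matches the reply that sshd is running with the wrong context.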