Bug 994173

Summary: SELinux is preventing /usr/sbin/sshd from 'name_connect' accesses on the tcp_socket .
Product: Fedora
Reporter: Kevin <mephisto>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, mgrepl
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:c359d99806801bfd4fa2da506efe20214d54b1ae7b88332260d83b7b54f78c6d
Doc Type: Bug Fix
Last Closed: 2013-08-07 18:15:52 UTC

Description Kevin 2013-08-06 16:06:53 UTC
Description of problem:
Having installed the pam_yubico package from Fedora repos, ssh login with the yubikey is blocked by the system SELinux policy.

I'm not sure if this should be allowed by default, but it seems to me that using pam_yubico with sshd is a very common use case for the module.
SELinux is preventing /usr/sbin/sshd from 'name_connect' accesses on the tcp_socket .

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow authlogin to yubikey
Then you must tell SELinux about this by enabling the 'authlogin_yubikey' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_yubikey 1

*****  Plugin catchall (6.38 confidence) suggests  ***************************

If you believe that sshd should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:http_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          80
Host                          (removed)
Source RPM Packages           openssh-server-6.2p2-4.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-66.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.4-300.fc19.x86_64 #1 SMP Tue
                              Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-08-03 01:07:20 EDT
Last Seen                     2013-08-06 11:51:16 EDT
Local ID                      185d529c-1d31-4733-b1cb-bbc1740c495d

Raw Audit Messages
type=AVC msg=audit(1375804276.446:433): avc:  denied  { name_connect } for  pid=2383 comm="sshd" dest=80 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1375804276.446:433): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fff5403ecc0 a2=1c a3=7 items=0 ppid=2381 pid=2383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,http_port_t,tcp_socket,name_connect

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.4-300.fc19.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-08-07 18:15:52 UTC
Did you read the alert?

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow authlogin to yubikey
Then you must tell SELinux about this by enabling the 'authlogin_yubikey' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_yubikey 1

Comment 2 Kevin 2013-08-07 18:18:03 UTC
Yes, I did.  Did you read my original comments?

Comment 3 Miroslav Grepl 2013-08-08 12:06:45 UTC
We don't want to allow it by default. Basically this is a reason why we have booleans.

# setsebool -P authlogin_yubikey 1

is for the permanent change.
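The point made in the comments is that a denial like the one in this report has two possible remediations, and the boolean is the preferable one: it is part of the shipped policy, it can be reverted with a single command, and it does not widen sshd_t's access beyond what the policy author already considered. The script below is an added example, not part of the bug report or of selinux-policy. It parses the raw AVC record quoted above, splits the source and target contexts into user/role/type/level, and then either names the boolean setroubleshoot proposed or, for a denial no boolean covers, shows the `allow` rule that `audit2allow -M mypol` would generate for a local module. The BOOLEAN_HINTS table is an assumption built from the suggestion text on this page (authlogin_yubikey for sshd_t connecting to http_port_t), and the second record with `example_port_t` is constructed to exercise the fallback path.

```python
import re
import shlex

# Raw AVC record as quoted in the bug report's "Raw Audit Messages" section.
AVC_RECORD = (
    "type=AVC msg=audit(1375804276.446:433): avc:  denied  { name_connect } for  "
    'pid=2383 comm="sshd" dest=80 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    "tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket"
)

# Constructed record (not from the report): same domain, a hypothetical port
# type that no boolean on the page covers, used to show the fallback path.
CONSTRUCTED_RECORD = (
    "type=AVC msg=audit(1375804300.000:434): avc:  denied  { name_connect } for  "
    'pid=2390 comm="sshd" dest=9999 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    "tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket"
)

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)

# Assumed mapping from the setroubleshoot suggestion in this report: the
# authlogin_yubikey boolean gates sshd_t -> http_port_t tcp_socket name_connect.
BOOLEAN_HINTS = [
    {
        "boolean": "authlogin_yubikey",
        "source_type": "sshd_t",
        "target_type": "http_port_t",
        "tclass": "tcp_socket",
        "perms": {"name_connect"},
    },
]


def parse_context(ctx):
    """Split user:role:type[:level]. The MLS level may itself contain colons
    (s0-s0:c0.c1023), so split at most three times and keep the remainder."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(record):
    """Parse one type=AVC audit record into a dict of its parts."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {}
    # shlex handles the quoted comm="sshd" token; each token is key=value.
    for token in shlex.split(m.group("rest")):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    msg = MSG_RE.search(record)
    return {
        "timestamp": msg.group("ts") if msg else None,
        "serial": msg.group("serial") if msg else None,
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "fields": fields,
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def suggest_remediation(avc):
    """Prefer a shipped boolean (narrow, revertable); otherwise return the
    allow rule a local audit2allow module would contain for this denial."""
    for hint in BOOLEAN_HINTS:
        if (avc["scontext"]["type"] == hint["source_type"]
                and avc["tcontext"]["type"] == hint["target_type"]
                and avc["tclass"] == hint["tclass"]
                and set(avc["perms"]) <= hint["perms"]):
            return ("boolean", "setsebool -P %s 1" % hint["boolean"])
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    rule = "allow %s %s:%s %s;" % (
        avc["scontext"]["type"], avc["tcontext"]["type"], avc["tclass"], perm_str)
    return ("local_module", rule)


if __name__ == "__main__":
    for rec in (AVC_RECORD, CONSTRUCTED_RECORD):
        avc = parse_avc(rec)
        print("%s -> %s %s %s: %s" % (avc["scontext"]["type"], avc["tcontext"]["type"],
                                       avc["tclass"], avc["perms"], suggest_remediation(avc)))
```

On a real host the table should not be trusted blindly: `sesearch -A -s sshd_t -t http_port_t -c tcp_socket -p name_connect` (from setools) prints the conditional rule together with the boolean that guards it, which is the authoritative way to confirm that authlogin_yubikey is the right switch before a local module is written.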