Bug 1015211 - RHEL7 ssh avc denials preventing proper hostkey setup
Status: CLOSED DUPLICATE of bug 1014482
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Version: 7.0
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
Reported: 2013-10-03 12:32 EDT by Scott Poore
Modified: 2015-02-18 08:42 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-03 12:54:53 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Scott Poore 2013-10-03 12:32:22 EDT
Description of problem:

On RHEL7 test builds, I'm seeing the following trying to start sshd:

[root@qe-blade-05 ssh]# setenforce 1

[root@qe-blade-05 ssh]# rm ssh_host_rsa_key* -f 

[root@qe-blade-05 ssh]# date; service sshd start
Thu Oct  3 12:22:40 EDT 2013
Redirecting to /bin/systemctl start  sshd.service

[root@qe-blade-05 ssh]# tail /var/log/messages
...
Oct  3 12:22:40 qe-blade-05 systemd: Starting OpenSSH server daemon...
Oct  3 12:22:40 qe-blade-05 sshd-keygen: Generating SSH2 RSA host key: chgrp: changing group of ‘/etc/ssh/ssh_host_rsa_key’: Operation not permitted
Oct  3 12:22:40 qe-blade-05 sshd-keygen: [  OK  ]
Oct  3 12:22:40 qe-blade-05 systemd: Started OpenSSH server daemon.
Oct  3 12:22:40 qe-blade-05 sshd: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct  3 12:22:40 qe-blade-05 sshd: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Oct  3 12:22:40 qe-blade-05 sshd: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct  3 12:22:40 qe-blade-05 sshd: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Oct  3 12:22:40 qe-blade-05 sshd: It is required that your private key files are NOT accessible by others.
Oct  3 12:22:40 qe-blade-05 sshd: This private key will be ignored.
Oct  3 12:22:40 qe-blade-05 sshd: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Oct  3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_rsa_key
Oct  3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_dsa_key
Oct  3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

[root@qe-blade-05 ssh]# ausearch -m avc  -ts 12:22:40 
----
time->Thu Oct  3 12:22:40 2013
type=SYSCALL msg=audit(1380817360.234:208): arch=c000003e syscall=260 success=no exit=-1 a0=ffffffffffffff9c a1=86f3f0 a2=ffffffff a3=3e6 items=0 ppid=27629 pid=27632 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chgrp" exe="/usr/bin/chgrp" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817360.234:208): avc:  denied  { chown } for  pid=27632 comm="chgrp" capability=0  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct  3 12:22:40 2013
type=SYSCALL msg=audit(1380817360.236:209): arch=c000003e syscall=269 success=no exit=-13 a0=ffffffffffffff9c a1=1271d10 a2=1 a3=7fffee202910 items=0 ppid=1 pid=27629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd-keygen" exe="/usr/bin/bash" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817360.236:209): avc:  denied  { execute } for  pid=27629 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

And it appears as if the file is left with group read:

[root@qe-blade-05 ssh]# ls -ld /etc/ssh/ssh_host_rsa_key*
-rw-r-----. 1 root root 1679 Oct  3 12:22 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root  382 Oct  3 12:22 /etc/ssh/ssh_host_rsa_key.pub

Version-Release number of selected component (if applicable):

[root@qe-blade-05 ssh]# rpm -q openssh selinux-policy
openssh-6.2p2-8.el7.x86_64
selinux-policy-3.12.1-85.el7.noarch

Note that selinux-policy was upgraded from the previous -84 release.

How reproducible:
Currently unknown.  Issue seen on two separate test boxes in lab.


Steps to Reproduce:
1. Install RHEL7 from repo with affected versions
2. service sshd stop
3. rm -f /etc/ssh/ssh_host_rsa_key*
4. date; service sshd start
5. ls -l /etc/ssh_host_rsa_key*
6. ausearch -m avc -ts <time from step 4>

Actual results:
above errors and unable to ssh into host

Expected results:
proper permissions and ownership set for sshd to function properly.

Additional info:
Comment 1 Scott Poore 2013-10-03 12:34:07 EDT
fyi, all AVC denials I see when I set permissive mode:

[root@qe-blade-05 ssh]# service sshd stop
Redirecting to /bin/systemctl stop  sshd.service

[root@qe-blade-05 ssh]# setenforce 0

[root@qe-blade-05 ssh]# rm ssh_host_rsa_key* -f 

[root@qe-blade-05 ssh]# date; service sshd start
Thu Oct  3 12:30:37 EDT 2013
Redirecting to /bin/systemctl start  sshd.service

[root@qe-blade-05 ssh]# ausearch -m avc -ts 12:30:37
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.919:218): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=13e73f0 a2=ffffffff a3=3e6 items=0 ppid=27710 pid=27713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chgrp" exe="/usr/bin/chgrp" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.919:218): avc:  denied  { chown } for  pid=27713 comm="chgrp" capability=0  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.920:219): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=8fc0f0 a2=1a0 a3=7fffcb249860 items=0 ppid=27710 pid=27714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.920:219): avc:  denied  { fsetid } for  pid=27714 comm="chmod" capability=4  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.921:220): arch=c000003e syscall=269 success=yes exit=0 a0=ffffffffffffff9c a1=fc2d10 a2=1 a3=7fff0f7ece90 items=0 ppid=1 pid=27710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd-keygen" exe="/usr/bin/bash" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.921:220): avc:  denied  { execute } for  pid=27710 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.921:221): arch=c000003e syscall=59 success=yes exit=0 a0=fc2d10 a1=fc3790 a2=fc3250 a3=7fff0f7ecff0 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.921:221): avc:  denied  { execute_no_trans } for  pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1380817837.921:221): avc:  denied  { read open } for  pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:222): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775299 a1=7ffffcc58ed0 a2=7f3a3a775299 a3=36393631363d7365 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:222): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:223): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775296 a1=7ffffcc58ed0 a2=7f3a3a775296 a3=6975736f6e2c6c65 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:223): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="tmpfs" ino=1174 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:224): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775297 a1=7ffffcc58ed0 a2=7f3a3a775297 a3=65646f6d2c353d64 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:224): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="devpts" ino=1 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.923:225): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a7753b4 a1=7ffffcc58ed0 a2=7f3a3a7753b4 a3=7f3a37eaf000 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.923:225): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="dm-1" ino=128 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.923:226): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a77539a a1=7ffffcc58ed0 a2=7f3a3a77539a a3=732c777220736662 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.923:226): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="hugetlbfs" ino=15218 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=filesystem
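As an added example (not part of the bug report or of any Red Hat tooling), the following Python summarizer folds AVC records like the ones in comment 1 into audit2allow-style rules, so the three distinct grants the ssh_keygen_t domain was missing (the chown and fsetid capabilities, and execution of setfiles) are visible at a glance; the sample lines are copied from the comment above, and the rule format is assumed to match what audit2allow prints.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from comment 1 of the bug report above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1380817837.919:218): avc:  denied  { chown } for  pid=27713 comm="chgrp" capability=0  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
type=AVC msg=audit(1380817837.920:219): avc:  denied  { fsetid } for  pid=27714 comm="chmod" capability=4  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
type=AVC msg=audit(1380817837.921:220): avc:  denied  { execute } for  pid=27710 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1380817837.921:221): avc:  denied  { execute_no_trans } for  pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1380817837.921:221): avc:  denied  { read open } for  pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1380817837.922:222): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """system_u:system_r:ssh_keygen_t:s0 -> ssh_keygen_t (the type is the third field)."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the denial's permissions, comm, source/target types and class, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),   # "{ read open }" carries two permissions
        "comm": m.group("comm"),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def summarize(text):
    """Fold denials into audit2allow-style rules keyed by (source, target, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:          # SYSCALL records and '----' separators are skipped
            continue
        # A denial against the process's own context is written as 'self'.
        target = "self" if d["target"] == d["source"] else d["target"]
        rules[(d["source"], target, d["tclass"])].update(d["perms"])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in rules.items()
    )
```

The output is a diagnostic summary of what the policy refused, which is why chgrp could not change the key's group and the key stayed root:root 0640, a mode sshd rejects as too open; the report itself was resolved as a duplicate of the selinux-policy bug 1014482.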
Comment 3 Miroslav Grepl 2013-10-03 12:54:53 EDT

*** This bug has been marked as a duplicate of bug 1014482 ***
