Red Hat Bugzilla – Bug 1062643
SSHD and SELinux entrypoint access denied
Last modified: 2017-04-18 17:55:35 EDT
Description of problem:

Upon system bootup, everything is fine and no issues occur. However, as root, restart sshd and then the user's ssh connection is presented with:

    ####@####'s password:
    Last login: Fri Feb 7 14:36:55 UTC 2014 from ### on pts/1
    Last login: Fri Feb 7 14:38:37 2014 from ###
    /bin/bash: Permission denied
    Connection to #### closed.

SELinux shows this in the logs:

    type=AVC msg=audit(1391783451.309:99): avc: denied { entrypoint } for pid=3461 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1391783815.832:111): avc: denied { entrypoint } for pid=3489 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1391783917.334:125): avc: denied { entrypoint } for pid=3527 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

    setroubleshoot: SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l b134f048-ea68-41c1-a35e-6c1dd6f18c44

Output of sealert -l b134f048-ea68-41c1-a35e-6c1dd6f18c44:

    Summary:
    SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t).

    Detailed Description:
    SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

    Allowing Access:
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /bin/bash,
        restorecon -v '/bin/bash'
    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

    Additional Information:
    Source Context         user_u:system_r:update_modules_t
    Target Context         system_u:object_r:shell_exec_t
    Target Objects         /bin/bash [ file ]
    Source                 sshd
    Source Path            /usr/sbin/sshd
    Port                   <Unknown>
    Host                   hal04.halogenonline.co.uk
    Source RPM Packages    openssh-server-4.3p2-82.el5
    Target RPM Packages    bash-3.2-32.el5_9.1
    Policy RPM             selinux-policy-2.4.6-346.el5
    Selinux Enabled        True
    Policy Type            targeted
    MLS Enabled            True
    Enforcing Mode         Enforcing
    Plugin Name            catchall_file
    Host Name              hal04.halogenonline.co.uk
    Platform               Linux hal04.halogenonline.co.uk 2.6.18-371.3.1.el5 #1 SMP Mon Nov 11 03:24:35 EST 2013 i686 i686
    Alert Count            29
    First Seen             Wed Feb 5 15:53:59 2014
    Last Seen              Fri Feb 7 12:20:43 2014
    Local ID               b134f048-ea68-41c1-a35e-6c1dd6f18c44
    Line Numbers

    Raw Audit Messages
    host=hal04.halogenonline.co.uk type=AVC msg=audit(1391775643.42:73): avc: denied { entrypoint } for pid=3333 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    host=hal04.halogenonline.co.uk type=SYSCALL msg=audit(1391775643.42:73): arch=40000003 syscall=11 success=no exit=-13 a0=8476868 a1=bf7ff828 a2=847cef8 a3=0 items=0 ppid=3332 pid=3333 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts1 ses=5 comm="sshd" exe="/usr/sbin/sshd" subj=user_u:sysadm_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

    openssh-server-4.3p2-82.el5
    libselinux-devel-1.33.4-5.7.el5
    selinux-policy-targeted-2.4.6-346.el5
    libselinux-1.33.4-5.7.el5
    selinux-policy-2.4.6-346.el5
    selinux-policy-minimum-2.4.6-346.el5
    libselinux-utils-1.33.4-5.7.el5
    libselinux-python-1.33.4-5.7.el5

Syslog entries from setroubleshoot:

    Feb 7 14:30:51 hal04 setroubleshoot: SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l c65c8e44-d025-477f-aec1-64429b734f62
    Feb 7 14:36:55 hal04 setroubleshoot: SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l c65c8e44-d025-477f-aec1-64429b734f62
    Feb 7 14:38:37 hal04 setroubleshoot: SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l c65c8e44-d025-477f-aec1-64429b734f62

How reproducible:

Steps to Reproduce:
1. Run RHEL 5 system
2. restart sshd
3. try to ssh to system

Actual results:
selinux blocks entrypoint

Expected results:
selinux should allow entrypoint

Additional info:
Two systems built using similar kickstarts exhibit this issue. System reboot will restore sshd connectivity, as will setenforce 0. A system with SELinux enforcing on bootup will allow the ssh connection.
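As an added example (not part of the bug report, and not Red Hat's tooling), the Python 3 script below joins the AVC and SYSCALL records quoted above on their audit serial number and summarises them. The sample records are copied from the report; the function names are the example's own. Joining the two record types is what makes the denial readable: SELinux checks the entrypoint permission against the domain a process is trying to enter, so the AVC's scontext (update_modules_t) is the target of an attempted domain transition, while the SYSCALL record's subj (unconfined_t) is the domain sshd was actually in when it called execve on /bin/bash.

```python
"""Triage SELinux AVC denials by joining AVC and SYSCALL records on the
audit serial number. Added example for this bug, not code from the report."""
import re
from collections import Counter

# Constructed sample: the three AVC records from the description plus the
# AVC/SYSCALL pair from the sealert "Raw Audit Messages" section (serial 73).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1391783451.309:99): avc: denied { entrypoint } for pid=3461 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1391783815.832:111): avc: denied { entrypoint } for pid=3489 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1391783917.334:125): avc: denied { entrypoint } for pid=3527 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
host=hal04.halogenonline.co.uk type=AVC msg=audit(1391775643.42:73): avc: denied { entrypoint } for pid=3333 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
host=hal04.halogenonline.co.uk type=SYSCALL msg=audit(1391775643.42:73): arch=40000003 syscall=11 success=no exit=-13 a0=8476868 a1=bf7ff828 a2=847cef8 a3=0 items=0 ppid=3332 pid=3333 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts1 ses=5 comm="sshd" exe="/usr/sbin/sshd" subj=user_u:sysadm_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the record's key=value fields as a dict plus ts, serial and,
    for AVCs, the list of denied permissions. Quoted values are unquoted."""
    m = MSG_RE.search(line)
    if not m:
        return None  # not an audit record
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"], rec["serial"] = m.group("ts"), int(m.group("serial"))
    p = PERMS_RE.search(line)
    if p:
        rec["perms"] = p.group("perms").split()
    return rec


def type_of(context):
    """Type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def join_by_serial(text):
    """Group records by audit serial: {serial: {"AVC": [...], "SYSCALL": [...]}}."""
    events = {}
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        events.setdefault(rec["serial"], {}).setdefault(rec.get("type", "UNKNOWN"), []).append(rec)
    return events


def denial_summary(text):
    """Count denials by (permission, source type, target type, object class)."""
    counts = Counter()
    for ev in join_by_serial(text).values():
        for avc in ev.get("AVC", []):
            for perm in avc.get("perms", []):
                counts[(perm, type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])] += 1
    return counts


def transition_attempts(text):
    """For AVCs that have a SYSCALL record with the same serial, report cases
    where the caller's domain (SYSCALL subj) differs from the AVC source domain.
    Because entrypoint is checked against the domain being entered, a mismatch
    means the exec was an attempted domain transition, not a denial inside the
    caller's own domain."""
    out = []
    for serial, ev in sorted(join_by_serial(text).items()):
        syscalls = ev.get("SYSCALL", [])
        if not syscalls:
            continue
        caller = type_of(syscalls[0]["subj"])
        for avc in ev.get("AVC", []):
            target = type_of(avc["scontext"])
            if caller != target:
                out.append((serial, avc.get("comm"), caller, target, avc.get("path"), syscalls[0].get("exit")))
    return out


if __name__ == "__main__":
    for key, n in denial_summary(SAMPLE_AUDIT).items():
        print("%4d  %s" % (n, " ".join(key)))
    for row in transition_attempts(SAMPLE_AUDIT):
        print("serial %d: %s running as %s tried to enter %s via %s (exit=%s)" % row)
```

Run against a real host with `ausearch -m AVC,SYSCALL -ts recent | python3 triage.py` after replacing SAMPLE_AUDIT with stdin; the join only works when both record types are present, which is why the sealert "Raw Audit Messages" pair is more useful for diagnosis than the bare AVC lines from /var/log/messages.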
What does # id -Z show when you are logged in?
Root:     user_u:sysadm_r:unconfined_t
Own user: user_u:system_r:unconfined_t
And if you restart sshd, what does # ps -efZ | grep ssh show?
Before restart:

    system_u:system_r:unconfined_t:SystemLow-SystemHigh root     2643     1  0 Feb07 ?     00:00:00 /usr/sbin/sshd
    system_u:system_r:unconfined_t:SystemLow-SystemHigh root     20290 2643  1 10:05 ?     00:00:00 sshd: mad56570 [priv]
    system_u:system_r:unconfined_t:SystemLow-SystemHigh mad56570 20292 20290 0 10:05 ?     00:00:00 sshd: mad56570@pts/0
    user_u:sysadm_r:unconfined_t                        root     20347 20323 0 10:05 pts/0 00:00:00 grep ssh

After restart:

    system_u:system_r:unconfined_t:SystemLow-SystemHigh root     20290     1 0 10:05 ?     00:00:00 sshd: mad56570 [priv]
    system_u:system_r:unconfined_t:SystemLow-SystemHigh mad56570 20292 20290 0 10:05 ?     00:00:00 sshd: mad56570@pts/0
    user_u:sysadm_r:unconfined_t:SystemLow-SystemHigh   root     20366     1 0 10:05 ?     00:00:00 /usr/sbin/sshd
    user_u:sysadm_r:unconfined_t                        root     20369 20323 0 10:05 pts/0 00:00:00 grep ssh
Is this enough information, I can send you the kickstart if required for the system
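Added example, not from the reporter or from Red Hat: a Python 3 check over `ps -efZ` output (the command used in the thread) that flags an sshd listener running outside the system_u:system_r context the reporter saw on a clean boot. The baseline user/role and the sample lines are taken from the before/after output above; the function names and the choice to match only the `/usr/sbin/sshd` listener are the example's own.

```python
"""Flag an sshd listener whose SELinux user/role is not the boot-time baseline.
Added example for this bug, not code from the report or from Red Hat."""
import subprocess

# Baseline observed in the thread on a freshly booted system.
EXPECTED_USER, EXPECTED_ROLE = "system_u", "system_r"

# Constructed samples copied from the reporter's `ps -efZ | grep ssh` output.
PS_BEFORE = """\
system_u:system_r:unconfined_t:SystemLow-SystemHigh root 2643 1 0 Feb07 ? 00:00:00 /usr/sbin/sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh root 20290 2643 1 10:05 ? 00:00:00 sshd: mad56570 [priv]
system_u:system_r:unconfined_t:SystemLow-SystemHigh mad56570 20292 20290 0 10:05 ? 00:00:00 sshd: mad56570@pts/0
user_u:sysadm_r:unconfined_t root 20347 20323 0 10:05 pts/0 00:00:00 grep ssh
"""
PS_AFTER = """\
system_u:system_r:unconfined_t:SystemLow-SystemHigh root 20290 1 0 10:05 ? 00:00:00 sshd: mad56570 [priv]
system_u:system_r:unconfined_t:SystemLow-SystemHigh mad56570 20292 20290 0 10:05 ? 00:00:00 sshd: mad56570@pts/0
user_u:sysadm_r:unconfined_t:SystemLow-SystemHigh root 20366 1 0 10:05 ? 00:00:00 /usr/sbin/sshd
user_u:sysadm_r:unconfined_t root 20369 20323 0 10:05 pts/0 00:00:00 grep ssh
"""


def parse_ps_efz(text):
    """Yield (label, uid, pid, ppid, cmd) from `ps -efZ` lines.
    Columns are LABEL UID PID PPID C STIME TTY TIME CMD; only CMD may contain
    spaces, so split on the first eight gaps. Header and short lines are skipped."""
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2]), int(parts[3]), parts[8]


def sshd_listeners(text):
    """Processes whose command is the daemon binary itself; per-connection
    children show up as 'sshd: user [priv]' and are excluded."""
    return [p for p in parse_ps_efz(text) if p[4].split()[0] == "/usr/sbin/sshd"]


def misplaced_sshd(text):
    """Listeners outside the expected SELinux user/role, with a reason string.
    A daemon restarted from an interactive login keeps that login's SELinux user
    and role, which is the state the reporter's 'after restart' output shows."""
    findings = []
    for label, uid, pid, ppid, cmd in sshd_listeners(text):
        user, role = label.split(":")[:2]
        if (user, role) != (EXPECTED_USER, EXPECTED_ROLE):
            reason = "expected %s:%s, got %s:%s" % (EXPECTED_USER, EXPECTED_ROLE, user, role)
            findings.append((pid, ppid, label, reason))
    return findings


def check_live_system():
    """Run the real `ps -efZ` (needs a SELinux host) and return findings."""
    out = subprocess.run(["ps", "-efZ"], check=True, capture_output=True, text=True).stdout
    return misplaced_sshd(out)


if __name__ == "__main__":
    for pid, ppid, label, reason in misplaced_sshd(PS_AFTER):
        print("pid %d (ppid %d) %s: %s" % (pid, ppid, label, reason))
```

The check only tells you that the listener is in the bad state. In the thread the confirmed ways back were a reboot or setenforce 0; no restart method that keeps sshd in system_u:system_r is tested there. policycoreutils ships run_init specifically to launch init scripts in the system context rather than the caller's, but since the thread does not try it, treat it as a lead to verify with this check rather than a known fix.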
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Could you add your outputs of:

    # semanage login -l
    # semanage user -l
Also, what does the /etc/pam.d/sshd file look like, and what is the output in /var/log/secure in enforcing mode after you restart sshd? You can mail me these outputs.
# semanage login -l

    Login Name    SELinux User    MLS/MCS Range
    __default__   user_u          s0
    root          root            SystemLow-SystemHigh

# semanage user -l

    SELinux User    Prefix    MCS Level    MCS Range               SELinux Roles
    root            user      s0           SystemLow-SystemHigh    system_r sysadm_r user_r
    system_u        user      s0           SystemLow-SystemHigh    system_r
    user_u          user      s0           SystemLow-SystemHigh    system_r sysadm_r user_r

/etc/pam.d/sshd:

    #%PAM-1.0
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

/var/log/secure after restarting sshd:

    Mar 14 09:17:24 hal04 sshd[2668]: Received signal 15; terminating.
    Mar 14 09:17:24 hal04 sshd[6073]: Server listening on 192.168.201.4 port 22.
    Mar 14 09:17:35 hal04 sshd[6075]: Accepted password for mad56570 from 10.59.53.22 port 64329 ssh2
    Mar 14 09:17:35 hal04 sshd[6075]: pam_unix(sshd:session): session opened for user mad56570 by (uid=0)
    Mar 14 09:17:35 hal04 sshd[6077]: Received disconnect from 10.59.53.22: 11: disconnected by user
    Mar 14 09:17:35 hal04 sshd[6075]: pam_unix(sshd:session): session closed for user mad56570
May not help, but please see the suggestions at the Red Hat discussion where someone posted this bugzilla at https://access.redhat.com/site/discussions/748453
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page: https://access.redhat.com/support/policy/updates/errata This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com , provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.