Created attachment 948456: Selinux audit.log

Description of problem:
While trying to ssh to my system:

[tshefi@tshefi ~]$ ssh cougar12
Warning: Permanently added 'cougar12,X.Y.Z.W' (RSA) to the list of known hosts.
root@cougar12's password:
(*** There is a delay of a few seconds here ***)
Last login: Mon Oct 20 09:29:37 2014
/bin/bash: Permission denied
Connection to cougar12 closed.

Note I've bypassed on my box the need to add the user prefix root.z.w. when running ssh (I know, less secure). I've also tried it with ssh root@cougar12, same error.

Version-Release number of selected component (if applicable):
Fedora release 21 (Twenty One)

How reproducible:
Not sure, first time it happened to me.

Steps to Reproduce:
1. In my case the system was installed with Fedora 20 and then upgraded to 21.
2. Try to ssh into the machine, got the error.
3. Using console via IPMI: setenforce 0
4. ssh now works.

Actual results:
Can't ssh to the system while selinux is enforcing:

ssh cougar12
Warning: Permanently added 'cougar12,X.Y.Z.W' (RSA) to the list of known hosts.
root@cougar12's password:
Last login: Mon Oct 20 09:29:37 2014
/bin/bash: Permission denied
Connection to cougar12 closed.

Expected results:
If ssh is enabled by default, a proper rule should be added on selinux.

Additional info:
Attached: selinux audit log, sealert -a /var/log/audit/audit.log
Created attachment 948457: Sealert parse of audit.log
(In reply to Tzach Shefi from comment #0)
> Steps to Reproduce:
> 1. In my case the system was installed with Fedora20 and then upgraded to 21.

Did you use yum for that? Did you see any error or warning messages during the upgrade? Could you please check your logs and try to find something suspicious?

Your filesystem is apparently mis-labelled. Please check:

# ls -Z /usr/sbin/sshd
# matchpathcon /usr/sbin/sshd

The outputs most probably differ. You can fix it using:

# fixfiles onboot

and reboot.
Did you use fedup?
Didn't use fedup, found out about this afterwards. Used yum to upgrade:
https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum

# rpm --import https://fedoraproject.org/static/95A43F54.txt
# yum update yum
# yum clean all
# yum --releasever=21 distro-sync --nogpgcheck
# yum install system-release-server

Don't recall getting any errors during the upgrade; which log files would indicate any such errors?

[root@cougar12 ~]# ls -Z /usr/sbin/sshd
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/sbin/sshd
[root@cougar12 ~]# matchpathcon /usr/sbin/sshd
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0

Compared the above to my RHEL 6.5, got the same results for both. Ran fixfiles onboot, still the same error. I'll email you the system details if you wish to check yourself.
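The check suggested in comment #2 (compare the on-disk label from `ls -Z` with the policy's expected label from `matchpathcon`) and the mismatch shown in comment #4 (`bin_t` on disk versus `sshd_exec_t` expected) can be scripted so the comparison is done on the SELinux type field rather than by eye. The script below is an added example, not code from the bug report or from the selinux-policy project; the sample strings are constructed copies of the comment #4 output, and `check_path` assumes `ls` and `matchpathcon` are installed on the host.

```shell
#!/bin/sh
# Constructed sample outputs, copied from comment #4 of this bug. On a live
# system these strings come from `ls -Z "$path"` and `matchpathcon "$path"`.
SAMPLE_LS_Z='-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/sbin/sshd'
SAMPLE_MATCHPATHCON='/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0'

# Extract the SELinux type (third colon-separated field) from a full context,
# e.g. "unconfined_u:object_r:bin_t:s0" -> "bin_t". The user field differs
# between the two tools even on a healthy system, so only the type is compared.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull the context out of an `ls -Z` line: it is the first field that
# contains colons, whichever coreutils output layout is in use.
ls_z_context() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:/) { print $i; exit } }'
}

# matchpathcon prints "<path> <context>"; the context is the last field.
matchpathcon_context() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Compare the on-disk type with the type the loaded policy expects.
# Returns 0 on match, 1 on mismatch (the condition seen in this bug).
check_label() {
    actual=$(context_type "$(ls_z_context "$1")")
    expected=$(context_type "$(matchpathcon_context "$2")")
    if [ "$actual" = "$expected" ]; then
        echo "ok: type $actual matches policy"
        return 0
    fi
    echo "MISMATCH: on disk $actual, policy expects $expected"
    echo "  fix with: restorecon -v <path>   (or fixfiles onboot && reboot for the whole filesystem)"
    return 1
}

# Live check of one path, for hosts where both tools exist (assumption).
check_path() {
    check_label "$(ls -Z "$1")" "$(matchpathcon "$1")"
}

# Usage on the sample data from the bug: reports the bin_t / sshd_exec_t mismatch.
check_label "$SAMPLE_LS_Z" "$SAMPLE_MATCHPATHCON"
```

Running `check_path /usr/sbin/sshd` on the affected host would report the same mismatch; after `fixfiles onboot` and a reboot (or `restorecon -v /usr/sbin/sshd`) it should print `ok`. Checking a handful of daemon binaries this way after a distro-sync upgrade is a quick way to spot the relabel problem before SELinux denials start showing up in audit.log.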
Something odd just happened, I played around with selinux conf file, set to disabled, rebooted, then set to enforcing again, rebooted. Now ssh works fine with enforcing.
It looks like I found a bug in the policy which breaks the f20->f21 update.
mgrepl: would this affect a fedup upgrade too?
(In reply to Adam Williamson (Red Hat) from comment #7)
> mgrepl: would this affect a fedup upgrade too?

I think so. We have builds which need to be tested.
OK. I don't think this needs to be a blocker or FE bug, as packages used during upgrade are pulled from the 'fedora' repo, i.e. this can be fixed after Beta is unfrozen and people doing upgrades will get the fix.
OK. Lukas, could you get a new f21 update with this fix?
selinux-policy-3.13.1-88.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-88.fc21
done.
Package selinux-policy-3.13.1-88.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-88.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-88.fc21
then log in and leave karma (feedback).
Package selinux-policy-3.13.1-90.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-90.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-90.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.