Bug 1264073 - SELinux is preventing /usr/sbin/sshd from read access on the file nologin.
SELinux is preventing /usr/sbin/sshd from read access on the file nologin.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd (Show other bugs)
7.1
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: systemd-maint
Frantisek Sumsal
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-17 08:47 EDT by Paul Stauffer
Modified: 2015-12-01 07:49 EST (History)
12 users (show)

See Also:
Fixed In Version: systemd-219-16.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 10:09:28 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Stauffer 2015-09-17 08:47:30 EDT
While a shutdown process is running, ssh logins generate the following selinux denial:

setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file nologin. For complete SELinux messages. run sealert -l a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63

(Oddly, I do not see the associated AVC denial message in /var/log/audit/audit.log*.)

# sealert -l a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63
SELinux is preventing /usr/sbin/sshd from read access on the file nologin.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sshd should be allowed read access on the nologin file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                nologin [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          [hostname]
Source RPM Packages           openssh-server-6.6.1p1-12.el7_1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     [hostname]
Platform                      Linux [hostname] 3.10.0-229.7.2.el7.x86_64 #1 SMP
                              Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-16 10:55:05 EDT
Last Seen                     2015-09-16 10:55:05 EDT
Local ID                      a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63

Raw Audit Messages
type=AVC msg=audit(1442415305.449:880158): avc:  denied  { read } for  pid=14239 comm="sshd" name="nologin" dev="tmpfs" ino=34822437 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1442415305.449:880158): arch=x86_64 syscall=open success=no exit=EACCES a0=7f659c791e3a a1=0 a2=0 a3=0 items=0 ppid=1825 pid=14239 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,init_var_run_t,file,read
Comment 2 Milos Malik 2015-09-17 08:58:02 EDT
It seems that the /var/run/nologin file is mislabeled on your machine:

# matchpathcon /var/run/nologin
/var/run/nologin	system_u:object_r:systemd_logind_var_run_t:s0
#

Following command should fix it:

# restorecon -v /var/run/nologin

If it happens again then we will need to find out, what process creates that file.
Comment 3 Paul Stauffer 2015-09-17 09:11:58 EDT
That file is created dynamically by the shutdown process.  It does not otherwise exist.  Per the shutdown(8) man page:

       If the time argument is used, 5 minutes before the system goes down the
       /run/nologin file is created to ensure that further logins shall not be
       allowed.

# ls -lZ /var/run/nologin
ls: cannot access /var/run/nologin: No such file or directory
# ls -lZ /run/nologin
ls: cannot access /run/nologin: No such file or directory

Sounds like you're saying this is a mislabeling bug, not a policy bug?  If so, this bug should perhaps be reassigned to the systemd component, since that's the package that owns /usr/sbin/shutdown.
Comment 4 Milos Malik 2015-09-17 09:36:26 EDT
Based on following AVCs generated by a special policy module, /usr/lib/systemd/systemd-user-sessions process creates a temporary file and then renames it to /run/nologin:
----
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=1 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/17/2015 15:27:43.062:123) :  cwd=/ 
type=SYSCALL msg=audit(09/17/2015 15:27:43.062:123) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7f0a7eeb4010 a1=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a2=0600 a3=0x55fabfcf items=2 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(09/17/2015 15:27:43.062:123) : avc:  granted  { create } for  pid=2417 comm=systemd-user-se name=.#nologin5aGJgw scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file 
----
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=3 name=/run/nologin inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=2 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=DELETE 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=1 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/17/2015 15:27:43.071:125) :  cwd=/ 
type=SYSCALL msg=audit(09/17/2015 15:27:43.071:125) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f0a7eeb4010 a1=0x7f0a7d407f84 a2=0x7f0a7eeb4110 a3=0x22 items=4 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(09/17/2015 15:27:43.071:125) : avc:  granted  { rename } for  pid=2417 comm=systemd-user-se name=.#nologin5aGJgw dev="tmpfs" ino=58085 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file 
----

Because filename transition rules are not applied during a rename operation, the label on /run/nologin file stays init_var_run_t.
Comment 5 Miroslav Grepl 2015-09-21 02:14:29 EDT
The problem is it creates random names 

.#nologin5aGJgw 

and we are now able to cover them using SELinux policy rules.
Comment 6 Michal Sekletar 2015-09-21 07:27:09 EDT
(In reply to Miroslav Grepl from comment #5)
> The problem is it creates random names 
> 
> .#nologin5aGJgw 
> 
> and we are now able to cover them using SELinux policy rules.

I will assume this should read "... not able to ..."

I think we should preserve current semantics, i.e. creation of /run/nologin should stay an atomic operation. Thus we need to create temporary file and then rename it to /run/nologin. However just before we call rename we can query selinux policy and figure out proper label, set it and rename it after that.
Comment 7 Miroslav Grepl 2015-09-21 08:00:09 EDT
(In reply to Michal Sekletar from comment #6)
> (In reply to Miroslav Grepl from comment #5)
> > The problem is it creates random names 
> > 
> > .#nologin5aGJgw 
> > 
> > and we are now able to cover them using SELinux policy rules.
> 
> I will assume this should read "... not able to ..."
> 
> I think we should preserve current semantics, i.e. creation of /run/nologin
> should stay an atomic operation. Thus we need to create temporary file and
> then rename it to /run/nologin. However just before we call rename we can
> query selinux policy and figure out proper label, set it and rename it after
> that.

AFAIK we already do it in systemd for another case.
Comment 11 Frantisek Sumsal 2015-09-29 05:15:52 EDT
Updated 'Fixed in' due to https://github.com/lnykryn/systemd-rhel/commit/4dd0d6644c71149a0a1af89944b95325ac4d2f18
Comment 13 errata-xmlrpc 2015-11-19 10:09:28 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2092.html

Note You need to log in before you can comment on or make changes to this bug.