Bug 1264073
| Summary: | SELinux is preventing /usr/sbin/sshd from read access on the file nologin. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Paul Stauffer <paulds> |
| Component: | systemd | Assignee: | systemd-maint |
| Status: | CLOSED ERRATA | QA Contact: | Frantisek Sumsal <fsumsal> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.1 | CC: | fsumsal, jscotka, lmiksik, lnykryn, lvrabec, mgrepl, mmalik, msekleta, plautrba, pvrabec, ssekidde, systemd-maint-list |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | systemd-219-16.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-19 15:09:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
It seems that the /var/run/nologin file is mislabeled on your machine: # matchpathcon /var/run/nologin /var/run/nologin system_u:object_r:systemd_logind_var_run_t:s0 # Following command should fix it: # restorecon -v /var/run/nologin If it happens again then we will need to find out, what process creates that file. That file is created dynamically by the shutdown process. It does not otherwise exist. Per the shutdown(8) man page:
If the time argument is used, 5 minutes before the system goes down the
/run/nologin file is created to ensure that further logins shall not be
allowed.
# ls -lZ /var/run/nologin
ls: cannot access /var/run/nologin: No such file or directory
# ls -lZ /run/nologin
ls: cannot access /run/nologin: No such file or directory
Sounds like you're saying this is a mislabeling bug, not a policy bug? If so, this bug should perhaps be reassigned to the systemd component, since that's the package that owns /usr/sbin/shutdown.
Based on following AVCs generated by a special policy module, /usr/lib/systemd/systemd-user-sessions process creates a temporary file and then renames it to /run/nologin:
----
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=1 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(09/17/2015 15:27:43.062:123) : cwd=/
type=SYSCALL msg=audit(09/17/2015 15:27:43.062:123) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7f0a7eeb4010 a1=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a2=0600 a3=0x55fabfcf items=2 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(09/17/2015 15:27:43.062:123) : avc: granted { create } for pid=2417 comm=systemd-user-se name=.#nologin5aGJgw scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
----
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=3 name=/run/nologin inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=2 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=DELETE
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=1 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(09/17/2015 15:27:43.071:125) : cwd=/
type=SYSCALL msg=audit(09/17/2015 15:27:43.071:125) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f0a7eeb4010 a1=0x7f0a7d407f84 a2=0x7f0a7eeb4110 a3=0x22 items=4 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(09/17/2015 15:27:43.071:125) : avc: granted { rename } for pid=2417 comm=systemd-user-se name=.#nologin5aGJgw dev="tmpfs" ino=58085 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
----
Because filename transition rules are not applied during a rename operation, the label on /run/nologin file stays init_var_run_t.
The problem is it creates random names .#nologin5aGJgw and we are now able to cover them using SELinux policy rules. (In reply to Miroslav Grepl from comment #5) > The problem is it creates random names > > .#nologin5aGJgw > > and we are now able to cover them using SELinux policy rules. I will assume this should read "... not able to ..." I think we should preserve current semantics, i.e. creation of /run/nologin should stay an atomic operation. Thus we need to create temporary file and then rename it to /run/nologin. However just before we call rename we can query selinux policy and figure out proper label, set it and rename it after that. (In reply to Michal Sekletar from comment #6) > (In reply to Miroslav Grepl from comment #5) > > The problem is it creates random names > > > > .#nologin5aGJgw > > > > and we are now able to cover them using SELinux policy rules. > > I will assume this should read "... not able to ..." > > I think we should preserve current semantics, i.e. creation of /run/nologin > should stay an atomic operation. Thus we need to create temporary file and > then rename it to /run/nologin. However just before we call rename we can > query selinux policy and figure out proper label, set it and rename it after > that. AFAIK we already do it in systemd for another case. Updated 'Fixed in' due to https://github.com/lnykryn/systemd-rhel/commit/4dd0d6644c71149a0a1af89944b95325ac4d2f18 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2092.html |
While a shutdown process is running, ssh logins generate the following selinux denial: setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file nologin. For complete SELinux messages. run sealert -l a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63 (Oddly, I do not see the associated AVC denial message in /var/log/audit/audit.log*.) # sealert -l a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63 SELinux is preventing /usr/sbin/sshd from read access on the file nologin. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sshd should be allowed read access on the nologin file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sshd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023 Target Context system_u:object_r:init_var_run_t:s0 Target Objects nologin [ file ] Source sshd Source Path /usr/sbin/sshd Port <Unknown> Host [hostname] Source RPM Packages openssh-server-6.6.1p1-12.el7_1.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-23.el7_1.18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name [hostname] Platform Linux [hostname] 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-09-16 10:55:05 EDT Last Seen 2015-09-16 10:55:05 EDT Local ID a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63 Raw Audit Messages type=AVC msg=audit(1442415305.449:880158): avc: denied { read } for pid=14239 comm="sshd" name="nologin" dev="tmpfs" ino=34822437 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file type=SYSCALL msg=audit(1442415305.449:880158): arch=x86_64 syscall=open success=no exit=EACCES a0=7f659c791e3a a1=0 a2=0 a3=0 items=0 ppid=1825 pid=14239 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) Hash: sshd,sshd_t,init_var_run_t,file,read