Bug 1264073 - SELinux is preventing /usr/sbin/sshd from read access on the file nologin.
Summary: SELinux is preventing /usr/sbin/sshd from read access on the file nologin.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.1
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: systemd-maint
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-17 12:47 UTC by Paul Stauffer
Modified: 2015-12-01 12:49 UTC

Fixed In Version: systemd-219-16.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 15:09:28 UTC
Target Upstream Version:
Embargoed:

Links: Red Hat Product Errata RHBA-2015:2092 (normal, SHIPPED_LIVE): systemd bug fix and enhancement update, last updated 2015-11-19 12:13:57 UTC

Description Paul Stauffer 2015-09-17 12:47:30 UTC
While a shutdown process is running, ssh logins generate the following selinux denial:

setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file nologin. For complete SELinux messages. run sealert -l a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63

(Oddly, I do not see the associated AVC denial message in /var/log/audit/audit.log*.)

# sealert -l a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63
SELinux is preventing /usr/sbin/sshd from read access on the file nologin.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sshd should be allowed read access on the nologin file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                nologin [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          [hostname]
Source RPM Packages           openssh-server-6.6.1p1-12.el7_1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     [hostname]
Platform                      Linux [hostname] 3.10.0-229.7.2.el7.x86_64 #1 SMP
                              Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-16 10:55:05 EDT
Last Seen                     2015-09-16 10:55:05 EDT
Local ID                      a5bd7e5c-5e3b-4b9a-9a1a-03119de80d63

Raw Audit Messages
type=AVC msg=audit(1442415305.449:880158): avc:  denied  { read } for  pid=14239 comm="sshd" name="nologin" dev="tmpfs" ino=34822437 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1442415305.449:880158): arch=x86_64 syscall=open success=no exit=EACCES a0=7f659c791e3a a1=0 a2=0 a3=0 items=0 ppid=1825 pid=14239 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,init_var_run_t,file,read

Comment 2 Milos Malik 2015-09-17 12:58:02 UTC
It seems that the /var/run/nologin file is mislabeled on your machine:

# matchpathcon /var/run/nologin
/var/run/nologin	system_u:object_r:systemd_logind_var_run_t:s0
#

The following command should fix it:

# restorecon -v /var/run/nologin

If it happens again, then we will need to find out what process creates that file.

Comment 3 Paul Stauffer 2015-09-17 13:11:58 UTC
That file is created dynamically by the shutdown process.  It does not otherwise exist.  Per the shutdown(8) man page:

       If the time argument is used, 5 minutes before the system goes down the
       /run/nologin file is created to ensure that further logins shall not be
       allowed.

# ls -lZ /var/run/nologin
ls: cannot access /var/run/nologin: No such file or directory
# ls -lZ /run/nologin
ls: cannot access /run/nologin: No such file or directory

Sounds like you're saying this is a mislabeling bug, not a policy bug?  If so, this bug should perhaps be reassigned to the systemd component, since that's the package that owns /usr/sbin/shutdown.

Comment 4 Milos Malik 2015-09-17 13:36:26 UTC
Based on the following AVCs generated by a special policy module, the /usr/lib/systemd/systemd-user-sessions process creates a temporary file and then renames it to /run/nologin:
----
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=1 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/17/2015 15:27:43.062:123) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/17/2015 15:27:43.062:123) :  cwd=/ 
type=SYSCALL msg=audit(09/17/2015 15:27:43.062:123) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7f0a7eeb4010 a1=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a2=0600 a3=0x55fabfcf items=2 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(09/17/2015 15:27:43.062:123) : avc:  granted  { create } for  pid=2417 comm=systemd-user-se name=.#nologin5aGJgw scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file 
----
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=3 name=/run/nologin inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=2 name=/run/.#nologin5aGJgw inode=58085 dev=00:12 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 objtype=DELETE 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=1 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(09/17/2015 15:27:43.071:125) : item=0 name=/run/ inode=6649 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/17/2015 15:27:43.071:125) :  cwd=/ 
type=SYSCALL msg=audit(09/17/2015 15:27:43.071:125) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f0a7eeb4010 a1=0x7f0a7d407f84 a2=0x7f0a7eeb4110 a3=0x22 items=4 ppid=1 pid=2417 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(09/17/2015 15:27:43.071:125) : avc:  granted  { rename } for  pid=2417 comm=systemd-user-se name=.#nologin5aGJgw dev="tmpfs" ino=58085 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file 
----

Because filename transition rules are not applied during a rename operation, the label on the /run/nologin file stays init_var_run_t.
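The denial in the description and the "granted" records above are the two things a responder has in hand, and the sealert catchall plugin cannot tell whether such a denial means the file is mislabeled (fix with restorecon, as comment 2 says) or the policy genuinely lacks a rule (report it). The following Python is an added example, not code from this bug or from systemd or setroubleshoot: it parses AVC records in both the raw audit.log form and the ausearch -i form, and classifies a denied file access by comparing the target's type with what the file-context rules say the path should carry. The sample lines are copied from this report, the expected-type table is built from the matchpathcon output in comment 2, and matching the AVC's basename to a full path is a simplification assumed here.

```python
import re

# Constructed samples. The first is the denial from this bug's description
# (raw audit.log form, values quoted); the second is one of the "granted"
# records from comment 4 (ausearch -i form, values unquoted).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1442415305.449:880158): avc:  denied  { read } for  '
    'pid=14239 comm="sshd" name="nologin" dev="tmpfs" ino=34822437 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(09/17/2015 15:27:43.062:123) : avc:  granted  { create } for  '
    'pid=2417 comm=systemd-user-se name=.#nologin5aGJgw '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=file',
]

# What the policy's file-context rules say each path should carry, taken from
# the matchpathcon output in comment 2 (on a live host: matchpathcon PATH).
EXPECTED_TYPE = {
    "/run/nologin": "systemd_logind_var_run_t",
}

_AUDIT_ID_RE = re.compile(r"msg=audit\(([^)]*)\)")
_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one AVC record into a dict; returns None for non-AVC lines."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    ident = _AUDIT_ID_RE.search(line)
    rec["audit_id"] = ident.group(1) if ident else None
    for key, value in _KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def context_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def classify(rec, expected=EXPECTED_TYPE):
    """Decide whether a denied file access is a labeling problem or a policy gap."""
    if rec is None or rec["verdict"] != "denied" or rec.get("tclass") != "file":
        return None
    actual = context_type(rec["tcontext"])
    # An AVC carries only the basename, so match it against the known full paths.
    matches = [p for p in expected if p.rsplit("/", 1)[-1] == rec.get("name")]
    if not matches:
        return {"finding": "unknown", "name": rec.get("name"), "actual": actual,
                "action": "run matchpathcon on the full path and compare"}
    path = matches[0]
    want = expected[path]
    if want != actual:
        return {"finding": "mislabel", "path": path, "actual": actual, "expected": want,
                "action": f"restorecon -v {path}"}
    return {"finding": "policy", "path": path, "actual": actual, "expected": want,
            "action": "label is correct; report the denial as a policy bug"}


def scan(lines, expected=EXPECTED_TYPE):
    """Classify every denied file AVC in LINES; granted and non-AVC lines are skipped."""
    findings = []
    for line in lines:
        verdict = classify(parse_avc(line), expected)
        if verdict is not None:
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_AVCS):
        print(finding)
```

Run against the two sample lines, scan() reports the sshd denial as a mislabel with the restorecon fix and ignores the granted create; if the same denial were logged against a correctly labeled systemd_logind_var_run_t target it would be classified as a policy gap instead, which is the case where audit2allow is the wrong reflex and a bug report is the right one.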

Comment 5 Miroslav Grepl 2015-09-21 06:14:29 UTC
The problem is it creates random names 

.#nologin5aGJgw 

and we are now able to cover them using SELinux policy rules.

Comment 6 Michal Sekletar 2015-09-21 11:27:09 UTC
(In reply to Miroslav Grepl from comment #5)
> The problem is it creates random names 
> 
> .#nologin5aGJgw 
> 
> and we are now able to cover them using SELinux policy rules.

I will assume this should read "... not able to ..."

I think we should preserve the current semantics, i.e. creation of /run/nologin should stay an atomic operation. Thus we need to create a temporary file and then rename it to /run/nologin. However, just before we call rename we can query the SELinux policy and figure out the proper label, set it, and rename it after that.

Comment 7 Miroslav Grepl 2015-09-21 12:00:09 UTC
(In reply to Michal Sekletar from comment #6)
> (In reply to Miroslav Grepl from comment #5)
> > The problem is it creates random names 
> > 
> > .#nologin5aGJgw 
> > 
> > and we are now able to cover them using SELinux policy rules.
> 
> I will assume this should read "... not able to ..."
> 
> I think we should preserve current semantics, i.e. creation of /run/nologin
> should stay an atomic operation. Thus we need to create temporary file and
> then rename it to /run/nologin. However just before we call rename we can
> query selinux policy and figure out proper label, set it and rename it after
> that.

AFAIK we already do it in systemd for another case.
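To make the create-temp, relabel, rename sequence proposed in comments 6 and 7 concrete, here is an added Python example; it is not systemd's code and does not claim to mirror how systemd implements it. The label lookup and setter are parameters: on a real host they would be libselinux's matchpathcon(3) and lsetfilecon(3), which the selinux_lookup/selinux_set wrappers below assume are exposed by the python3-libselinux `selinux` module, while demo() substitutes a constructed recording stand-in so the example runs on any host. The point it shows is the ordering from comment 6: the label for the final name is applied to the temporary file before rename(2), because rename carries the inode's existing label along and the ".#name" temp file never matched the file-context rule for /run/nologin.

```python
import os
import stat
import tempfile


def selinux_lookup(path, mode=stat.S_IFREG):
    """Label PATH would get under the loaded policy (libselinux matchpathcon).
    Assumes the python3-libselinux "selinux" module; only used on a real host."""
    import selinux
    rc, context = selinux.matchpathcon(path, mode)
    if rc != 0:
        raise OSError(f"no file-context rule matches {path}")
    return context


def selinux_set(path, context):
    """Relabel PATH in place (libselinux lsetfilecon); same module assumption."""
    import selinux
    selinux.lsetfilecon(path, context)


def atomic_write_labeled(final_path, data, lookup_label=selinux_lookup,
                         set_label=selinux_set, mode=0o644):
    """Write DATA to FINAL_PATH via temp-file-plus-rename without a mislabel.

    The temp name ".#<name>XXXX" does not match the file-context rule written
    for the final name, and rename(2) keeps the inode's existing label, so the
    label the final name deserves is applied *before* the rename.
    """
    directory = os.path.dirname(final_path) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=f".#{os.path.basename(final_path)}", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp_path, mode)
        set_label(tmp_path, lookup_label(final_path))  # ask for the final name's label
        os.rename(tmp_path, final_path)               # atomic replace; label travels with the inode
    except BaseException:
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise
    return final_path


class RecordingPolicy:
    """Constructed stand-in for libselinux: a fixed context table plus an event log."""

    def __init__(self, table):
        self.table = table
        self.events = []

    def lookup(self, path, mode=stat.S_IFREG):
        self.events.append(("lookup", path))
        return self.table[path]

    def set(self, path, context):
        self.events.append(("set", os.path.basename(path), context))


def demo():
    """Exercise the pattern in a scratch directory and report what was observed."""
    policy = RecordingPolicy({"/run/nologin": "system_u:object_r:systemd_logind_var_run_t:s0"})
    with tempfile.TemporaryDirectory() as scratch:
        final = os.path.join(scratch, "nologin")

        def lookup(path, mode=stat.S_IFREG):
            # The scratch file stands in for /run/nologin in the policy table.
            return policy.lookup("/run/nologin", mode)

        atomic_write_labeled(final, b"System is going down.\n", lookup, policy.set)
        with open(final, "rb") as fh:
            content = fh.read()
        file_mode = stat.S_IMODE(os.stat(final).st_mode)
        leftovers = [n for n in os.listdir(scratch) if n.startswith(".#")]
    return {"content": content, "mode": file_mode, "events": policy.events, "leftovers": leftovers}


if __name__ == "__main__":
    print(demo())
```

The recorded event log shows the order that matters: one lookup for the final path, then one relabel applied to the ".#nologin..." temporary name, and only then the rename, after which no temp file remains. Verifying the result on a live host is the same check as in comments 2 and 3: ls -lZ /run/nologin should agree with matchpathcon /run/nologin.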

Comment 11 Frantisek Sumsal 2015-09-29 09:15:52 UTC
Updated 'Fixed in' due to https://github.com/lnykryn/systemd-rhel/commit/4dd0d6644c71149a0a1af89944b95325ac4d2f18

Comment 13 errata-xmlrpc 2015-11-19 15:09:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2092.html

