Bug 1299106 - SELinux is preventing systemd from 'getattr' accesses on the file /etc/ssh/ssh_host_rsa_key.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:5310c716937875b9e9aeb45b15b...
Blocks: 1306197
Reported: 2016-01-15 19:04 EST by Vít Ondruch
Modified: 2016-03-23 12:56 EDT
Fixed In Version: selinux-policy-3.13.1-170.fc24 selinux-policy-3.13.1-179.fc24
Doc Type: Bug Fix
Clones: 1306197
Last Closed: 2016-03-23 12:56:59 EDT
Attachments: None

Description Vít Ondruch 2016-01-15 19:04:33 EST
Description of problem:
SELinux is preventing systemd from 'getattr' accesses on the file /etc/ssh/ssh_host_rsa_key.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed getattr access on the ssh_host_rsa_key file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:sshd_key_t:s0
Target Objects                /etc/ssh/ssh_host_rsa_key [ file ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-166.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.4.0-1.fc24.x86_64 #1 SMP Mon Jan 11 16:48:24 UTC 2016 x86_64 x86_64
Alert Count                   9
First Seen                    2016-01-16 00:16:32 CET
Last Seen                     2016-01-16 01:02:02 CET
Local ID                      309aa1c1-7df2-484c-bc12-f0d5b2f09067

Raw Audit Messages
type=AVC msg=audit(1452902522.632:89): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/ssh/ssh_host_rsa_key" dev="dm-1" ino=1837544 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0


Hash: systemd,init_t,sshd_key_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-166.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.4.0-1.fc24.x86_64
type:           libreport
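The setroubleshoot catchall text above suggests `grep systemd /var/log/audit/audit.log | audit2allow -M mypol`. That grep matches every audit record mentioning systemd, so the resulting module can grant far more than the one denial in the Hash line (systemd,init_t,sshd_key_t,file,getattr). The following is an added example, not code from the bug report or from selinux-policy: it reimplements the AVC-parsing core of audit2allow over a constructed audit log (the first line is the AVC quoted in the report; the second is a made-up, unrelated init_t denial that the grep would also sweep in) and shows how to scope the generated module to exactly the reported tuple.

```python
"""Derive the minimal SELinux allow rule from raw AVC denials.

Added example; this is not code from the bug report or from selinux-policy.
It reimplements the AVC part of `audit2allow` so that the difference between
the catchall suggestion (every record matching `grep systemd`) and a module
scoped to the one reported tuple systemd,init_t,sshd_key_t,file,getattr is
visible on sample input.
"""
import re
from collections import defaultdict

# Constructed sample audit log. Line 1 is the AVC quoted in the bug report.
# Line 2 is a CONSTRUCTED, unrelated denial that `grep systemd` would also
# match; it must not be granted by a fix for this bug. Line 3 is a non-AVC
# record that the parser must skip.
AUDIT_LOG = """\
type=AVC msg=audit(1452902522.632:89): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/ssh/ssh_host_rsa_key" dev="dm-1" ino=1837544 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452902600.000:95): avc:  denied  { write } for  pid=1 comm="systemd" path="/etc/shadow" dev="dm-1" ino=1837600 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1452902522.632:89): arch=c000003e syscall=4 success=no exit=-13 comm="systemd" subj=system_u:system_r:init_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """user:role:type[:level] -> type (the third colon-separated field)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m.group("comm"),
        "stype": _type_of(m.group("scontext")),
        "ttype": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def denials(log, comm=None):
    """All AVC denials in `log`, optionally restricted to one process name."""
    out = []
    for line in log.splitlines():
        d = parse_avc(line)
        if d and (comm is None or d["comm"] == comm):
            out.append(d)
    return out


def matching_hash(ds, hash_line):
    """Keep only denials that match a setroubleshoot 'Hash:' tuple
    (comm,source type,target type,class,permission)."""
    comm, stype, ttype, tclass, perm = hash_line.split(",")
    return [
        d for d in ds
        if (d["comm"], d["stype"], d["ttype"], d["tclass"]) == (comm, stype, ttype, tclass)
        and perm in d["perms"]
    ]


def allow_rules(ds):
    """Collapse denials into allow rules keyed by (source, target, class)."""
    merged = defaultdict(set)
    for d in ds:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def te_module(name, ds):
    """Emit .te source with an explicit require block, as audit2allow -M does.
    Build with: checkmodule -M -m -o NAME.mod NAME.te &&
    semodule_package -o NAME.pp -m NAME.mod && semodule -i NAME.pp"""
    types = sorted({d["stype"] for d in ds} | {d["ttype"] for d in ds})
    classes = defaultdict(set)
    for d in ds:
        classes[d["tclass"]] |= d["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(ds)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    everything = denials(AUDIT_LOG, comm="systemd")
    print("# what `grep systemd | audit2allow` would generate:")
    print(te_module("mypol", everything))
    scoped = matching_hash(everything, "systemd,init_t,sshd_key_t,file,getattr")
    print("# scoped to the reported Hash tuple only:")
    print(te_module("local_sshkey", scoped))
```

Run stand-alone it prints both modules; the catchall version also carries the constructed `allow init_t shadow_t:file { write };`, which is exactly the kind of rule nobody wants to ship blind. A local module built this way is a stopgap. Once the distribution policy from this bug is installed, `sesearch -A -s init_t -t sshd_key_t -c file -p getattr` should show the rule coming from the policy itself, at which point the local module can be removed with `semodule -r local_sshkey`.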
Comment 1 Lukas Vrabec 2016-02-09 12:00:15 EST
I had a discussion with ssh maintainer Jakub Jelen, and we concluded that getattr is enough. Here is the patch which caused the issue.

http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba

I'm going to allow this.
Comment 2 Lukas Vrabec 2016-02-10 04:57:01 EST
commit 1b1d96b26018468f9f930ddd5a7707eab05ebcfc
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Feb 10 10:27:41 2016 +0100

    Allow running sshd-keygen on second boot if first boot fails for some reason and content is not synced on the disk. These changes reflect this commit in sshd.
    http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba
    rhbz#1299106

commit 9ce8c9e84a78ca7dc5a02019a3d58113c10aad62
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Feb 10 10:17:40 2016 +0100

    Add ssh_getattr_server_keys() interface. rhbz#1299106
Comment 3 Jakub Filak 2016-02-12 01:47:01 EST
Description of problem:
Upgraded, rebooted, autorelabeled my Rawhide box.

Version-Release number of selected component:
selinux-policy-3.13.1-169.fc24.noarch

Additional info:
reporter:       libreport-2.6.4.2.g18a1
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc3.git1.2.fc24.x86_64
type:           libreport
Comment 4 Jan Kurik 2016-02-24 10:48:19 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 5 Fedora Update System 2016-03-11 04:56:28 EST
selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
Comment 6 Fedora Update System 2016-03-11 14:26:07 EST
selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
Comment 7 Fedora Update System 2016-03-16 09:42:42 EDT
selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 8 Fedora Update System 2016-03-18 10:58:59 EDT
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 9 Fedora Update System 2016-03-23 12:55:04 EDT
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
