1334800 – Wrong SELinux label on /etc/group after installation of latest nightly compose

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1334800 - Wrong SELinux label on /etc/group after installation of latest nightly compose

Summary: Wrong SELinux label on /etc/group after installation of latest nightly compose

Keywords:
Status:	CLOSED DUPLICATE of bug 1333952
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	anaconda
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Anaconda Maintenance Team
QA Contact:	Release Test Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-05-10 14:34 UTC by Luiz Capitulino
Modified:	2016-05-13 22:39 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-05-13 22:39:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1333952	0	urgent	CLOSED	Wrong SELinux label on /etc/group after installation	2021-02-22 00:41:40 UTC

Internal Links: 1333952

Description Luiz Capitulino 2016-05-10 14:34:46 UTC

Description of problem:

Did a minimal RHEL7.3 nightly build compose installation on a virtual machine. Then tried to connect via ssh:

~/ ssh root.122.166
Connection reset by 192.168.122.166 port 22
~/ 

On debugging, I found this on /var/log/messages:

May 10 09:09:37 localhost sshd[10404]: error: bad permissions: ignore key: /etc/ssh/ssh_host_ecdsa_key
May 10 09:09:37 localhost sshd[10404]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
May 10 09:09:37 localhost sshd[10404]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
May 10 09:09:37 localhost sshd[10404]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
May 10 09:09:37 localhost sshd[10404]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
May 10 09:09:37 localhost sshd[10404]: error: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
May 10 09:09:37 localhost sshd[10404]: error: It is required that your private key files are NOT accessible by others.
May 10 09:09:37 localhost sshd[10404]: error: This private key will be ignored.
May 10 09:09:37 localhost sshd[10404]: error: bad permissions: ignore key: /etc/ssh/ssh_host_ed25519_key
May 10 09:09:37 localhost sshd[10404]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

Here's the original permissions:

total 292
drwxr-xr-x.  2 root root   4096 May 10 09:08 .
drwxr-xr-x. 77 root root   8192 May 10 09:08 ..
-rw-r--r--.  1 root root 242153 Apr  1 10:03 moduli
-rw-r--r--.  1 root root   2208 Apr  1 10:03 ssh_config
-rw-------.  1 root root   4361 Apr  1 10:03 sshd_config
-rw-r-----.  1 root root    227 May 10 09:08 ssh_host_ecdsa_key
-rw-r--r--.  1 root root    162 May 10 09:08 ssh_host_ecdsa_key.pub
-rw-r-----.  1 root root    387 May 10 09:08 ssh_host_ed25519_key
-rw-r--r--.  1 root root     82 May 10 09:08 ssh_host_ed25519_key.pub
-rw-r-----.  1 root root   1675 May 10 09:08 ssh_host_rsa_key
-rw-r--r--.  1 root root    382 May 10 09:08 ssh_host_rsa_key.pub

I compared this to other already installed systems, and the private keys have a "ssh_keys" group. I've tried doing this change but still got the same error. I was only able to fix it by dropping the read permission from the private keys.


Version-Release number of selected component (if applicable):

openssh-server-6.6.1p1-26.el7.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64
openssh-6.6.1p1-26.el7.x86_64
openssh-clients-6.6.1p1-26.el7.x86_64



How reproducible:


Steps to Reproduce:
1. Do a fresh RHEL7.3 nightly compose minimal installation
2. Try to login via ssh

Actual results:

I get a socket read error.


Expected results:

I get a login prompt


Additional info:

The same error happens if I do "ssh localhost" in the VM.

Comment 1 Jakub Jelen 2016-05-10 14:47:29 UTC

It looks like your compose is somehow broken. The permissions are alright, but the private keys should be owned by the group  ssh_keys, which is probably not there during the key creation. Can you verify that?

    # grep ssh_keys /etc/group
    ssh_keys:x:999:

If the group is there, then the sshd-keygen failed to set the keys in correct way, you should see some logs from the first boot, but what else can go wrong in?

   chgrp ssh_keys /path/to/private_key

If the group is missing, it check why it is not here. It is created in spec file %pre section using

   getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :


I didn't notice this behavior with composes for example in Beaker.

Comment 2 Petr Lautrbach 2016-05-10 14:58:04 UTC

It could be a bug caused by rebased SELinux userspace which should be fixed in lorax - https://bugzilla.redhat.com/show_bug.cgi?id=1332147

I'm not sure when the latest lorax will be in the compose but please try the latest compose and in the mean time to relabel your filesystem:

# fixfiles onboot && reboot

Comment 4 Luiz Capitulino 2016-05-10 15:42:03 UTC

- The group is there:

[root@localhost ~]# grep ssh_keys /etc/group
ssh_keys:x:999:
[root@localhost ~]# 

- Contrary to what I said in the description, changing the private keys' group by hand to ssh_keys does fix it too

- Running "fixfiles onboot && reboot" didn't fix it

I've opened this BZ because I thought I was seeing a new important issue. If you guys are certain this is rather a nightly compose problem that will be fixed in later composes, then I'd be okay with closing this as NOTABUG.

Comment 6 Jakub Jelen 2016-05-10 16:38:06 UTC

I would double check why it does not change the group during key generation. Few things to check:

 * Remove the host keys:  rm -f /etc/ssh_host_*
 * Restart the sshd service
 * Check if the keys have correct group
 * Check if there are some AVCs ?

Check once more the same with SELinux in permissive. It might really be related to some SELinux change. Any AVCs? Does it work?

If you can not reproduce it with above (after the boot sequence), you might try to boot with debug kernel argument and see what is systemd doing with these services at first boot. Or with selinux=0. Still a lot of possibilities, but probably not openssh fault.

Comment 7 Luiz Capitulino 2016-05-11 15:59:01 UTC

Yes, I think it's selinux. I did the following:

# rm -f /etc/ssh/ssh_host_*
# systemctl restart sshd

Same problem (all file's group is "root"). Then checked /var/log/messages:

May 11 09:41:37 localhost systemd: Stopping OpenSSH server daemon...
May 11 09:41:37 localhost systemd: Stopping OpenSSH Server Key Generation...
May 11 09:41:37 localhost systemd: Starting OpenSSH Server Key Generation...
May 11 09:41:37 localhost sshd-keygen: Generating SSH2 RSA host key: chgrp: invalid group: ‘ssh_keys’
May 11 09:41:37 localhost kernel: type=1400 audit(1462977697.297:35): avc:  denied  { read } for  pid=10402 comm="chgrp" name="group" dev="dm-0" ino=9036568 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
May 11 09:41:37 localhost sshd-keygen: [  OK  ]
May 11 09:41:37 localhost sshd-keygen: Generating SSH2 ECDSA host key: chgrp: invalid group: ‘ssh_keys’
May 11 09:41:37 localhost kernel: type=1400 audit(1462977697.350:36): avc:  denied  { read } for  pid=10408 comm="chgrp" name="group" dev="dm-0" ino=9036568 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
May 11 09:41:37 localhost sshd-keygen: [  OK  ]
May 11 09:41:37 localhost sshd-keygen: Generating SSH2 ED25519 host key: chgrp: invalid group: ‘ssh_keys’
May 11 09:41:37 localhost kernel: type=1400 audit(1462977697.362:37): avc:  denied  { read } for  pid=10416 comm="chgrp" name="group" dev="dm-0" ino=9036568 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Then I did:

# echo 0 > /sys/fs/selinux/enforce
# rm -f /etc/ssh/ssh_host_*
# systemctl restart sshd

Works.

Comment 8 Jakub Jelen 2016-05-11 16:28:46 UTC

Yes. You are right. Thank you for checking.

Please, add a note what selinux-policy version you have compose and we can move the problem to this component.

I added Lukas into CC to have a look, if it is a regression in policy or problem related to the userspace rebase.

Comment 9 Luiz Capitulino 2016-05-11 18:08:33 UTC

It is selinux-policy-3.13.1-71.el7.

Comment 10 Petr Lautrbach 2016-05-11 19:08:06 UTC

Can you see any AVC denied message in /var/log/audit/audit.log when you do it? Could you please attach them?

You can use the following command to check if any AVC denied messaged occurred in last 10 minutes:

# ausearch -m avc -m user_avc -ts recent

Comment 11 Luiz Capitulino 2016-05-11 19:30:56 UTC

Petr,

/var/log/audit/audit.log is empty and ausearch returns <no matches>. The avc failures are written to /var/log/messages.

I suspected the reason could be that auditd is not running. And I was right:

● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2016-05-11 14:16:36 CDT; 5min ago
  Process: 602 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 601 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 601 (code=exited, status=6)

May 11 14:16:36 localhost.localdomain augenrules[602]: enabled 0
May 11 14:16:36 localhost.localdomain augenrules[602]: flag 1
May 11 14:16:36 localhost.localdomain augenrules[602]: pid 0
May 11 14:16:36 localhost.localdomain augenrules[602]: rate_limit 0
May 11 14:16:36 localhost.localdomain augenrules[602]: backlog_limit 320
May 11 14:16:36 localhost.localdomain augenrules[602]: lost 13
May 11 14:16:36 localhost.localdomain augenrules[602]: backlog 0
May 11 14:16:36 localhost.localdomain systemd[1]: Failed to start Security Auditing Service.
May 11 14:16:36 localhost.localdomain systemd[1]: Unit auditd.service entered failed state.
May 11 14:16:36 localhost.localdomain systemd[1]: auditd.service failed.

Don't you want to give this a try? It's very simple to reproduce. All you have to do is to install latest RHEL7.3 on a VM and check the file permissions in /etc/ssh. I'm installing the VM with:

# virt-install -n RHEL7-ssh-test \
               --os-variant=rhel7 --vcpus=2 \
               --disk path=/var/lib/libvirt/images/rhel72.img,bus=virtio,size=10 \
               --graphics type=spice,listen=0.0.0.0 \
               --memory 2048 \
              -l <address of nightly compose>

Comment 13 Jakub Jelen 2016-05-12 09:22:04 UTC

I missed few details in the AVC. Can you check the selinux context of the group file and the keys?

    ls -Z /etc/group /etc/passwd /etc/shadow
    ls -Z /etc/ssh/ssh_host_*

From the discussion with Lukas it looks really like mislabeled /etc/group file (should have  passwd_file_t  type) and then  chgrp is failing to set correct group for the keys.

Comment 14 Luiz Capitulino 2016-05-12 14:28:06 UTC

# cd /etc
# ls -Z group passwd shadow

-rw-r--r--. root root system_u:object_r:shadow_t:s0    group
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 passwd
----------. root root system_u:object_r:shadow_t:s0    shadow

# cd /etc/ssh
# ls -la -Z

drwxr-xr-x. root root system_u:object_r:etc_t:s0       .
drwxr-xr-x. root root system_u:object_r:etc_t:s0       ..
-rw-r--r--. root root system_u:object_r:etc_t:s0       moduli
-rw-r--r--. root root system_u:object_r:etc_t:s0       ssh_config
-rw-------. root root system_u:object_r:etc_t:s0       sshd_config
-rw-r-----. root root system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key.pub
-rw-r-----. root root system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key.pub
-rw-r-----. root root system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key.pub

Comment 15 Lukas Vrabec 2016-05-12 15:08:02 UTC

Hi Luiz, 

File /etc/group is mislabeled. So if you run: 
# restorecon -R -v /etc 

what is output of this command?

Comment 16 Luiz Capitulino 2016-05-12 15:40:42 UTC

restorecon reset /etc/group context system_u:object_r:shadow_t:s0->system_u:object_r:passwd_file_t:s0
restorecon reset /etc/grub.d/00_tuned context system_u:object_r:usr_t:s0->system_u:object_r:etc_t:s0

Comment 17 Jakub Jelen 2016-05-12 16:43:51 UTC

Thank you. So there are two problems:

1) We have wrong label on /etc/group after installation for some reason
   (other services will probably have the same problem)
2) Fixfiles didn't fix that

Policy seems to be ok since it was fixed by the restorecon (Lukas pointed that it might not be true).

We can not reproduce it with the same compose in beaker, nor with existing updated installations. I just installed your compose in virt-manager and I see the same results as you do. There must be some difference between manual install and beaker kickstart.

But it is probably beyond my knowledge to go further in this investigation. Petr, what do you think about this?

Comment 18 Jakub Jelen 2016-05-13 13:17:04 UTC

I tried the

    fixfiles onboot && reboot

and it fixed the group on my install.

So we are left with the problem of installer (or something) setting wrong initial context of this file. We should probably get Anaconda maintainers in the loop.

Moving to anaconda component and renaming to express the actual problem. Luiz, please adjust it if I missed something.

Comment 19 Luiz Capitulino 2016-05-13 13:20:49 UTC

Your description is very accurate. You guys did a great job debugging this issue.

Comment 20 Brian Lane 2016-05-13 22:39:54 UTC


*** This bug has been marked as a duplicate of bug 1333952 ***

Note You need to log in before you can comment on or make changes to this bug.