Bug 1337856 - Upgrade to latest Fedora Atomic 23.122 breaks the sshd authentication via SSSD
Summary: Upgrade to latest Fedora Atomic 23.122 breaks the sshd authentication via SSSD
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 25
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1403270 1415113 1595542
TreeView+ depends on / blocked
 
Reported: 2016-05-20 09:17 UTC by Jan Pazdziora
Modified: 2018-06-27 06:07 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1403270 (view as bug list)
Environment:
Last Closed: 2017-12-12 10:43:41 UTC
Type: Bug


Attachments (Terms of Use)

Description Jan Pazdziora 2016-05-20 09:17:17 UTC
Description of problem:

When SSSD container is used for authentication for example via sshd per http://www.projectatomic.io/blog/2015/12/fedora-atomic-sssd-container/, upgrade to Fedora Atomic 23.122 breaks the functionality.

Version-Release number of selected component (if applicable):

docker-selinux-1.9.1-9.gitee06d03.fc23.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have IPA server around, create host record for the Fedora Atomic host with OTP set.
2. Have user bob created in the IPA server.
3. On the Fedora Atomic host, run atomic install fedora/sssd --server ipa.example.test --domain example.test --password teslo
4. Run systemctl start sssd
5. Edit /etc/ssh/sshd_config and set PasswordAuthentication to yes.
6. Run systemctl restart sshd
7. Attempt to run ssh bob@atomic.example.test.

Actual results:

It fails.

Journal will say

host.example.test audit[1066]: AVC avc:  denied  { connectto } for  pid=1066 comm="sshd" path="/var/lib/sss/pipes/priv
ate/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket permissive=0

Expected results:

No error, authentication passes.

Additional info:

With docker-selinux-1.9.1-9.gitee06d03.fc23.x86_64 which is on the 23.122 ostree, sesearch --allow -s sshd_t -t spc_t -p connectto does not find anything.

It's a regression against for example ostree 23.53 with

-bash-4.3# rpm -q docker-selinux
docker-selinux-1.9.1-4.git6ec29ef.fc23.x86_64
-bash-4.3# sesearch --allow -s sshd_t -t spc_t -p connectto
Found 1 semantic av rules:
   allow domain spc_t : unix_stream_socket connectto ;

Comment 1 Jan Pazdziora 2016-05-20 09:18:59 UTC
On non-Atomic Fedora with docker-selinux-1.10.3-16.gita41254f.fc23.x86_64, the allow rule is back as well:

[root@machine ~]# rpm -q docker-selinux
docker-selinux-1.10.3-16.gita41254f.fc23.x86_64
[root@machine ~]# sesearch --allow -s sshd_t -t spc_t -p connectto
Found 1 semantic av rules:
   allow domain spc_t : unix_stream_socket connectto ; 

But we need the 1.9 policy fixed as well, unless Fedora Atomic is moving to 1.10 soon.

Comment 2 Daniel Walsh 2016-06-03 13:08:38 UTC
I think we are moving to docker-1.10,

Comment 3 Fedora Admin XMLRPC Client 2016-06-08 14:09:43 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Fedora End Of Life 2016-11-25 09:06:00 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Tibor Dudlák 2016-12-08 12:41:17 UTC
Bug is still present on:

fedora-atomic:fedora-atomic/25/x86_64/docker-host
       Version: 25.42 (2016-11-16 10:26:30)

with:

docker-1.12.2-5.git8f1975c.fc25.x86_64

container-selinux-1.12.2-5.git8f1975c.fc25.x86_64

selinux-policy-3.13.1-224.fc25.noarch

seeing:

type=AVC msg=audit(1481200305.628:261): avc:  denied  { connectto } for  pid=3936 comm="sshd" path="/var/lib/sss/pipes/private/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1481200305.629:262): avc:  denied  { connectto } for  pid=3936 comm="sshd" path="/var/lib/sss/pipes/private/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0

Comment 6 Daniel Walsh 2016-12-08 13:08:04 UTC
This looks like the container is running as container_runtime_t not spc_t.  Are you running sssd in a confined container?

Comment 7 Tibor Dudlák 2016-12-08 14:28:44 UTC
In our case atomic runs:

docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/install.sh

so I have run:

docker run --privileged --rm -ti fedora:25 bash

and I see process:

system_u:system_r:container_runtime_t:s0 root 4560 0.0  0.1 12556 3660 pts/1   Ss+  13:56   0:00 bash

when run without --privileged the type is:

system_u:system_r:container_t:s0:c844,c851 root 4922 0.2  0.1 12560 3656 pts/1 Ss+  14:26   0:00 bash

Did not spc_t get renamed to container_runtime_t lately?

Comment 8 Tibor Dudlák 2016-12-08 14:37:10 UTC
BTW we have same regression on RHEL 7.3.1

with:

rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.1 (2016-11-30 02:14:24)

docker-1.10.3-59.el7.x86_64 

container-selinux-1.10.3-59.el7.x86_64

selinux-policy-3.13.1-102.el7_3.7.noarch

seeing:

Dec 08 14:31:19 test1-rhel-7-3-1-atomic.example.test kernel: type=1400 audit(1481207479.847:5): avc:  denied  { connectto } for  pid=13179 comm="sshd" path="/var/lib/sss/pipes/private/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket
Dec 08 14:31:19 test1-rhel-7-3-1-atomic.example.test kernel: type=1400 audit(1481207479.867:6): avc:  denied  { connectto } for  pid=13179 comm="sshd" path="/var/lib/sss/pipes/private/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket

Would you like to track RHEL issue separately?

Comment 9 Tibor Dudlák 2016-12-09 14:54:46 UTC
Filed against RHEL: bug 1403270

Comment 10 Fedora End Of Life 2017-11-16 19:29:19 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 11 Jan Pazdziora 2017-11-29 15:35:46 UTC
Tibor, could you please check if the issue is still present on Fedora 26?

Comment 12 Fedora End Of Life 2017-12-12 10:43:41 UTC
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 13 Tibor Dudlák 2018-01-04 11:18:23 UTC
When i have run:

    atomic install fedora/sssd --server ipa.example.test --domain example.test --password 'someOTPpass'

then started service:

    systemctl start sssd

in file /etc/ssh/sshd_config is PasswordAuthentication set to yes and then run:

    systemctl restart sshd

Attempt to run ssh bob@atomic.example.test fails:

# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-01-04 10:58:52 CET; 1h 1min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 5386 (sshd)
    Tasks: 1 (limit: 4915)
   Memory: 2.4M
      CPU: 369ms
   CGroup: /system.slice/sshd.service
           └─5386 /usr/sbin/sshd -D
Jan 04 11:51:15 host.example.com sshd[9342]: pam_sss(sshd:account): Access denied for user bob: 4 (System error)
Jan 04 11:51:15 host.example.com sshd[9320]: error: PAM: User account has expired for bob from 2620:52:0:25aa:21a:4aff:fe23:15a7
Jan 04 11:51:15 host.example.com sshd[9320]: fatal: monitor_read: unpermitted request 104
Jan 04 11:53:52 host.example.com sshd[9440]: Authorized to bob, krb5 principal bob@IPA.EXAMPLE.COM (ssh_gssapi_krb5_cmdok)
Jan 04 11:54:00 host.example.com sshd[9440]: pam_sss(sshd:account): Access denied for user bob: 4 (System error)
Jan 04 11:54:00 host.example.com sshd[9440]: fatal: Access denied for user bob by PAM account configuration [preauth]
Jan 04 11:59:14 host.example.com sshd[9585]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=2620:52:0:25aa:21a:4aff:fe23:15a7 user=bob
Jan 04 11:59:21 host.example.com sshd[9585]: pam_sss(sshd:account): Access denied for user bob: 4 (System error)
Jan 04 11:59:21 host.example.com sshd[9565]: error: PAM: User account has expired for bob from 2620:52:0:25aa:21a:4aff:fe23:15a7
Jan 04 11:59:21 host.example.com sshd[9565]: fatal: monitor_read: unpermitted request 104

kinit as bob works.

In audit log i do not see AVC denial:

type=CRYPTO_KEY_USER msg=audit(1515063550.484:2071): pid=9566 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:f9:9e:3d:16:26:fe:ee:f3:8a:41:08:52:c0:c2:f3:f5:41:38:c7:cb:88:da:d8:69:f4:76:9d:7d:8d:bb:b6:5c direction=? spid=9566 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1515063550.485:2072): pid=9566 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ee:a4:e9:56:e9:38:b7:fe:2f:f9:62:c0:2c:54:a1:f2:7d:7a:d9:13:af:fe:ea:50:01:2a:d3:76:ab:83:ac:00 direction=? spid=9566 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1515063550.485:2073): pid=9566 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:c5:87:17:5b:56:40:de:1c:35:66:20:59:8a:2e:b0:f1:ba:a4:20:2f:48:34:ed:ff:ef:1d:8e:08:ef:5f:00:b4 direction=? spid=9566 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1515063550.486:2074): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-gcm@openssh.com ksize=256 mac=<implicit> pfs=curve25519-sha256@libssh.org spid=9566 suid=74 rport=36716 laddr=2620:52:0:25aa:21a:4aff:fe23:1297 lport=22  exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1515063550.487:2075): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-gcm@openssh.com ksize=256 mac=<implicit> pfs=curve25519-sha256@libssh.org spid=9566 suid=74 rport=36716 laddr=2620:52:0:25aa:21a:4aff:fe23:1297 lport=22  exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=? res=success'
type=USER_AUTH msg=audit(1515063550.743:2076): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="bob" exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1515063551.837:2077): pid=9587 uid=175 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_succeed_if acct="ovirtagent" exe="/usr/sbin/userhelper" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1515063551.837:2078): pid=9587 uid=175 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_permit acct="ovirtagent" exe="/usr/sbin/userhelper" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1515063554.564:2079): pid=9585 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="bob" exe="/usr/sbin/sshd" hostname=2620:52:0:25aa:21a:4aff:fe23:15a7 addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=success'
type=ROLE_ASSIGN msg=audit(1515063554.890:2080): pid=9589 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:spc_t:s0 msg='op=login-sename,role,range acct="bob" old-seuser=? old-role=? old-range=? new-seuser=unconfined_u new-role=system_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/sssd/selinux_child" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1515063561.784:2081): pid=9585 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=2620:52:0:25aa:21a:4aff:fe23:15a7 addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1515063561.788:2082): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=challenge-response acct="bob" exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed'
type=USER_ERR msg=audit(1515063561.789:2083): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=2620:52:0:25aa:21a:4aff:fe23:15a7 addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1515063561.791:2084): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:f9:9e:3d:16:26:fe:ee:f3:8a:41:08:52:c0:c2:f3:f5:41:38:c7:cb:88:da:d8:69:f4:76:9d:7d:8d:bb:b6:5c direction=? spid=9565 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1515063561.791:2085): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ee:a4:e9:56:e9:38:b7:fe:2f:f9:62:c0:2c:54:a1:f2:7d:7a:d9:13:af:fe:ea:50:01:2a:d3:76:ab:83:ac:00 direction=? spid=9565 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1515063561.791:2086): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:c5:87:17:5b:56:40:de:1c:35:66:20:59:8a:2e:b0:f1:ba:a4:20:2f:48:34:ed:ff:ef:1d:8e:08:ef:5f:00:b4 direction=? spid=9565 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1515063561.791:2087): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1515063561.908:2088): pid=9593 uid=175 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_succeed_if acct="ovirtagent" exe="/usr/sbin/userhelper" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1515063561.909:2089): pid=9593 uid=175 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_permit acct="ovirtagent" exe="/usr/sbin/userhelper" hostname=? addr=? terminal=? res=success'

Selinux policy rule:

# sesearch --allow -s sshd_t -t spc_t -p connectto
allow domain spc_t:unix_stream_socket connectto;

Is there something I forgot Jan?


Note You need to log in before you can comment on or make changes to this bug.