Description of problem: When SSSD container is used for authentication for example via sshd per http://www.projectatomic.io/blog/2015/12/fedora-atomic-sssd-container/, upgrade to Fedora Atomic 23.122 breaks the functionality. Version-Release number of selected component (if applicable): docker-selinux-1.9.1-9.gitee06d03.fc23.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. Have IPA server around, create host record for the Fedora Atomic host with OTP set. 2. Have user bob created in the IPA server. 3. On the Fedora Atomic host, run atomic install fedora/sssd --server ipa.example.test --domain example.test --password teslo 4. Run systemctl start sssd 5. Edit /etc/ssh/sshd_config and set PasswordAuthentication to yes. 6. Run systemctl restart sshd 7. Attempt to run ssh bob.test. Actual results: It fails. Journal will say host.example.test audit[1066]: AVC avc: denied { connectto } for pid=1066 comm="sshd" path="/var/lib/sss/pipes/priv ate/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket permissive=0 Expected results: No error, authentication passes. Additional info: With docker-selinux-1.9.1-9.gitee06d03.fc23.x86_64 which is on the 23.122 ostree, sesearch --allow -s sshd_t -t spc_t -p connectto does not find anything. It's a regression against for example ostree 23.53 with -bash-4.3# rpm -q docker-selinux docker-selinux-1.9.1-4.git6ec29ef.fc23.x86_64 -bash-4.3# sesearch --allow -s sshd_t -t spc_t -p connectto Found 1 semantic av rules: allow domain spc_t : unix_stream_socket connectto ;
On non-Atomic Fedora with docker-selinux-1.10.3-16.gita41254f.fc23.x86_64, the allow rule is back as well: [root@machine ~]# rpm -q docker-selinux docker-selinux-1.10.3-16.gita41254f.fc23.x86_64 [root@machine ~]# sesearch --allow -s sshd_t -t spc_t -p connectto Found 1 semantic av rules: allow domain spc_t : unix_stream_socket connectto ; But we need the 1.9 policy fixed as well, unless Fedora Atomic is moving to 1.10 soon.
I think we are moving to docker-1.10,
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Bug is still present on: fedora-atomic:fedora-atomic/25/x86_64/docker-host Version: 25.42 (2016-11-16 10:26:30) with: docker-1.12.2-5.git8f1975c.fc25.x86_64 container-selinux-1.12.2-5.git8f1975c.fc25.x86_64 selinux-policy-3.13.1-224.fc25.noarch seeing: type=AVC msg=audit(1481200305.628:261): avc: denied { connectto } for pid=3936 comm="sshd" path="/var/lib/sss/pipes/private/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0 type=AVC msg=audit(1481200305.629:262): avc: denied { connectto } for pid=3936 comm="sshd" path="/var/lib/sss/pipes/private/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
This looks like the container is running as container_runtime_t not spc_t. Are you running sssd in a confined container?
In our case atomic runs: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/install.sh so I have run: docker run --privileged --rm -ti fedora:25 bash and I see process: system_u:system_r:container_runtime_t:s0 root 4560 0.0 0.1 12556 3660 pts/1 Ss+ 13:56 0:00 bash when run without --privileged the type is: system_u:system_r:container_t:s0:c844,c851 root 4922 0.2 0.1 12560 3656 pts/1 Ss+ 14:26 0:00 bash Did not spc_t get renamed to container_runtime_t lately?
BTW we have same regression on RHEL 7.3.1 with: rhel-atomic-host:rhel-atomic-host/7/x86_64/standard Version: 7.3.1 (2016-11-30 02:14:24) docker-1.10.3-59.el7.x86_64 container-selinux-1.10.3-59.el7.x86_64 selinux-policy-3.13.1-102.el7_3.7.noarch seeing: Dec 08 14:31:19 test1-rhel-7-3-1-atomic.example.test kernel: type=1400 audit(1481207479.847:5): avc: denied { connectto } for pid=13179 comm="sshd" path="/var/lib/sss/pipes/private/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket Dec 08 14:31:19 test1-rhel-7-3-1-atomic.example.test kernel: type=1400 audit(1481207479.867:6): avc: denied { connectto } for pid=13179 comm="sshd" path="/var/lib/sss/pipes/private/pam" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket Would you like to track RHEL issue separately?
Filed against RHEL: bug 1403270
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Tibor, could you please check if the issue is still present on Fedora 26?
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
When i have run: atomic install fedora/sssd --server ipa.example.test --domain example.test --password 'someOTPpass' then started service: systemctl start sssd in file /etc/ssh/sshd_config is PasswordAuthentication set to yes and then run: systemctl restart sshd Attempt to run ssh bob.test fails: # systemctl status sshd ● sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2018-01-04 10:58:52 CET; 1h 1min ago Docs: man:sshd(8) man:sshd_config(5) Main PID: 5386 (sshd) Tasks: 1 (limit: 4915) Memory: 2.4M CPU: 369ms CGroup: /system.slice/sshd.service └─5386 /usr/sbin/sshd -D Jan 04 11:51:15 host.example.com sshd[9342]: pam_sss(sshd:account): Access denied for user bob: 4 (System error) Jan 04 11:51:15 host.example.com sshd[9320]: error: PAM: User account has expired for bob from 2620:52:0:25aa:21a:4aff:fe23:15a7 Jan 04 11:51:15 host.example.com sshd[9320]: fatal: monitor_read: unpermitted request 104 Jan 04 11:53:52 host.example.com sshd[9440]: Authorized to bob, krb5 principal bob.COM (ssh_gssapi_krb5_cmdok) Jan 04 11:54:00 host.example.com sshd[9440]: pam_sss(sshd:account): Access denied for user bob: 4 (System error) Jan 04 11:54:00 host.example.com sshd[9440]: fatal: Access denied for user bob by PAM account configuration [preauth] Jan 04 11:59:14 host.example.com sshd[9585]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=2620:52:0:25aa:21a:4aff:fe23:15a7 user=bob Jan 04 11:59:21 host.example.com sshd[9585]: pam_sss(sshd:account): Access denied for user bob: 4 (System error) Jan 04 11:59:21 host.example.com sshd[9565]: error: PAM: User account has expired for bob from 2620:52:0:25aa:21a:4aff:fe23:15a7 Jan 04 11:59:21 host.example.com sshd[9565]: fatal: monitor_read: unpermitted request 104 kinit as bob works. In audit log i do not see AVC denial: type=CRYPTO_KEY_USER msg=audit(1515063550.484:2071): pid=9566 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:f9:9e:3d:16:26:fe:ee:f3:8a:41:08:52:c0:c2:f3:f5:41:38:c7:cb:88:da:d8:69:f4:76:9d:7d:8d:bb:b6:5c direction=? spid=9566 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success' type=CRYPTO_KEY_USER msg=audit(1515063550.485:2072): pid=9566 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ee:a4:e9:56:e9:38:b7:fe:2f:f9:62:c0:2c:54:a1:f2:7d:7a:d9:13:af:fe:ea:50:01:2a:d3:76:ab:83:ac:00 direction=? spid=9566 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success' type=CRYPTO_KEY_USER msg=audit(1515063550.485:2073): pid=9566 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:c5:87:17:5b:56:40:de:1c:35:66:20:59:8a:2e:b0:f1:ba:a4:20:2f:48:34:ed:ff:ef:1d:8e:08:ef:5f:00:b4 direction=? spid=9566 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success' type=CRYPTO_SESSION msg=audit(1515063550.486:2074): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-gcm ksize=256 mac=<implicit> pfs=curve25519-sha256 spid=9566 suid=74 rport=36716 laddr=2620:52:0:25aa:21a:4aff:fe23:1297 lport=22 exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=? res=success' type=CRYPTO_SESSION msg=audit(1515063550.487:2075): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-gcm ksize=256 mac=<implicit> pfs=curve25519-sha256 spid=9566 suid=74 rport=36716 laddr=2620:52:0:25aa:21a:4aff:fe23:1297 lport=22 exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=? res=success' type=USER_AUTH msg=audit(1515063550.743:2076): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="bob" exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed' type=USER_AUTH msg=audit(1515063551.837:2077): pid=9587 uid=175 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_succeed_if acct="ovirtagent" exe="/usr/sbin/userhelper" hostname=? addr=? terminal=? res=success' type=USER_ACCT msg=audit(1515063551.837:2078): pid=9587 uid=175 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_permit acct="ovirtagent" exe="/usr/sbin/userhelper" hostname=? addr=? terminal=? res=success' type=USER_AUTH msg=audit(1515063554.564:2079): pid=9585 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="bob" exe="/usr/sbin/sshd" hostname=2620:52:0:25aa:21a:4aff:fe23:15a7 addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=success' type=ROLE_ASSIGN msg=audit(1515063554.890:2080): pid=9589 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:spc_t:s0 msg='op=login-sename,role,range acct="bob" old-seuser=? old-role=? old-range=? new-seuser=unconfined_u new-role=system_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/sssd/selinux_child" hostname=? addr=? terminal=? res=success' type=USER_ACCT msg=audit(1515063561.784:2081): pid=9585 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=2620:52:0:25aa:21a:4aff:fe23:15a7 addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed' type=USER_AUTH msg=audit(1515063561.788:2082): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=challenge-response acct="bob" exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed' type=USER_ERR msg=audit(1515063561.789:2083): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=2620:52:0:25aa:21a:4aff:fe23:15a7 addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed' type=CRYPTO_KEY_USER msg=audit(1515063561.791:2084): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:f9:9e:3d:16:26:fe:ee:f3:8a:41:08:52:c0:c2:f3:f5:41:38:c7:cb:88:da:d8:69:f4:76:9d:7d:8d:bb:b6:5c direction=? spid=9565 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success' type=CRYPTO_KEY_USER msg=audit(1515063561.791:2085): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ee:a4:e9:56:e9:38:b7:fe:2f:f9:62:c0:2c:54:a1:f2:7d:7a:d9:13:af:fe:ea:50:01:2a:d3:76:ab:83:ac:00 direction=? spid=9565 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success' type=CRYPTO_KEY_USER msg=audit(1515063561.791:2086): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:c5:87:17:5b:56:40:de:1c:35:66:20:59:8a:2e:b0:f1:ba:a4:20:2f:48:34:ed:ff:ef:1d:8e:08:ef:5f:00:b4 direction=? spid=9565 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success' type=USER_LOGIN msg=audit(1515063561.791:2087): pid=9565 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=2620:52:0:25aa:21a:4aff:fe23:15a7 terminal=ssh res=failed' type=USER_AUTH msg=audit(1515063561.908:2088): pid=9593 uid=175 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_succeed_if acct="ovirtagent" exe="/usr/sbin/userhelper" hostname=? addr=? terminal=? res=success' type=USER_ACCT msg=audit(1515063561.909:2089): pid=9593 uid=175 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_permit acct="ovirtagent" exe="/usr/sbin/userhelper" hostname=? addr=? terminal=? res=success' Selinux policy rule: # sesearch --allow -s sshd_t -t spc_t -p connectto allow domain spc_t:unix_stream_socket connectto; Is there something I forgot Jan?