Bug 1448959 - STIG for RHEL 7 Server Running GUIs triggers AVC for sshd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact:
Depends On:
Blocks:
Reported: 2017-05-08 16:50 EDT by Thomas Kent
Modified: 2018-04-10 08:32 EDT (History)

See Also:
Fixed In Version: selinux-policy-3.13.1-174.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 08:29:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 None None None 2018-04-10 08:32 EDT

Description Thomas Kent 2017-05-08 16:50:15 EDT
Description of problem:
When applying the security profile "STIG for Red Hat Enterprise Linux 7 Server Running GUIs" during install, the /etc/ssh/sshd_config file has an error put into it, preventing the sshd service from starting. After correcting this, a SELinux error is encountered whenever a user logs in over ssh that is not present in the baseline.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Install from rhel-server-7.3-x86_64-dvd.iso into VirtualBox 5.1.8 VM (4GB Ram, 8GB Drive, NAT)
Software Selection - Server With GUI (no additional packages)
Security Policy - STIG for Red Hat Enterprise Linux 7 Server Running GUIs
Automatic Partitioning
Set Root Password
Create admin user
Reboot
Accept License

Login, Open Terminal
$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Wed 2017-04-05 12:53:41 EDT; 15s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 12473 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=255)

Apr 05 12:53:41 localhost.localdomain systemd[1]: sshd.service: control proce...
Apr 05 12:53:41 localhost.localdomain systemd[1]: Failed to start OpenSSH ser...
Apr 05 12:53:41 localhost.localdomain systemd[1]: Unit sshd.service entered f...
Apr 05 12:53:41 localhost.localdomain systemd[1]: sshd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.


$ sudo grep sshd /var/log/messages
Apr 5 12:52:27 localhost sshd-keygen: Generating SSH2 RSA host key: [ OK ]
Apr 5 12:52:27 localhost sshd-keygen: Generating SSH2 ECDSA host key: [ OK ]
Apr 5 12:52:27 localhost sshd-keygen: Generating SSH2 ED25519 host key: [ OK ]
Apr 5 12:52:28 localhost audispd: node=localhost.localdomain type=SERVICE_START msg=audit(1491411147.534:190): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd-keygen comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 5 12:52:35 localhost sshd: /etc/ssh/sshd_config line 169: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcMACs'.
Apr 5 12:52:35 localhost systemd: sshd.service: control process exited, code=exited status=255

$ sudo tail -n 4 /etc/ssh/sshd_config
PermitUserEnvironment no
# Per CCE: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcMACs hmac-sha2-512,hmac-sha2-256,hmac-sha1

**** As you can see, the line break between the Ciphers and MACs lines has been removed! Thus the invalid Cipher.
After fixing the bad line....

$ sudo tail -n 4 /etc/ssh/sshd_config
PermitUserEnvironment no
# Per CCE: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1


$ sudo systemctl start sshd

$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is [fingerprint].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
You are accessing a U.S. Government (USG) Information System (IS) that is
...


**** Now works, but causes (should this be a separate bug report?) a SELinux error:

SELinux is preventing /usr/sbin/sshd from using the signull access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sshd should be allowed signull access on processes labeled xdm_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp

Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects Unknown [ process ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages openssh-server-6.6.1p1-31.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.10.0-514.el7.x86_64
                              #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2017-04-05 13:45:37 EDT
Last Seen 2017-04-05 13:45:37 EDT
Local ID bfb2f588-1126-4b83-bb9d-7a7000486a00

Raw Audit Messages
type=AVC msg=audit(1491414337.884:827): avc: denied { signull } for pid=13574 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1491414337.884:827): arch=x86_64 syscall=kill success=no exit=EACCES a0=2db1 a1=0 a2=7 a3=7 items=0 ppid=12743 pid=13574 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,xdm_t,process,signull


This has also been filed against CentOS: https://bugs.centos.org/view.php?id=13088
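The merged `Ciphers`/`MACs` line shown above is the kind of defect that `sshd -t` only reports after the remediation has already broken the daemon; a remediation script could detect it before restarting sshd. The Python script below is an added example, not part of the bug report or of the STIG remediation content: it parses an sshd_config fragment, flags a list value into which a second keyword has been fused, validates every algorithm name against an allow-list, and rewrites the fused line as the two lines that were intended. The `BROKEN_TAIL` input is constructed from the config tail quoted in the report, and the allow-list of algorithm names is an assumption built from the names on this page plus a few common OpenSSH names; it is not OpenSSH's authoritative list.

```python
import re

# Constructed excerpt of the broken /etc/ssh/sshd_config tail from the report:
# the remediation wrote "Ciphers ..." and "MACs ..." without a newline between them.
BROKEN_TAIL = """PermitUserEnvironment no
# Per CCE: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcMACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
"""

# Algorithm names this checker accepts. Assumed allow-list built from the names on the
# page plus a few common OpenSSH names; it is not OpenSSH's authoritative list.
KNOWN = {
    "Ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc",
                "aes192-cbc", "aes256-cbc", "aes128-gcm@openssh.com",
                "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"},
    "MACs": {"hmac-sha2-512", "hmac-sha2-256", "hmac-sha1",
             "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
    "KexAlgorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                      "diffie-hellman-group-exchange-sha256",
                      "curve25519-sha256@libssh.org"},
}

# Matches a list value into which a second list keyword was fused, e.g. "...aes256-cbcMACs hmac-...".
FUSED_RE = re.compile(r"^(.*\S)(" + "|".join(KNOWN) + r")\s+(\S.*)$")


def parse_sshd_config(text):
    """Yield (lineno, keyword, value) for each non-comment directive line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)$", line)
        if m:
            yield lineno, m.group(1), m.group(2).strip()


def _unknown_tokens(lineno, keyword, value):
    """Findings for every comma-separated name that is not in the allow-list."""
    return [{"line": lineno, "keyword": keyword, "kind": "unknown", "token": tok.strip()}
            for tok in value.split(",") if tok.strip() not in KNOWN[keyword]]


def lint_algorithm_lists(text):
    """Return findings for Ciphers/MACs/KexAlgorithms lines.

    Each finding is a dict with 'line', 'keyword' and 'kind' ('fused' or 'unknown');
    a 'fused' finding also carries 'fix', the two lines that should replace the broken one.
    """
    findings = []
    for lineno, keyword, value in parse_sshd_config(text):
        if keyword not in KNOWN:
            continue
        fused = FUSED_RE.match(value)
        if fused:
            head, other, tail = fused.groups()
            findings.append({"line": lineno, "keyword": keyword, "kind": "fused",
                             "fix": [f"{keyword} {head}", f"{other} {tail}"]})
            # Validate the two recovered lists rather than the fused string.
            findings.extend(_unknown_tokens(lineno, other, tail))
            value = head
        findings.extend(_unknown_tokens(lineno, keyword, value))
    return findings


def repair(text):
    """Return the config with every fused line split in two; all other lines are unchanged."""
    fixes = {f["line"]: f["fix"] for f in lint_algorithm_lists(text) if f["kind"] == "fused"}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        out.extend(fixes.get(lineno, [raw]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_algorithm_lists(BROKEN_TAIL):
        print(finding)
    print(repair(BROKEN_TAIL))
```

Running the script against `BROKEN_TAIL` reports one `fused` finding on line 3 and prints the repaired tail with separate `Ciphers` and `MACs` lines; linting the repaired text returns no findings. The check is deliberately strict about unknown names, so a remediation pipeline that runs it before `systemctl restart sshd` fails closed on typos as well as on lost line breaks.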
Comment 2 Thomas Kent 2017-05-25 08:44:49 EDT
This is probably related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1415152
Comment 3 Marek Haicman 2017-07-21 10:31:16 EDT
You are right Thomas, SSHD config issue is the one you linked. I am moving it to selinux for investigation of the second finding.
Comment 4 Miroslav Grepl 2017-07-27 06:03:52 EDT
Thomas,
could you run

# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp

to see if it works with this fix.

Thank you.
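What the `ausearch | audit2allow` step in comment 4 turns into a local policy module can be read directly off the raw AVC record in the description. The Python below is an added example, not part of the bug report or of the selinux-policy fix: it parses the AVC and SYSCALL records quoted above (copied here as constructed inline strings), groups them by audit event id the way `ausearch` does, rebuilds the setroubleshoot hash `sshd,sshd_t,xdm_t,process,signull`, derives the allow rule that `audit2allow` generates for this denial, and decodes the `kill` syscall arguments to show why signal 0 is checked as the `signull` permission. The signal-number-to-permission table assumes x86_64 signal numbering.

```python
import re

# Constructed copies of the two raw audit records quoted in the bug description.
AVC_LINE = ('type=AVC msg=audit(1491414337.884:827): avc: denied { signull } for pid=13574 '
            'comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process')
SYSCALL_LINE = ('type=SYSCALL msg=audit(1491414337.884:827): arch=x86_64 syscall=kill success=no '
                'exit=EACCES a0=2db1 a1=0 a2=7 a3=7 items=0 ppid=12743 pid=13574 auid=1000 uid=0 '
                'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm=sshd '
                'exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Signals that SELinux checks as their own process permissions; every other signal
# number is checked as "signal". Assumed x86_64 numbering.
SIGNAL_PERMS = {0: "signull", 9: "sigkill", 17: "sigchld", 19: "sigstop"}


def event_id(line):
    """Return the audit(timestamp:serial) id that ties records of one event together."""
    m = re.search(r'msg=audit\((\d+\.\d+:\d+)\)', line)
    return m.group(1) if m else None


def group_by_event(lines):
    """Map each event id to the record types seen for it, as ausearch groups them."""
    events = {}
    for line in lines:
        eid = event_id(line)
        if eid:
            events.setdefault(eid, []).append(line.split(None, 1)[0][len("type="):])
    return events


def parse_avc(line):
    """Parse one type=AVC record into a dict: result, perms, the key=value fields, and bare types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # user:role:type:range -> the type component is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def setroubleshoot_hash(rec):
    """Rebuild the 'Hash:' line setroubleshoot prints for a denial."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"])])


def allow_rule(rec):
    """The allow rule audit2allow emits for a single denial record."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perms};"


def explain_kill_syscall(line):
    """Decode kill(pid, sig) from a SYSCALL record and name the SELinux permission it exercises."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("syscall") != "kill":
        return None
    pid = int(fields["a0"], 16)   # a0: target pid, hex in audit records
    sig = int(fields["a1"], 16)   # a1: signal number; 0 only probes whether the pid exists
    return {"target_pid": pid, "signal": sig, "permission": SIGNAL_PERMS.get(sig, "signal")}


if __name__ == "__main__":
    print(group_by_event([AVC_LINE, SYSCALL_LINE]))
    avc = parse_avc(AVC_LINE)
    print("Hash:", setroubleshoot_hash(avc))
    print(allow_rule(avc))
    print(explain_kill_syscall(SYSCALL_LINE))
```

The derived rule is `allow sshd_t xdm_t:process signull;`, which is as narrow as a local workaround gets: one source domain, one target domain, one permission, and `signull` only lets sshd test whether the GUI session process exists. Decoding the SYSCALL record (`a1=0`) is what confirms the denial came from a signal-0 probe rather than an attempt to actually signal the process, which matters when deciding whether a denial like this is benign before loading a generated module.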
Comment 5 Thomas Kent 2017-07-31 11:44:36 EDT
(In reply to Miroslav Grepl from comment #4)
> Thomas,
> could you run
> 
> # ausearch -c 'sshd' --raw | audit2allow -M my-sshd
> # semodule -i my-sshd.pp
> 
> to see if it works with this fix.
> 
> Thank you.

That seems to fix the remaining issue.
Comment 10 errata-xmlrpc 2018-04-10 08:29:42 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
