1448959 – STIG for RHEL 7 Server Running GUIs triggers AVC for sshd

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1448959 - STIG for RHEL 7 Server Running GUIs triggers AVC for sshd

Summary: STIG for RHEL 7 Server Running GUIs triggers AVC for sshd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-08 20:50 UTC by Thomas Kent
Modified:	2018-04-10 12:32 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-3.13.1-174.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 12:29:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	0	None	None	None	2018-04-10 12:32:07 UTC

Description Thomas Kent 2017-05-08 20:50:15 UTC

Description of problem:
When applying the security profile "STIG for Red Hat Enterprise Linux 7 Server Running GUIs" during install, the /etc/ssh/sshd_config file has an error put into it, preventing the sshd service from starting. After correcting this, a SELinux error is encountered whenever a user logs in over ssh that is not present in the baseline.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Install from rhel-server-7.3-x86_64-dvd.iso into VirtualBox 5.1.8 VM (4GB Ram, 8GB Drive, NAT)
Software Selection - Server With GUI (no additional packages)
Security Policy - STIG for Red Hat Enterprise Linux 7 Server Running GUIs
Automatic Partitioning
Set Root Password
Create admin user
Reboot
Accept License

Login, Open Terminal
$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Wed 2017-04-05 12:53:41 EDT; 15s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 12473 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=255)

Apr 05 12:53:41 localhost.localdomain systemd[1]: sshd.service: control proce...
Apr 05 12:53:41 localhost.localdomain systemd[1]: Failed to start OpenSSH ser...
Apr 05 12:53:41 localhost.localdomain systemd[1]: Unit sshd.service entered f...
Apr 05 12:53:41 localhost.localdomain systemd[1]: sshd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.


$ sudo grep sshd /var/log/messages
Apr 5 12:52:27 localhost sshd-keygen: Generating SSH2 RSA host key: [ OK ]
Apr 5 12:52:27 localhost sshd-keygen: Generating SSH2 ECDSA host key: [ OK ]
Apr 5 12:52:27 localhost sshd-keygen: Generating SSH2 ED25519 host key: [ OK ]
Apr 5 12:52:28 localhost audispd: node=localhost.localdomain type=SERVICE_START msg=audit(1491411147.534:190): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd-keygen comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 5 12:52:35 localhost sshd: /etc/ssh/sshd_config line 169: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcMACs'.
Apr 5 12:52:35 localhost systemd: sshd.service: control process exited, code=exited status=255

$ sudo tail -n 4 /etc/ssh/sshd_config
PermitUserEnvironment no
# Per CCE: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcMACs hmac-sha2-512,hmac-sha2-256,hmac-sha1

**** As you can see, the line break between the Ciphers and MACs lines has been removed! Thus the invalid Cipher.
After fixing the bad line....

$ sudo tail -n 4 /etc/ssh/sshd_config
PermitUserEnvironment no
# Per CCE: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1


$ sudo systemctl start sshd

$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is [fingerprint].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
You are accessing a U.S. Government (USG) Information System (IS) that is
...


**** Now works, but causes (should this be a separate bug report?) a SELinux error:

SELinux is preventing /usr/sbin/sshd from using the signull access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sshd should be allowed signull access on processes labeled xdm_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp

Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects Unknown [ process ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages openssh-server-6.6.1p1-31.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.10.0-514.el7.x86_64
                              #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2017-04-05 13:45:37 EDT
Last Seen 2017-04-05 13:45:37 EDT
Local ID bfb2f588-1126-4b83-bb9d-7a7000486a00

Raw Audit Messages
type=AVC msg=audit(1491414337.884:827): avc: denied { signull } for pid=13574 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1491414337.884:827): arch=x86_64 syscall=kill success=no exit=EACCES a0=2db1 a1=0 a2=7 a3=7 items=0 ppid=12743 pid=13574 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,xdm_t,process,signull


This has also been filed against CentOS: https://bugs.centos.org/view.php?id=13088

Comment 2 Thomas Kent 2017-05-25 12:44:49 UTC

This is probably related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1415152

Comment 3 Marek Haicman 2017-07-21 14:31:16 UTC

You are right Thomas, SSHD config issue is the one you linked. I am moving it to selinux for investigation of the second finding.

Comment 4 Miroslav Grepl 2017-07-27 10:03:52 UTC

Thomas,
could you run

# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp

to see if it works with this fix.

Thank you.

Comment 5 Thomas Kent 2017-07-31 15:44:36 UTC

(In reply to Miroslav Grepl from comment #4)
> Thomas,
> could you run
> 
> # ausearch -c 'sshd' --raw | audit2allow -M my-sshd
> # semodule -i my-sshd.pp
> 
> to see if it works with this fix.
> 
> Thank you.

That seems to fix the remaining issue.

Comment 10 errata-xmlrpc 2018-04-10 12:29:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.