This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1461893 - selinux errors when logging in via ssh
selinux errors when logging in via ssh
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux (Show other bugs)
7.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Lokesh Mandvekar
atomic-bugs@redhat.com
: Extras
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-15 10:21 EDT by Dominik Perpeet
Modified: 2017-10-11 12:46 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dominik Perpeet 2017-06-15 10:21:45 EDT
Description of problem:
Cockpit integration tests found an SELinux error in the latest 7.4 build (7.4 nightly + Extras compose) when logging in via ssh.

Version-Release number of selected component (if applicable):
According to lvrabec this is the relevant package:
Name        : container-selinux
Arch        : noarch
Epoch       : 2
Version     : 2.15
Release     : 1.git583ca40.el7

How reproducible:
Always

Steps to Reproduce:
1. Log in via ssh (I tried only key based)

Actual results:
Jun 15 07:16:24 localhost.localdomain kernel: type=1401 audit(1497525384.448:4): op=security_compute_av reason=bounds scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition,sigchld,sigstop,signull,signal,getattr
Jun 15 07:16:24 localhost.localdomain kernel: type=1401 audit(1497525384.484:5): op=security_compute_av reason=bounds scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition,sigchld,sigstop,signull,signal,getattr
Comment 4 Martin Pitt 2017-07-05 17:09:21 EDT
For the record, on current RHEL Atomic they look slightly differently:

type=1401 audit(1499275045.747:7): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition
type=1401 audit(1499275045.767:8): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition
type=1401 audit(1499275045.913:9): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0 tcontext=root:sysadm_r:svirt_lxc_net_t:s0 tclass=process perms=transition
type=1401 audit(1499275045.994:10): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0 tcontext=root:system_r:svirt_lxc_net_t:s0 tclass=process perms=transition
type=1401 audit(1499275046.014:11): 
op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0 tcontext=root:unconfined_r:svirt_lxc_net_t:s0 tclass=process perms=transition

From https://fedorapeople.org/groups/cockpit/logs/pull-7148-20170705-165757-1548446a-verify-rhel-atomic/log.html#121
Comment 5 Daniel Walsh 2017-10-09 08:34:15 EDT
Dominick the messages you are showing are not SELinux errors (avc.

Martin did you see anything actually break?  These all seem to be bounds checks not AVC's
Comment 6 Martin Pitt 2017-10-09 09:11:16 EDT
@Daniel: No, the actual tests seem fine, we just get these unexpected journal messages. Should these just be ignored?
Comment 7 Daniel Walsh 2017-10-09 11:05:08 EDT
Yes I believe so.  We should be handling bounds checking better in future versions of RHEL selinux policy and tool chain.

Note You need to log in before you can comment on or make changes to this bug.