Bug 1461893 - selinux errors when logging in via ssh
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.4
Assigned To: Lokesh Mandvekar
Reported: 2017-06-15 10:21 EDT by Dominik Perpeet
Modified: 2017-07-05 17:09 EDT

Type: Bug
Description Dominik Perpeet 2017-06-15 10:21:45 EDT
Description of problem:
Cockpit integration tests found an SELinux error in the latest 7.4 build (7.4 nightly + Extras compose) when logging in via ssh.

Version-Release number of selected component (if applicable):
According to lvrabec this is the relevant package:
Name        : container-selinux
Arch        : noarch
Epoch       : 2
Version     : 2.15
Release     : 1.git583ca40.el7

How reproducible:
Always

Steps to Reproduce:
1. Log in via ssh (I tried only key-based)

Actual results:
Jun 15 07:16:24 localhost.localdomain kernel: type=1401 audit(1497525384.448:4): op=security_compute_av reason=bounds scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition,sigchld,sigstop,signull,signal,getattr
Jun 15 07:16:24 localhost.localdomain kernel: type=1401 audit(1497525384.484:5): op=security_compute_av reason=bounds scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition,sigchld,sigstop,signull,signal,getattr
Comment 4 Martin Pitt 2017-07-05 17:09:21 EDT
For the record, on current RHEL Atomic they look slightly different:

type=1401 audit(1499275045.747:7): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition
type=1401 audit(1499275045.767:8): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition
type=1401 audit(1499275045.913:9): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0 tcontext=root:sysadm_r:svirt_lxc_net_t:s0 tclass=process perms=transition
type=1401 audit(1499275045.994:10): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0 tcontext=root:system_r:svirt_lxc_net_t:s0 tclass=process perms=transition
type=1401 audit(1499275046.014:11): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0 tcontext=root:unconfined_r:svirt_lxc_net_t:s0 tclass=process perms=transition

From https://fedorapeople.org/groups/cockpit/logs/pull-7148-20170705-165757-1548446a-verify-rhel-atomic/log.html#121
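
To compare the records in the description with those in comment 4, this added example (not part of the bug report or of any Red Hat tooling) parses type=1401 reason=bounds records and groups them by source type, target type and class. The sample input is three records copied from this page; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from this page, one still carrying
# its syslog prefix and two without it.
SAMPLE = """\
Jun 15 07:16:24 localhost.localdomain kernel: type=1401 audit(1497525384.448:4): op=security_compute_av reason=bounds scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition,sigchld,sigstop,signull,signal,getattr
type=1401 audit(1499275045.747:7): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:svirt_lxc_net_t:s0-s0:c0.c1023 tclass=process perms=transition
type=1401 audit(1499275045.913:9): op=security_compute_av reason=bounds scontext=system_u:system_r:spc_t:s0 tcontext=root:sysadm_r:svirt_lxc_net_t:s0 tclass=process perms=transition
"""

RECORD = re.compile(r"type=1401 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)")

def parse_record(line):
    """Return a dict for one type=1401 reason=bounds record, else None."""
    m = RECORD.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("body").split() if "=" in kv)
    if fields.get("reason") != "bounds":
        return None
    # A context is user:role:type:level; the level may itself contain ':'.
    s_type = fields["scontext"].split(":", 3)[2]
    t_user, t_role, t_type, _level = fields["tcontext"].split(":", 3)
    return {
        "serial": int(m.group("serial")),
        "source_type": s_type,
        "target_type": t_type,
        "target_user_role": f"{t_user}:{t_role}",
        "tclass": fields["tclass"],
        "perms": set(fields["perms"].split(",")),
    }

def summarize(text):
    """Group bounds records by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["targets"].add(rec["target_user_role"])
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(key, g["count"], sorted(g["perms"]), sorted(g["targets"]))
```

On this sample the summary separates the sshd_t records, which list six process permissions, from the spc_t records, which list only transition.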
