Bug 1477613 - Update SELinux policy for SSH and Crypto policies
Summary: Update SELinux policy for SSH and Crypto policies
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 1479271
TreeView+ depends on / blocked
Reported: 2017-08-02 13:23 UTC by Jakub Jelen
Modified: 2017-08-14 15:46 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-14 15:46:30 UTC
Type: Bug

Attachments (Terms of Use)

Description Jakub Jelen 2017-08-02 13:23:26 UTC
Description of problem:
The Crypto policies in server requires some changes in the SSHD server structure and we went a way of simple script instead of modification of the SSHD server itself.

From there we need to create a temporary files under /run/openssh/, but the sshd server is not allowed to read the files with the labels under this path.

So far, there is a hack in the PreStart script, that changes the label to etc_t from var_run_t so we can start the daemon.

ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME

Better solution would be to create a special label for this file (and directory) so it is accessible only by the SSHD.

The AVC we are getting without this workaround:
type=AVC msg=audit(1501604780.224:775): avc:  denied  { read } for  pid=2789 comm="sshd" name="sshd_config" dev="tmpfs" ino=59058 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Alternatively we can also create some policy for helper script /usr/libexec/openssh/sshd-pre

Version-Release number of selected component (if applicable):
Fedora 27

How reproducible:

Steps to Reproduce:
1. Install openssh
2. Remove the above workaround from /usr/libexec/openssh/sshd-pre
3. Remove /run/openssh/sshd_config
4. Restart the sshd service

Actual results:
The service fails, the above AVC is visible in the audit log

Expected results:
The service starts, no AVCs

Additional info:


Comment 1 Jakub Jelen 2017-08-14 15:46:30 UTC
Solved differently in the latest build. Closing this bug.

Note You need to log in before you can comment on or make changes to this bug.