Bug 1477613 - Update SELinux policy for SSH and Crypto policies
Update SELinux policy for SSH and Crypto policies
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 1479271
  Show dependency treegraph
 
Reported: 2017-08-02 09:23 EDT by Jakub Jelen
Modified: 2017-08-14 11:46 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-14 11:46:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jakub Jelen 2017-08-02 09:23:26 EDT
Description of problem:
The Crypto policies in server requires some changes in the SSHD server structure and we went a way of simple script instead of modification of the SSHD server itself.

From there we need to create a temporary files under /run/openssh/, but the sshd server is not allowed to read the files with the labels under this path.

So far, there is a hack in the PreStart script, that changes the label to etc_t from var_run_t so we can start the daemon.

ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME

Better solution would be to create a special label for this file (and directory) so it is accessible only by the SSHD.

The AVC we are getting without this workaround:
type=AVC msg=audit(1501604780.224:775): avc:  denied  { read } for  pid=2789 comm="sshd" name="sshd_config" dev="tmpfs" ino=59058 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Alternatively we can also create some policy for helper script /usr/libexec/openssh/sshd-pre

Version-Release number of selected component (if applicable):
Fedora 27

How reproducible:
always

Steps to Reproduce:
1. Install openssh
2. Remove the above workaround from /usr/libexec/openssh/sshd-pre
3. Remove /run/openssh/sshd_config
4. Restart the sshd service

Actual results:
The service fails, the above AVC is visible in the audit log

Expected results:
The service starts, no AVCs

Additional info:

https://fedoraproject.org/wiki/Changes/OpenSSH_Server_Crypto_Policy
Comment 1 Jakub Jelen 2017-08-14 11:46:30 EDT
Solved differently in the latest build. Closing this bug.

Note You need to log in before you can comment on or make changes to this bug.