Bug 1482554 - SELinux is preventing SSHD to start from TCPD wrapper
Summary: SELinux is preventing SSHD to start from TCPD wrapper
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-17 14:47 UTC by Jakub Jelen
Modified: 2018-03-26 22:31 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.14.1-18.fc28
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-26 22:31:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jakub Jelen 2017-08-17 14:47:46 UTC
Description of problem:
OpenSSH is built with libwrap at this point. It will not the this way in future and for the ones who would like to make use of tcp_wrappers, they can use tcpd wrapper for "socket activated services". But this does not work with SELinux, because probably nobody tried yet

Version-Release number of selected component (if applicable):
*

How reproducible:
deterministic

Steps to Reproduce:
 * Disable sshd.service
    systemctl disable sshd

 * Copy the shipped sshd@.service to /etc/:
    cp {/usr/lib,/etc}/systemd/system/sshd@.service

 * Modify the ExecStart line in the above file under /ect/ from
    ExecStart=-/usr/sbin/sshd -i $OPTIONS

  to
    ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS

 * Reload systemctl
    systemctl daemon-reload

 * Enable and start sshd.socket
    systemctl enable sshd.socket
    systemctl start sshd.socket

 * Verify that you can connect to new service (not working now, because it is blocked by SELinux).

Actual results:
The connection fails, AVCs appear.

Expected results:
Clients are able to connect to ssh.

Additional info:
I was able to make it working with the following SELinux modules:
 * Transition from tcpd_t to sshd_t
 * Allow sshd_t and sshd_net_t to read the socket passed from tcpd_t

[jjelen@t470s ~]$ cat mytcpd2.te 
policy_module(mytcpd2, 1.0.0)

gen_require(`
    type tcpd_t;
')

optional_policy(`
    ssh_domtrans(tcpd_t)
')

[jjelen@t470s ~]$ cat mytcpd.cil 
(allow init_t tcpd_t (tcp_socket (create setopt bind listen accept getattr)))
(allow sshd_t tcpd_t (tcp_socket (getattr read setopt write)))
(allow sshd_net_t tcpd_t (tcp_socket (read write)))

(allow tcpd_t ssh_port_t (tcp_socket (name_bind)))
(allow tcpd_t node_t (tcp_socket (node_bind)))
(allow tcpd_t tcpd_exec_t (file (execute_no_trans)))



It would be ideal to solve this somehow using a macro, because this will be needed for other services that currently use libwrap directly and they might stop doing so in close future. Most of the rules will be the same for them

Also it would make sense to gate this change by some SELinux boolean -- we probably do not want to allow that by default (can it be security problem?).

Comment 1 Fedora End Of Life 2018-02-20 15:25:00 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 2 Fedora Update System 2018-03-25 13:11:44 UTC
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 3 Fedora Update System 2018-03-25 20:32:40 UTC
selinux-policy-3.14.1-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 4 Fedora Update System 2018-03-26 21:51:38 UTC
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 5 Fedora Update System 2018-03-26 22:31:56 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.