Bug 1584167 - SELinux prevents sshd from reading the file /run/cockpit/active.motd
Summary: SELinux prevents sshd from reading the file /run/cockpit/active.motd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1eaac0650fa1d3a1e082ef33636...
Depends On:
Blocks: 1591381
Reported: 2018-05-30 12:25 UTC by Stephen Gallagher
Modified: 2018-10-05 16:01 UTC (History)

Fixed In Version: selinux-policy-3.14.1-36.fc28 selinux-policy-3.14.2-35.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-05 16:01:36 UTC
Type: ---
Embargoed:



Description Stephen Gallagher 2018-05-30 12:25:52 UTC
Description of problem:
I updated to Cockpit 169 which added support for setting an /etc/motd.d/cockpit file that informs users about the admin console.

When logging in, I received an SELinux denial disallowing SSHD from accessing "active.motd".
SELinux is preventing sshd from 'read' accesses on the file active.motd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sshd should be allowed read access on the active.motd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                active.motd [ file ]
Source                        sshd
Source Path                   sshd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-25.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.11-300.fc28.x86_64 #1 SMP Tue
                              May 22 18:29:09 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2018-05-30 08:20:40 EDT
Last Seen                     2018-05-30 08:23:25 EDT
Local ID                      bbf2455c-f5c5-4002-9359-524692b6e716

Raw Audit Messages
type=AVC msg=audit(1527683005.630:732): avc:  denied  { read } for  pid=16693 comm="sshd" name="active.motd" dev="tmpfs" ino=136336 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: sshd,sshd_t,var_run_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.1-25.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.11-300.fc28.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2018-05-30 22:31:35 UTC
Hi cockpit folks,

How are you moving the cockpit file? The SELinux context should be etc_t, not var_run_t. Could somebody look at it?

Thanks,
Lukas.

Comment 2 Martin Pitt 2018-06-14 15:31:03 UTC
/etc/motd.d/cockpit is a symlink to /run/cockpit/motd. The content is generated dynamically by cockpit.socket and systemd-tmpfiles, depending on whether cockpit is enabled or disabled. So I believe run_t is correct.

Comment 3 Martin Pitt 2018-06-26 11:48:01 UTC
Forgot to reassign back.

Comment 4 Stephen Gallagher 2018-06-28 19:19:23 UTC
Lukas, can we get an update here? The Cockpit and OpenSSH bits to enable this are headed to stable soon in F28 and it would be nice if SELinux wasn't blocking it.

Comment 5 Lukas Vrabec 2018-07-03 13:45:33 UTC
Hi, 

Stephen if you label /run/cockpit/motd as etc_t, is it working? 

# semanage fcontext -a -t etc_t /var/run/cockpit/motd
# restorecon -Rv /var/run/cockpit/motd 

Thanks,
Lukas.

Comment 6 Stephen Gallagher 2018-07-03 13:53:29 UTC
I tested by doing `sudo chcon -t etc_t /run/cockpit/motd` rather than semanage (because if it didn't work, I don't like to diverge from standard). This worked just fine and I got no denial when SSHing in.

Comment 7 Lukas Vrabec 2018-07-03 13:54:59 UTC
Sure, it's up to you if you'll use chcon or semanage (in semanage you can use -d to remove it ;))

Will add label for /var/run/cockpit/motd

Comment 8 Milos Malik 2018-07-13 07:13:15 UTC
----
type=PROCTITLE msg=audit(07/13/2018 08:56:55.622:200) : proctitle=sshd: root [priv] 
type=PATH msg=audit(07/13/2018 08:56:55.622:200) : item=0 name=cockpit inode=22178 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/13/2018 08:56:55.622:200) : cwd=/ 
type=SYSCALL msg=audit(07/13/2018 08:56:55.622:200) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0x6 a1=0x563ec7e42bf3 a2=O_RDONLY a3=0x0 items=1 ppid=759 pid=1154 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/13/2018 08:56:55.622:200) : avc:  denied  { read } for  pid=1154 comm=sshd name=active.motd dev="tmpfs" ino=22178 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 
----

# find /run/ -inum 22178
/run/cockpit/active.motd
# ls -l /run/cockpit/
total 4
-rw-r--r--. 1 root root 71 Jul 13 09:02 active.motd
lrwxrwxrwx. 1 root root 37 Jul 13 09:02 motd -> /usr/share/cockpit/motd/inactive.motd
# matchpathcon /run/cockpit/active.motd 
/run/cockpit/active.motd	system_u:object_r:var_run_t:s0
# matchpathcon /run/cockpit/motd 
/run/cockpit/motd	system_u:object_r:var_run_t:s0
#

What about assigning a better label to the /run/cockpit/ directory and to everything inside it?

Comment 9 Martin Pitt 2018-07-17 07:00:46 UTC
I'm afraid I'm not following. Was "chcon -t etc_t /run/cockpit/motd" (or the equivalent semanage) for testing, or a proposal for production? It sounds odd to me to label a file in /run with "etc_t". So is that something which we need to fix in Cockpit at file creation, or in the SELinux policy? Thanks!

Comment 10 Dave Crown 2018-07-17 21:09:14 UTC
Description of problem:
I ssh'ed to my workstation

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.5-200.fc28.x86_64
type:           libreport

Comment 11 Fedora Update System 2018-07-25 22:26:44 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 12 Fedora Update System 2018-07-26 16:29:20 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 13 Fedora Update System 2018-07-29 03:21:11 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Jason Harris 2018-09-01 12:56:09 UTC
Hello,

I wanted to say that this is still present in:

selinux-policy-3.14.1-40.fc28.noarch.

I am mentioning this here because the update system requested any further instances of this issue should be posted here.

I should also mention that I run SSH over a non-standard port for security reasons, and selinux has been updated to take that into account.  This is the only message about SSH that SELINUX is still complaining about regularly.

Please let me know if I should open a separate bug report, or if this one needs to be re-opened.

I am pulling this message from Cockpit, using the cockpit-selinux add-on in Fedora 28:

type=AVC msg=audit(1535776582.454:278): avc: denied { read } for pid=1418 comm="sshd" name="active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

SELinux is preventing sshd from read access on the file active.motd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sshd should be allowed read access on the active.motd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp


Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                active.motd [ file ]
Source                        sshd
Source Path                   sshd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-40.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     mediasrv.micronnet.net
Platform                      Linux mediasrv.micronnet.net
                              4.17.19-200.fc28.x86_64 #1 SMP Fri Aug 24 15:47:41
                              UTC 2018 x86_64 x86_64
Alert Count                   10
First Seen                    2018-08-31 20:24:29 CDT
Last Seen                     2018-08-31 23:36:22 CDT
Local ID                      b45d0b3d-2c4b-46ef-9b6b-85bfc72353e9

Raw Audit Messages
type=AVC msg=audit(1535776582.454:278): avc:  denied  { read } for  pid=1418 comm="sshd" name="active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: sshd,sshd_t,var_run_t,file,read

Comment 15 Christopher Engelhard 2018-09-13 17:12:11 UTC
Hi,
this issue is also present in 

selinux-policy-3.14.1-42.fc28

I also had this issue in 3.14.1-40 (just didn't get around to reporting it) and I'm running SSHD on the standard port 22, with no modifications to selinux, so it's not due to Jason's modifications.

Setting selinux to permissive shows that sshd is also being denied 'open' and 'getaddr' access to /run/cockpit/active.motd, in addition to 'read'. These three are the only selinux messages sshd produces on my system.


If I can provide further info, or testing, please let me know.

Christopher
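As Comment 15 notes, a single AVC line only shows the first permission refused on the enforcing path; permissive mode reveals the full set (read, open, getattr) for the same sshd_t -> var_run_t access. The script below is an added example, not part of the bug report or of the selinux-policy project: it groups raw AVC records by process, source type, target type and class and prints the union of denied permissions, which is the shape a policy fix (or a triage ticket) actually needs. The three audit records are constructed, modelled on the ones quoted in this bug.

```shell
#!/bin/sh
# Added example: summarise AVC denials as "comm source_t target_t class: perms".
# The records below are constructed sample input, patterned on this bug.
AVC_SAMPLE='type=AVC msg=audit(1535776582.454:278): avc:  denied  { read } for  pid=1418 comm="sshd" name="active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535776582.455:279): avc:  denied  { open } for  pid=1418 comm="sshd" path="/run/cockpit/active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1535776582.455:280): avc:  denied  { getattr } for  pid=1418 comm="sshd" path="/run/cockpit/active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1'

# avc_summary: read AVC records on stdin (e.g. from "ausearch -m avc --raw"),
# print one sorted line per (comm, source type, target type, class) with the
# union of permissions seen in the "{ ... }" braces. Non-AVC records are skipped.
avc_summary() {
    awk '
    /type=AVC/ && /avc: *denied/ {
        # the denied permissions are the words between "{" and "}"
        match($0, /\{[^}]*\}/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        comm = ""; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { st = $i; sub(/^scontext=/, "", st); split(st, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { tt = $i; sub(/^tcontext=/, "", tt); split(tt, b, ":"); tt = b[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        key = comm " " st " " tt " " cls
        # merge this record'"'"'s permissions into the set already seen for the key
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END { for (k in seen) print k ": " seen[k] }' | sort
}

printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

Running it over the sample prints `sshd sshd_t var_run_t file: read open getattr`; the same pipeline over `ausearch -m avc --raw` output shows whether a relabel (restorecon after a new fcontext rule) has actually silenced all three permissions rather than only the first.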

Comment 16 Adam Williamson 2018-09-19 23:14:38 UTC
Still seeing this on current F29 also.

Comment 17 Adam Williamson 2018-09-19 23:15:14 UTC
time->Wed Sep 19 16:13:28 2018
type=AVC msg=audit(1537398808.024:204): avc:  denied  { read } for  pid=916 comm="sshd" name="active.motd" dev="tmpfs" ino=22367 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Comment 18 Adam Williamson 2018-09-19 23:15:30 UTC
That's with selinux-policy-targeted-3.14.2-34.fc29.noarch .

Comment 19 Daniel Walsh 2018-09-20 12:18:49 UTC
Looks like there is labeling for /var/run/cockpit-ws but not /var/run/cockpit.  Should add labeling for it also and then cause transitions to happen for this directory.

Comment 20 Lukas Vrabec 2018-09-20 12:21:53 UTC
Yeah, I created new update for this.

Comment 21 Stephen Gallagher 2018-09-20 12:42:00 UTC
Is this part of https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4ddac7543 ? That update is not marked as fixing this bug.

Comment 22 Fedora Update System 2018-09-23 18:59:19 UTC
selinux-policy-3.14.2-35.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4ddac7543

Comment 23 Fedora Update System 2018-10-05 16:01:36 UTC
selinux-policy-3.14.2-35.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
