Description of problem:
I updated to Cockpit 169 which added support for setting an /etc/motd.d/cockpit file that informs users about the admin console. When logging in, I received an SELinux denial disallowing SSHD from accessing "active.motd".

SELinux is preventing sshd from 'read' accesses on the file active.motd.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that sshd should be allowed read access on the active.motd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                active.motd [ file ]
Source                        sshd
Source Path                   sshd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-25.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.11-300.fc28.x86_64 #1 SMP Tue May 22 18:29:09 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2018-05-30 08:20:40 EDT
Last Seen                     2018-05-30 08:23:25 EDT
Local ID                      bbf2455c-f5c5-4002-9359-524692b6e716

Raw Audit Messages
type=AVC msg=audit(1527683005.630:732): avc:  denied  { read } for  pid=16693 comm="sshd" name="active.motd" dev="tmpfs" ino=136336 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Hash: sshd,sshd_t,var_run_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.1-25.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.11-300.fc28.x86_64
type:           libreport
Hi cockpit folks,

How are you moving the cockpit file? The SELinux context should be etc_t, not var_run_t. Could somebody look at it?

Thanks,
Lukas.
/etc/motd.d/cockpit is a symlink to /run/cockpit/motd. The content is generated dynamically by cockpit.socket and systemd-tmpfiles, depending on whether cockpit is enabled or disabled. So I believe run_t is correct.
Forgot to reassign back.
Lukas, can we get an update here? The Cockpit and OpenSSH bits to enable this are headed to stable soon in F28 and it would be nice if SELinux wasn't blocking it.
Hi Stephen,

if you label /run/cockpit/motd as etc_t, is it working?

# semanage fcontext -a -t etc_t /var/run/cockpit/motd
# restorecon -Rv /var/run/cockpit/motd

Thanks,
Lukas.
I tested by doing `sudo chcon -t etc_t /run/cockpit/motd` rather than semanage (because if it didn't work, I don't like to diverge from standard). This worked just fine and I got no denial when SSHing in.
Sure, it's up to you whether you use chcon or semanage (in semanage you can use -d to remove it ;)).

I will add a label for /var/run/cockpit/motd.
----
type=PROCTITLE msg=audit(07/13/2018 08:56:55.622:200) : proctitle=sshd: root [priv]
type=PATH msg=audit(07/13/2018 08:56:55.622:200) : item=0 name=cockpit inode=22178 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/13/2018 08:56:55.622:200) : cwd=/
type=SYSCALL msg=audit(07/13/2018 08:56:55.622:200) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0x6 a1=0x563ec7e42bf3 a2=O_RDONLY a3=0x0 items=1 ppid=759 pid=1154 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/13/2018 08:56:55.622:200) : avc:  denied  { read } for  pid=1154 comm=sshd name=active.motd dev="tmpfs" ino=22178 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
----

# find /run/ -inum 22178
/run/cockpit/active.motd
# ls -l /run/cockpit/
total 4
-rw-r--r--. 1 root root 71 Jul 13 09:02 active.motd
lrwxrwxrwx. 1 root root 37 Jul 13 09:02 motd -> /usr/share/cockpit/motd/inactive.motd
# matchpathcon /run/cockpit/active.motd
/run/cockpit/active.motd	system_u:object_r:var_run_t:s0
# matchpathcon /run/cockpit/motd
/run/cockpit/motd	system_u:object_r:var_run_t:s0
#

What about assigning a better label to the /run/cockpit/ directory and to everything inside it?
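To make the catchall plugin's suggestion concrete, here is an added Python script (not code from setroubleshoot, audit2allow, selinux-policy or Cockpit) that parses the raw AVC records quoted in this report, merges the denied permissions per (source type, target type, object class), prints the allow rule audit2allow would generate from them, and flags rules whose target type is a generic one such as var_run_t. The two permissive=1 getattr/open records are constructed to mirror what a later comment reports seeing in permissive mode, and the GENERIC_TYPES list is this example's own assumption, not taken from any policy source.

```python
"""Parse raw SELinux AVC records and show what the catchall fix would grant.

Added example for this bug report; not code from setroubleshoot, audit2allow,
selinux-policy or Cockpit. It reads audit lines, merges denied permissions per
(source type, target type, object class), prints the allow rule audit2allow
would emit for them, and flags target types that are generic (an assumption
of this example: the GENERIC_TYPES list is not from any policy source).
"""
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this report (one raw, one
# in ausearch -i format), a non-AVC record that must be skipped, and two
# constructed permissive=1 records for getattr/open on the same file.
SAMPLE_LOG = """\
type=AVC msg=audit(1527683005.630:732): avc:  denied  { read } for  pid=16693 comm="sshd" name="active.motd" dev="tmpfs" ino=136336 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=CWD msg=audit(07/13/2018 08:56:55.622:200) : cwd=/
type=AVC msg=audit(07/13/2018 08:56:55.622:200) : avc:  denied  { read } for  pid=1154 comm=sshd name=active.motd dev="tmpfs" ino=22178 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535776582.454:279): avc:  denied  { getattr } for  pid=1418 comm="sshd" path="/run/cockpit/active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1535776582.454:280): avc:  denied  { open } for  pid=1418 comm="sshd" path="/run/cockpit/active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: types shared by many unrelated files, so an
# allow rule against them grants far more than the one file that was denied.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "etc_t",
                 "tmp_t", "usr_t", "default_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type field of user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "pid": int(fields["pid"]),
        "comm": fields.get("comm"),
        "name": fields.get("name") or fields.get("path"),
        "scontext_type": context_type(fields["scontext"]),
        "tcontext_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(lines):
    """Merge denied permissions per (source type, target type, class)."""
    summary = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        if rec["decision"] == "denied":
            summary[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rule(stype, ttype, tclass, perms):
    """Format one allow rule the way audit2allow prints it."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def triage(lines):
    """Each rule plus a verdict: a generic target type points to a labeling bug."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        out.append({"rule": allow_rule(stype, ttype, tclass, perms),
                    "broad": ttype in GENERIC_TYPES})
    return out


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG.splitlines()):
        verdict = ("BROAD: generic target type, fix the file context instead"
                   if item["broad"] else "scoped")
        print(f"{item['rule']}    # {verdict}")
```

For the records in this report the script prints `allow sshd_t var_run_t:file { getattr open read };` and marks it broad: installing that module would let sshd_t read every var_run_t file on the system, not just /run/cockpit/active.motd, which is why a labeling fix for /run/cockpit is the better answer than the catchall module.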
I'm afraid I'm not following. Was "chcon -t etc_t /run/cockpit/motd" (or the equivalent semanage) for testing, or a proposal for production? It sounds odd to me to label a file in /run with "etc_t". So is that something which we need to fix in Cockpit at file creation, or in the SELinux policy? Thanks!
Description of problem:
I ssh'ed to my workstation

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.5-200.fc28.x86_64
type:           libreport
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Hello,

I wanted to say that this is still present in: selinux-policy-3.14.1-40.fc28.noarch. I am mentioning this here because the update system requested any further instances of this issue should be posted here.

I should also mention that I run SSH over a non-standard port for security reasons, and selinux has been updated to take that into account. This is the only message about SSH that SELinux is still complaining about regularly.

Please let me know if I should open a separate bug report, or if this one needs to be re-opened.

I am pulling this message from Cockpit, using the cockpit-selinux add-on in Fedora 28:

type=AVC msg=audit(1535776582.454:278): avc:  denied  { read } for  pid=1418 comm="sshd" name="active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

SELinux is preventing sshd from read access on the file active.motd.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that sshd should be allowed read access on the active.motd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                active.motd [ file ]
Source                        sshd
Source Path                   sshd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-40.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     mediasrv.micronnet.net
Platform                      Linux mediasrv.micronnet.net 4.17.19-200.fc28.x86_64 #1 SMP Fri Aug 24 15:47:41 UTC 2018 x86_64 x86_64
Alert Count                   10
First Seen                    2018-08-31 20:24:29 CDT
Last Seen                     2018-08-31 23:36:22 CDT
Local ID                      b45d0b3d-2c4b-46ef-9b6b-85bfc72353e9

Raw Audit Messages
type=AVC msg=audit(1535776582.454:278): avc:  denied  { read } for  pid=1418 comm="sshd" name="active.motd" dev="tmpfs" ino=26865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Hash: sshd,sshd_t,var_run_t,file,read
Hi, this issue is also present in selinux-policy-3.14.1-42.fc28.

I also had this issue in 3.14.1-40 (just didn't get around to reporting it) and I'm running SSHD on the standard port 22, with no modifications to selinux, so it's not due to Jason's modifications.

Setting selinux to permissive shows that sshd is also being denied 'open' and 'getattr' access to /run/cockpit/active.motd, in addition to 'read'. These three are the only selinux messages sshd produces on my system.

If I can provide further info, or testing, please let me know.

Christopher
Still seeing this on current F29 also.
time->Wed Sep 19 16:13:28 2018 type=AVC msg=audit(1537398808.024:204): avc: denied { read } for pid=916 comm="sshd" name="active.motd" dev="tmpfs" ino=22367 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
That's with selinux-policy-targeted-3.14.2-34.fc29.noarch .
Looks like there is labeling for /var/run/cockpit-ws but not /var/run/cockpit. Should add labeling for it also and then cause transitions to happen for this directory.
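The gap described in the comment above (a spec for /var/run/cockpit-ws but none for /var/run/cockpit, so everything under it inherits the generic var_run_t) can be modelled offline. The following added Python script is not code from libselinux or selinux-policy; it is a simplified model of the selabel_file lookup in which the path is first rewritten through a subs_dist-style prefix table (assumed here: /run to /var/run), then the last spec whose regex matches the whole path wins, so an appended, more specific spec (what `semanage fcontext -a` adds) overrides the generic one. The spec list, the cockpit-ws entry and the cockpit_var_run_t type are constructed for this example and stand in for whatever the real policy ships.

```python
"""Model file_contexts lookup to show why /run/cockpit/* gets var_run_t.

Added example for this bug report; not code from libselinux or selinux-policy.
Simplified model of the selabel_file lookup: substitute a path prefix the way
file_contexts.subs_dist does, then take the last spec whose regex matches the
whole path. The spec list, the cockpit-ws entry and the cockpit_var_run_t type
are constructed for this example.
"""
import re

# Constructed stand-in for file_contexts.subs_dist: (prefix, replacement).
SUBS = [("/run", "/var/run")]

# Constructed file_contexts excerpt, most generic first. Only cockpit-ws has
# a dedicated entry, so anything under /var/run/cockpit falls to var_run_t.
BASE_SPECS = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/var/run(/.*)?", "system_u:object_r:var_run_t:s0"),
    (r"/var/run/cockpit-ws(/.*)?", "system_u:object_r:cockpit_var_run_t:s0"),  # assumed
]


def substitute(path):
    """Rewrite a path prefix the way file_contexts.subs_dist does."""
    for prefix, repl in SUBS:
        if path == prefix or path.startswith(prefix + "/"):
            return repl + path[len(prefix):]
    return path


def match_context(path, specs):
    """Return the context of the last spec whose regex matches the full path."""
    p = substitute(path)
    ctx = None
    for regex, context in specs:
        if re.fullmatch(regex, p):
            ctx = context
    return ctx


def type_of(ctx):
    """Type field of a user:role:type:range context."""
    return ctx.split(":")[2]


def add_local_spec(specs, regex, context):
    """Local customizations are appended, so they take precedence."""
    return specs + [(regex, context)]


def uncovered(paths, specs, generic=("var_run_t", "default_t")):
    """Paths that resolve only to a generic type: candidates for a new spec."""
    return [p for p in paths if type_of(match_context(p, specs)) in generic]


if __name__ == "__main__":
    paths = ["/run/cockpit", "/run/cockpit/active.motd",
             "/run/cockpit/motd", "/run/cockpit-ws/foo"]
    print("uncovered before:", uncovered(paths, BASE_SPECS))
    fixed = add_local_spec(BASE_SPECS, r"/var/run/cockpit(/.*)?",
                           "system_u:object_r:cockpit_var_run_t:s0")
    print("uncovered after: ", uncovered(paths, fixed))
    for p in paths:
        print(p, type_of(match_context(p, fixed)))
```

On a real system the equivalent of `add_local_spec` is `semanage fcontext -a -t <type> '/var/run/cockpit(/.*)?'` followed by `restorecon -Rv /run/cockpit`; a `chcon` as used for the test earlier in this thread only lasts until the next relabel. A spec also only describes what an existing file should be relabeled to: files created later under /run/cockpit get the new type only if their creator applies it (systemd-tmpfiles does, from the file-context database) or the policy adds a type transition for that directory, which is the second half of the comment above.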
Yeah, I created new update for this.
Is this part of https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4ddac7543 ? That update is not marked as fixing this bug.
selinux-policy-3.14.2-35.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4ddac7543
selinux-policy-3.14.2-35.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.