Description of problem:
After upgrading to selinux-policy v3.14.6-7.fc33 (current Rawhide package) I am unable to login to the system over SSH when in enforcing mode using the targeted policy. The failure can be seen as a broken pipe (snippet below).

# ssh localhost
root@localhost's password:
client_loop: send disconnect: Broken pipe

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-7.fc33.noarch

How reproducible:
Every time

Steps to Reproduce:
1. setenforce 1
2. ssh localhost
Hi Paul, With the same policy version ssh works for me, either for user root or non-root. Do you use confined users? Is there anything else special in your settings? Are there avc/user_avc/selinux_err denials logged?
Hi Zdenek,

I can't believe I forgot to include the AVCs; I'm sorry about that! Here is a quick reproducer from my test system; this is a current Fedora Rawhide system if it helps better understand the bug.

# ausearch -m AVC -i
<no matches>
# ssh root@localhost -- id -Z
root@localhost's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ausearch -m AVC -i
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
# setenforce 1
# ssh root@localhost -- id -Z
root@localhost's password:
client_loop: send disconnect: Broken pipe
# ausearch -m AVC -i
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:59.935:220) : avc: denied { create } for pid=991 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
Hi Paul! I expected a PR as well, not only a Bugzilla ticket. Just kidding :P We want to look at it. @Jakub Are there any changes in the sshd component in Rawhide? Thanks, Lukas.
We also have a similar one for cockpit: https://bugzilla.redhat.com/show_bug.cgi?id=1812901 With today's full Rawhide update I also see the same error; I suspect some library. Investigating further.
Paul, could you please try to downgrade pam? The latest pam started using selinux_check_access() instead of security_compute_av(). selinux_check_access() calls (void) avc_netlink_check_nb(); which matches the "netlink" substring in the tclass.
Ok, it's related to https://bugzilla.redhat.com/show_bug.cgi?id=1680961 and to the change I described in comment 5. The following rule should fix it:

allow login_pgm self:netlink_selinux_socket manage_socket_perms;

CIL version:

# cat > pamnetlink.cil <<EOF
(allow login_pgm self (netlink_selinux_socket (create bind)))
EOF
# semodule -i pamnetlink.cil
allow login_pgm self:netlink_selinux_socket create_socket_perms;

Sorry.
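The workaround above is derived by hand from the AVC records quoted earlier in this bug. As an added example (not code from this bug, from the selinux-policy package or from pam), the following POSIX shell/awk helper does the same derivation mechanically: it reads raw `ausearch -i` style AVC lines, groups denied permissions by (source type, target type, class), and prints one CIL allow rule per group, collapsing the target to `self` when source and target types are equal. The function name `avc_to_cil` and the sample input are assumptions; the sample is constructed to match the two denials reported in permissive mode.

```shell
#!/bin/sh
# Added example: turn AVC denials into a minimal CIL allow rule.
# Constructed sample input modelled on the two permissive-mode denials
# quoted in this bug (create + bind on netlink_selinux_socket by sshd_t).
AVC_SAMPLE='type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1'

# avc_to_cil: read AVC lines on stdin, print one CIL allow statement per
# (source type, target type, class) triple with the union of denied perms.
# Hypothetical helper name; the output format is standard CIL.
avc_to_cil() {
    awk '
    /avc: +denied/ {
        # Denied permissions sit between "{" and "}".
        perms = $0
        sub(/.*denied [{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # Context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (st == "" || tt == "" || cls == "") next
        key = st SUBSEP tt SUBSEP cls
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            # Deduplicate perms per triple, keeping first-seen order.
            if ((key, p[j]) in seen) continue
            seen[key, p[j]] = 1
            plist[key] = (plist[key] == "") ? p[j] : plist[key] " " p[j]
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            split(keys[k], f, SUBSEP)
            tgt = (f[1] == f[2]) ? "self" : f[2]
            printf "(allow %s %s (%s (%s)))\n", f[1], tgt, f[3], plist[keys[k]]
        }
    }'
}

# Stand-alone usage: prints
# (allow sshd_t self (netlink_selinux_socket (create bind)))
printf '%s\n' "$AVC_SAMPLE" | avc_to_cil
```

Two caveats follow directly from the records in this bug. First, in enforcing mode only the `create` denial is logged, because sshd never reaches `bind` once `create` fails; collecting the AVCs in permissive mode, as the reporter did, is what yields the complete `(create bind)` set. Second, the generated rule names the concrete type `sshd_t`, whereas the fix discussed here grants the permission to the `login_pgm` attribute, which covers every PAM-using login program (the cockpit duplicate shows why the attribute, not a single type, is the right scope).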
*** Bug 1812901 has been marked as a duplicate of this bug. ***
FYI the fix is going to be available soon - https://src.fedoraproject.org/rpms/selinux-policy/pull-request/54
A build for Fedora Rawhide is available: https://koji.fedoraproject.org/koji/taskinfo?taskID=42445203
I confirm selinux-policy-3.14.6-8.fc33 fixes it.
I can also confirm that selinux-policy-3.14.6-8.fc33 fixed the SSH login problem - thanks everyone!
*** Bug 1813388 has been marked as a duplicate of this bug. ***
pam-1.3.1-24.fc32 and selinux-policy-3.14.5-30.fc32 have been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd
FEDORA-2020-d0986e01cd has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd
This problem affects fc31 with selinux-policy-3.14.4-50.fc31.noarch. This version was installed from the fc31 updates-testing repo.
FEDORA-2020-d0986e01cd has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.