Bug 222333 - lspp: error message and avc when starting sshd
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2007-01-11 13:43 EST by Linda Knippers
Modified: 2007-11-30 17:07 EST

Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-07 21:14:42 EST


Description Linda Knippers 2007-01-11 13:43:21 EST
Description of problem:
When I boot a rhel5rcs6 ia64 box (don't think it's related to ia64)
with the MLS policy in enforcing mode, I get an error message from
the sshd init script and a couple of avcs.

Version-Release number of selected component (if applicable):
rhel5 snapshot 6
also running the latest policy and tools from Dan's RHEL5 selinux
repo.  Also running the lspp.62 kernel.  However, this was also
seen running the stock snapshot 6 build with the MLS policy.

How reproducible:
very

Steps to Reproduce:
1. boot the system with the mls policy in enforcing mode

Actual results:
cp: cannot remove `/var/empty/sshd/etc/localtime': Permission denied
Starting sshd: [  OK  ]

Expected results:
No error

Additional info:

[root@cert-i4 init.d]# ls -ldZ !$
ls -ldZ /var/empty/sshd/etc
drwxr-xr-x  root root system_u:object_r:var_t:SystemLow /var/empty/sshd/etc

type=AVC msg=audit(1168539643.649:351): avc:  denied  { write } for  pid=1749
comm="cp" name="localtime" dev=dm-0 ino=1671338
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1168539643.649:351): arch=c0000032 syscall=1028
success=no exit=-13 a0=6000000000011d70 a1=201 a2=0 a3=0 items=0 ppid=1741
pid=1749 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="cp" exe="/bin/cp"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168539643.649:352): avc:  denied  { remove_name } for 
pid=1749 comm="cp" name="localtime" dev=dm-0 ino=1671338
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1168539643.649:352): arch=c0000032 syscall=1032
success=no exit=-13 a0=6000000000011d70 a1=201 a2=81a4 a3=c000000000000a99
items=0 ppid=1741 pid=1749 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="cp" exe="/bin/cp"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)

audit2allow says this but I wonder if it's really an MLS issue rather
than a TE issue.
allow initrc_t var_t:dir remove_name;
allow initrc_t var_t:file write;
Comment 3 Daniel Walsh 2007-01-11 15:24:28 EST
Fixed in selinux-policy-2.4.6-25
Comment 4 Jay Turner 2007-01-12 08:32:20 EST
QE ack for RHEL5.
Comment 5 Linda Knippers 2007-02-03 22:48:47 EST
I'm running the Jan 31 rc and I'm seeing this problem again, only now I'm
getting additional error messages from the sshd start script.  It's
got selinux-policy-mls-2.4.6-30.el5 so shouldn't it have the fixes?


Generating SSH1 RSA host key: chmod: changing permissions of
`/etc/ssh/ssh_host_key': Permission denied
chmod: changing permissions of `/etc/ssh/ssh_host_key.pub': Permission denied
[  OK  ]
Generating SSH2 RSA host key: chmod: changing permissions of
`/etc/ssh/ssh_host_rsa_key': Permission denied
chmod: changing permissions of `/etc/ssh/ssh_host_rsa_key.pub': Permission denied
[  OK  ]
Generating SSH2 DSA host key: chmod: changing permissions of
`/etc/ssh/ssh_host_dsa_key': Permission denied
chmod: changing permissions of `/etc/ssh/ssh_host_dsa_key.pub': Permission denied
[  OK  ]
cp: cannot create regular file `/var/empty/sshd/etc/localtime': Permission denied
Starting sshd: [  OK  ]


AVCs:
type=AVC msg=audit(1170559562.079:279): avc:  denied  { setattr } for  pid=1715
comm="chmod" name="ssh_host_key" dev=dm-0 ino=2196745
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.079:279): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=180 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1715 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.080:280): avc:  denied  { setattr } for  pid=1716
comm="chmod" name="ssh_host_key.pub" dev=dm-0 ino=2196746
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.080:280): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=1a4 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.628:281): avc:  denied  { setattr } for  pid=1720
comm="chmod" name="ssh_host_rsa_key" dev=dm-0 ino=2196747
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.628:281): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=180 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.629:282): avc:  denied  { setattr } for  pid=1721
comm="chmod" name="ssh_host_rsa_key.pub" dev=dm-0 ino=2196748
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.629:282): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=1a4 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1721 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.909:283): avc:  denied  { setattr } for  pid=1724
comm="chmod" name="ssh_host_dsa_key" dev=dm-0 ino=2196750
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.909:283): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=180 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1724 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559562.910:284): avc:  denied  { setattr } for  pid=1725
comm="chmod" name="ssh_host_dsa_key.pub" dev=dm-0 ino=2196752
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1170559562.910:284): arch=c0000032 syscall=1038
success=no exit=-13 a0=60000000000050b0 a1=1a4 a2=12 a3=60000000000062d0 items=0
ppid=1706 pid=1725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="chmod" exe="/bin/chmod"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559563.046:285): avc:  granted  { setfscreate } for 
pid=1727 comm="cp" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1170559563.046:285): arch=c0000032 syscall=1027
success=yes exit=30 a0=3 a1=6000000000011da0 a2=1e a3=c00000000000038b items=0
ppid=1706 pid=1727 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="cp" exe="/bin/cp"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1170559563.047:286): avc:  denied  { create } for  pid=1727
comm="cp" name="localtime" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1170559563.047:286): arch=c0000032 syscall=1028
success=no exit=-13 a0=6000000000011d70 a1=41 a2=81a4 a3=0 items=0 ppid=1706
pid=1727 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="cp" exe="/bin/cp"
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
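The two sets of AVC records in this report (the `cp` denials in the description and the `chmod`/`cp` denials in comment 5) are the raw material that audit2allow folds into the `allow initrc_t var_t:dir remove_name;` style rules quoted above. The following is an added example, not code from the bug report or from audit2allow itself: a small parser that reads `type=AVC` lines, drops `granted` records, merges permissions per (source type, target type, class), and emits the equivalent TE allow rules. It also includes a first-pass screen for the MLS-versus-TE question raised in the description: it compares the target's sensitivity with the subject's range (categories are ignored, which is a simplification of the real MLS constraints). The sample lines are constructed from the records quoted in this report, trimmed to the fields the parser reads.

```python
"""audit2allow-style reduction of SELinux AVC records (added example)."""
import re
from collections import OrderedDict

# Constructed sample: denials quoted in the report plus the one granted record.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1168539643.649:351): avc:  denied  { write } for  pid=1749 comm="cp" name="localtime" dev=dm-0 ino=1671338 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file',
    'type=AVC msg=audit(1168539643.649:352): avc:  denied  { remove_name } for  pid=1749 comm="cp" name="localtime" dev=dm-0 ino=1671338 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'type=AVC msg=audit(1170559562.079:279): avc:  denied  { setattr } for  pid=1715 comm="chmod" name="ssh_host_key" dev=dm-0 ino=2196745 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file',
    'type=AVC msg=audit(1170559562.080:280): avc:  denied  { setattr } for  pid=1716 comm="chmod" name="ssh_host_key.pub" dev=dm-0 ino=2196746 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file',
    'type=AVC msg=audit(1170559563.046:285): avc:  granted  { setfscreate } for  pid=1727 comm="cp" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process',
    'type=AVC msg=audit(1170559563.047:286): avc:  denied  { create } for  pid=1727 comm="cp" name="localtime" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file',
]

# decision, permission set, and the three context fields an allow rule needs
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type. Split from the left: the MLS level
    itself contains ':' (e.g. s0-s15:c0.c1023)."""
    return ctx.split(":", 3)[2]


def context_level(ctx):
    """user:role:type[:level] -> level string, or None on a non-MLS context."""
    parts = ctx.split(":", 3)
    return parts[3] if len(parts) > 3 else None


def _sensitivity_bounds(level):
    """'s0-s15:c0.c1023' -> (0, 15); 's0' -> (0, 0). Categories are dropped."""
    nums = [int(part.split(":", 1)[0][1:]) for part in level.split("-", 1)]
    return nums[0], nums[-1]


def mls_sensitivity_in_range(subject_level, target_level):
    """First-pass screen: is the target's sensitivity inside the subject's
    range? If not, an MLS constraint (not a missing TE rule) is the likely
    cause of the denial. Ignores categories and per-class MLS constraints."""
    lo, hi = _sensitivity_bounds(subject_level)
    tlo, thi = _sensitivity_bounds(target_level)
    return lo <= tlo and thi <= hi


def denials_to_rules(lines):
    """Fold denied records into TE allow rules, one per (source, target, class),
    keeping first-seen order like audit2allow's output."""
    merged = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        perms = merged.setdefault(key, [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AVC_LINES):
        print(rule)
    rec = parse_avc(SAMPLE_AVC_LINES[0])
    print("target sensitivity within subject range:",
          mls_sensitivity_in_range(context_level(rec["scontext"]), context_level(rec["tcontext"])))
```

On the records in this report the subject range `s0-s15:c0.c1023` covers the target level `s0`, so the screen points at a missing TE rule rather than an MLS constraint, which is consistent with the audit2allow output quoted in the description and with the fix landing in selinux-policy rather than in the MLS configuration.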
Comment 6 Daniel Walsh 2007-02-05 16:45:01 EST
Fixed in selinux-policy-2.4.6-36
Comment 7 RHEL Product and Program Management 2007-02-07 21:14:42 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
