SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 34

selinux-policy-41.45-1.fc43.noarch

----
time->Mon Jul 14 03:57:25 2025
type=AVC msg=audit(1752465445.436:122): avc: denied { getattr } for pid=1214 comm="sshd-session" path="/var/lib/lastlog/lastlog2.db" dev="dm-0" ino=25169447 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Mon Jul 14 03:57:25 2025
type=AVC msg=audit(1752465445.436:123): avc: denied { read write } for pid=1214 comm="sshd-session" name="lastlog2.db" dev="dm-0" ino=25169447 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Mon Jul 14 03:57:25 2025
type=AVC msg=audit(1752465445.436:124): avc: denied { open } for pid=1214 comm="sshd-session" path="/var/lib/lastlog/lastlog2.db" dev="dm-0" ino=25169447 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Mon Jul 14 03:57:25 2025
type=AVC msg=audit(1752465445.436:125): avc: denied { lock } for pid=1214 comm="sshd-session" path="/var/lib/lastlog/lastlog2.db" dev="dm-0" ino=25169447 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Mon Jul 14 03:57:25 2025
type=AVC msg=audit(1752465445.436:126): avc: denied { create } for pid=1214 comm="sshd-session" name="lastlog2.db-journal" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Mon Jul 14 03:57:25 2025
type=AVC msg=audit(1752465445.436:127): avc: denied { setattr } for pid=1214 comm="sshd-session" name="lastlog2.db-journal" dev="dm-0" ino=25169446 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Mon Jul 14 03:57:25 2025
type=AVC msg=audit(1752465445.436:128): avc: denied { unlink } for pid=1214 comm="sshd-session" name="lastlog2.db-journal" dev="dm-0" ino=25169446 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1

Reproducible: Always

Steps to Reproduce:
1. It seems easily reproducible when booting a machine using recent Fedora Rawhide composes
Bruno, I am pretty sure the denials were not in place on Friday. Does your modify any default pam or ssh related configuration? And please provide:

$ rpm -qa util-linux* openssh liblastlog2
Seen on 1MT Fedora rawhide machine after doing "dnf update" and rebooting the machine:

----
type=PROCTITLE msg=audit(07/14/2025 04:30:45.942:127) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/14/2025 04:30:45.942:127) : item=0 name=/var/lib/lastlog/ inode=262583 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/14/2025 04:30:45.942:127) : cwd=/
type=SYSCALL msg=audit(07/14/2025 04:30:45.942:127) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d92f9eb104 a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=1 ppid=884 pid=918 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/14/2025 04:30:45.942:127) : avc: denied { create } for pid=918 comm=sshd-session name=lastlog2.db scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
The following journal message matches the previous SELinux denial:

Jul 14 04:30:45 local-vm-name sshd-session[918]: pam_lastlog2(sshd:session): Cannot create/open database (/var/lib/lastlog/lastlog2.db): unable to open database file
# rpm -qf /usr/lib/systemd/system/lastlog2-import.service
liblastlog2-2.41.1-10.fc43.x86_64
# rpm -qa --scripts | grep lastlog
/usr/bin/authselect select local with-silent-lastlog --force --nobackup &> /dev/null
### Enable after completing migration to lastlog2
# %post -n liblastlog2
/usr/lib/systemd/systemd-update-helper install-system-units lastlog2-import.service || :
# %postun -n liblastlog2
# rpm -qf /usr/lib64/security/pam_lastlog2.so
liblastlog2-2.41.1-10.fc43.x86_64
# strings /usr/lib64/security/pam_lastlog2.so | grep ^/
/dev/
/var/lib/lastlog/lastlog2.db
#
The same issue encountered in Vim test suite in rawhide https://artifacts.dev.testing-farm.io/f887599f-ac91-4249-bdba-b2c7eafb62cd/work-public178qz597/plans/public/execute/data/guest/default-0/Regression/bz1490927-vim-dumps-core-when-system-reboots-4/checks/avc.txt .
Just for the sake of completeness, here are SELinux denials caught in permissive mode:

----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.322:177) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.322:177) : item=0 name=/var/lib/lastlog/lastlog2.db inode=2120 dev=fd:02 mode=file,644 ouid=root ogid=gdm rdev=00:00 obj=system_u:object_r:xdm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.322:177) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.322:177) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x55bc96eb1c68 a2=0x7fff8b7f44e0 a3=0x100 items=1 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.322:177) : avc: denied { getattr } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db dev="vda2" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.322:178) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.322:178) : item=0 name=/var/lib/lastlog/lastlog2.db inode=2120 dev=fd:02 mode=file,644 ouid=root ogid=gdm rdev=00:00 obj=system_u:object_r:xdm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.322:178) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.322:178) : arch=x86_64 syscall=openat success=yes exit=8 a0=AT_FDCWD a1=0x55bc96eb1404 a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=1 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.322:178) : avc: denied { open } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db dev="vda2" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/16/2025 07:27:40.322:178) : avc: denied { read write } for pid=1635 comm=sshd-session name=lastlog2.db dev="vda2" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.323:179) : proctitle=sshd-session: root [priv]
type=SYSCALL msg=audit(07/16/2025 07:27:40.323:179) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x8 a1=F_SETLK a2=0x7fff8b7f55e0 a3=0x0 items=0 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.323:179) : avc: denied { lock } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db dev="vda2" ino=2120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.323:180) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.323:180) : item=1 name=/var/lib/lastlog/lastlog2.db-journal inode=2036 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(07/16/2025 07:27:40.323:180) : item=0 name=/var/lib/lastlog/ inode=1838 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.323:180) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.323:180) : arch=x86_64 syscall=openat success=yes exit=10 a0=AT_FDCWD a1=0x55bc96eb1422 a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=2 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.323:180) : avc: denied { read write open } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db-journal dev="vda2" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/16/2025 07:27:40.323:180) : avc: denied { create } for pid=1635 comm=sshd-session name=lastlog2.db-journal scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.323:181) : proctitle=sshd-session: root [priv]
type=SYSCALL msg=audit(07/16/2025 07:27:40.323:181) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xa a1=0x7fff8b7f5e00 a2=0x0 a3=0x1a4 items=0 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.323:181) : avc: denied { getattr } for pid=1635 comm=sshd-session path=/var/lib/lastlog/lastlog2.db-journal dev="vda2" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.323:182) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.323:182) : item=0 name=(null) inode=2036 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.323:182) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.323:182) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xa a1=0x0 a2=0x2a a3=0x1a4 items=1 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.323:182) : avc: denied { setattr } for pid=1635 comm=sshd-session name=lastlog2.db-journal dev="vda2" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/16/2025 07:27:40.332:183) : proctitle=sshd-session: root [priv]
type=PATH msg=audit(07/16/2025 07:27:40.332:183) : item=1 name=/var/lib/lastlog/lastlog2.db-journal inode=2036 dev=fd:02 mode=file,644 ouid=root ogid=gdm rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(07/16/2025 07:27:40.332:183) : item=0 name=/var/lib/lastlog/ inode=1838 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/16/2025 07:27:40.332:183) : cwd=/
type=SYSCALL msg=audit(07/16/2025 07:27:40.332:183) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x55bc96eb1422 a1=0x55bc96eb1422 a2=0x0 a3=0x0 items=2 ppid=937 pid=1635 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=sshd-session exe=/usr/libexec/openssh/sshd-session subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/16/2025 07:27:40.332:183) : avc: denied { unlink } for pid=1635 comm=sshd-session name=lastlog2.db-journal dev="vda2" ino=2036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----

Apparently, SELinux label of the lastlog2.db file depends on the first process which creates it:

# ls -dlZ /var/lib/lastlog/
drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0 4096 Jul 16 07:27 /var/lib/lastlog/
# ls -dlZ /var/lib/lastlog/lastlog2.db
-rw-r--r--. 1 root gdm system_u:object_r:xdm_var_lib_t:s0 12288 Jul 16 07:27 /var/lib/lastlog/lastlog2.db
# restorecon -Rv /var/lib/
Relabeled /var/lib/lastlog/lastlog2.db from system_u:object_r:xdm_var_lib_t:s0 to system_u:object_r:var_lib_t:s0
#
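
The AVC records quoted in this report can be condensed to show which permissions were denied per source/target type pair, and to surface the labeling inconsistency noted in the comment above (the same file seen under two target types). This is an added example, not part of the original comments or of any Fedora tooling; the function names are hypothetical and the sample records are abridged from the denials on this page.

```python
import re
from collections import defaultdict

# Sample input: AVC records abridged from the denials quoted in this report
# (raw and "ausearch -i" styles; pid, dev and ino fields dropped).
SAMPLE = """\
type=AVC msg=audit(1752465445.436:122): avc: denied { getattr } for comm="sshd-session" path="/var/lib/lastlog/lastlog2.db" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/14/2025 04:30:45.942:127) : avc: denied { create } for comm=sshd-session name=lastlog2.db scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/16/2025 07:27:40.322:178) : avc: denied { read write } for comm=sshd-session name=lastlog2.db scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/16/2025 07:27:40.323:179) : avc: denied { lock } for comm=sshd-session path=/var/lib/lastlog/lastlog2.db scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    obj = f.get("path") or f.get("name", "")
    return {
        "perms": set(m.group("perms").split()),
        "source": f["scontext"].split(":")[2],   # type is the third field
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "object": obj.rsplit("/", 1)[-1],        # compare by file name
    }


def summarize(text):
    """Group denied permissions per (source, target, class); map objects to labels."""
    rules, labels = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
        labels[rec["object"]].add(rec["target"])
    # An object seen under more than one target type was labeled inconsistently.
    mixed = {obj: types for obj, types in labels.items() if len(types) > 1}
    return dict(rules), mixed


if __name__ == "__main__":
    rules, mixed = summarize(SAMPLE)
    for (src, tgt, cls), perms in sorted(rules.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    for obj, types in mixed.items():
        print(f"inconsistent label for {obj}: {sorted(types)}")
```
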
*** Bug 2381604 has been marked as a duplicate of this bug. ***
*** Bug 2382114 has been marked as a duplicate of this bug. ***
*** Bug 2382125 has been marked as a duplicate of this bug. ***
*** Bug 2382390 has been marked as a duplicate of this bug. ***
*** Bug 2382553 has been marked as a duplicate of this bug. ***
*** Bug 2381605 has been marked as a duplicate of this bug. ***