Bug 358761 - SELinux is preventing /usr/sbin/sshd (sshd_t) "read" to <Unknown> (var_lib_t).
SELinux is preventing /usr/sbin/sshd (sshd_t) "read" to <Unknown> (var_lib_t).
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Josef Kubin
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-10-30 14:29 EDT by Duncan Innes
Modified: 2008-03-05 17:17 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-03-05 17:17:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Duncan Innes 2007-10-30 14:29:19 EDT
Description of problem:
I've installed freenx on a machine which is using ssh for connections.  Whenever
I try and make a connection to this machine via a NoMachine client, this error
comes up on the setroubleshoot browser.  All the relevant keys are in place
between the two machines.

I get the same error when trying to ssh onto the same machine using ssh keys
rather than logging in with a password.

I can ssh onto the machine using password authentication, but as soon as a key
is used for authentication, SELinux denies access.

Version-Release number of selected component (if applicable): 3.0.8-36.fc8

How reproducible: Every time

Steps to Reproduce:
1. ssh to the machine using key access
Actual results: SELinux denial

Expected results: Connection to establish using ssh keys

Additional info:
Comment 1 Duncan Innes 2007-10-30 15:01:36 EDT
I changed the booleans for SSH under SELinux Administration

* Allow ssh logins as sysadm_r:sysadm_t
* Allow ssh to run ssh-keysign

and now get an extra error:

SELinux is preventing /usr/sbin/sshd (sshd_t) "getattr" to
/var/lib/nxserver/home/.ssh/authorized_keys (var_lib_t).

This is when making an NXClient connection to the machine or ssh'ing to the
machine as the nx user (I think - I've only managed to replicate this part twice
Comment 2 Duncan Innes 2007-10-30 15:02:41 EDT
When I say I changed the booleans in SELinux Administration - they didn't have a
tick in the box and I selected them so they both have ticks in the box.
Comment 3 Daniel Walsh 2007-10-30 16:35:01 EDT
The easiest solution is just to modify the policy

grep ssh /var/log/audit/audit.log | audit2allow -M myssh
semodule -i myssh.pp

Should fix

A bettter long term solution would be to get a policy for freenix.
Comment 4 Josef Kubin 2008-01-16 08:40:30 EST
in updated fixed as of selinux-policy-3.0.8-77
feel free to use my packages, until they will be publicly available
Comment 5 Daniel Walsh 2008-03-05 17:17:13 EST
Bugs have been in modified for over one month.  Closing as fixed in current
release please reopen if the problem still persists.

Note You need to log in before you can comment on or make changes to this bug.