Bug 364971 - /usr/sbin/sshd: Permission denied
/usr/sbin/sshd: Permission denied
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
x86_64 Linux
low Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
: Reopened
: 367191 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2007-11-02 21:52 EDT by John Poelstra
Modified: 2008-01-30 14:06 EST (History)
4 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:06:25 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description John Poelstra 2007-11-02 21:52:34 EDT
Description of problem:

Install F8 x86_64 RC5 to hardisk from USB key.  Reboot box and try to enable sshd

(1007)[root@localhost:~]# setenforce 1
(1008)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
(1009)[root@localhost:~]# rpm -qa | grep selinux
(1010)[root@localhost:~]# setenforce 0
(1011)[root@localhost:~]# service sshd start
Starting sshd:                                             [  OK  ]

type=SELINUX_ERR msg=audit(1194053949.966:55): security_compute_sid:  invalid
context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for
tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194053949.966:55): arch=c000003e syscall=59 success=yes
exit=0 a0=6fdb80 a1=6ff080 a2=6da5f0 a3=0 items=0 ppid=3497 pid=3506 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sshd"
exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

This error is not picked up by setroubleshoot.
Comment 1 John Poelstra 2007-11-04 22:03:11 EST
Re-ran entire scenario and reproduced the problem again.

This time I was very careful to do nothing except try to start sshd after install.

Steps to reproduce:

1) boot x86_64 live image from USB key on desktop box
2) double-click desktop icon to install to harddisk
3) complete installation
4) reboot computer
5) answer firstboot questions accepting all defaults (except I turned the
firewall off).
6) create new user
7) login as new user
8) su -
9) # service sshd start
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
From /var/log/audit/audit.log
type=SELINUX_ERR msg=audit(1194228419.395:22): security_compute_sid:  invalid
context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for
tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194228419.395:22): arch=c000003e syscall=59 success=no
exit=-13 a0=6fdb80 a1=6fed70 a2=6da5f0 a3=0 items=0 ppid=2653 pid=2674 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="sshd"
exe="/bin/bash" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Nothing in /var/log/messages

# rpm -qa | grep ssh
Comment 2 Daniel Walsh 2007-11-05 11:41:15 EST
semanage user -l | grep unconfined_u
Comment 3 Daniel Walsh 2007-11-05 11:42:00 EST
semanage user -m -R "unconfined_r system_r" unconfined_u 

Should fix, but this is what was supposed to be there.
Comment 4 John Poelstra 2007-11-05 13:37:37 EST
doesn't fix the problem

$ su -
(1060)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
(1061)[root@localhost:~]# semanage user -l | grep unconfined_u
unconfined_u    unconfined s0         s0                             system_r
(1062)[root@localhost:~]# semanage user -m -R "unconfined_r system_r" unconfined_u
(1063)[root@localhost:~]# service sshd start
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied
Comment 5 Daniel Walsh 2007-11-05 15:31:16 EST
I was wrong 

# semanage user -m -r s0-s0:c0.c1023 unconfined_u
Log out 
Log back in.
Should now work.  This change will be in first update to F8

fixed in selinux-policy-3.0.8-45
Comment 6 Tomas Mraz 2007-11-05 18:39:46 EST
*** Bug 367191 has been marked as a duplicate of this bug. ***
Comment 7 Mike A. Harris 2007-11-09 03:14:32 EST
Any ETA on when the selinux-policy with this fix will be released?  I don't need
it, but a lot of others are asking about it so I thought I'd ask.

Comment 8 Daniel Walsh 2007-11-12 09:42:15 EST
selinux-policy-3.0.8-47 has been pushed to stable release.
Comment 9 Mike A. Harris 2007-11-12 10:27:46 EST
Confirmed to solve the problem.  Thanks.
Comment 10 Need Real Name 2007-11-14 20:04:00 EST
I have updated to selinux-policy-3.0.8-47.fc8 and when I run "service sshd
start" under enforcing, I still get the error:

Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied

The syslog shows:
setroubleshoot: #012    SELinux is preventing the /usr/sbin/sshd (sshd_t) from
binding to port 9445.#012     For complete SELinux messages. run sealert -l

sealert shows: 
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Affected RPM Packages         openssh-server-4.7p1-2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.inetd_bind_ports
Host Name                     xxxx.yyyy
Platform                      Linux xxxx.yyyy #1 SMP Tue
                              Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed Nov 14 19:31:15 2007
Last Seen                     Wed Nov 14 19:31:15 2007
Local ID                      ee4a216c-a935-4f86-8f70-6c71ab915896
Line Numbers

Raw Audit Messages

avc: denied { name_bind } for comm=sshd egid=501 euid=501 exe=/usr/sbin/sshd
exit=0 fsgid=501 fsuid=501 gid=501 items=0 pid=3921
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=501 src=9445
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=501 tclass=tcp_socket
tcontext=system_u:object_r:port_t:s0 tty=(none) uid=501
Comment 11 Need Real Name 2007-11-14 20:12:03 EST
oops... I just realized that the syslog and sealert that I gave in the previous
message were from BEFORE upgrading the selinux policy.

However, I *still* get the same error when trying to restart 'sshd' though I no
longer get any syslog selinux messages. However, when I set selinux to
permissive, everything works, so this is still an selinux problem, I think.
Comment 12 Daniel Walsh 2007-11-15 08:59:26 EST
Why is sshd trying to bind to port 9445?

Could you attach the output of 

# semanage user -l
# semanage login -l
Comment 13 Mike A. Harris 2007-11-16 16:37:59 EST
sshd works fine for me and a number of other on x86_64 after the update.

AFAICS, the bug is fixed.  Anyone having problems still is probably experiencing
some other bug FWIW.

Comment 14 Christopher Stone 2007-12-10 14:55:50 EST
Hi, I just upgraded from F-7 to F-8 and I am experiencing problems similar to
this bug.

# rpm -q selinux-policy-targeted
^^ using latest version

# service xinetd start
Starting xinetd: /bin/bash: /usr/sbin/xinetd: Permission denied
Dec 10 11:53:36 localhost kernel: audit(1197316416.341:10):
security_compute_sid:  invalid context user_u:system_r:inetd_t:s0-s0:c0.c1023
for scontext=user_u:system_r:initrc_t:s0
tcontext=system_u:object_r:inetd_exec_t:s0 tclass=process

I also get problems with sshd after reading this bug I tried it and got:
Dec 10 11:45:34 localhost kernel: audit(1197315934.073:8): security_compute_sid:
 invalid context user_u:system_r:sshd_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0
Comment 15 Daniel Walsh 2007-12-10 16:15:05 EST

# semanage login -m -s unconfined_u __default__

Log all the way out, log back in and see if you can start the process.
Comment 16 Christopher Stone 2007-12-10 16:57:49 EST
# semanage login -m -s unconfined_u __default__
libsemanage.validate_handler: selinux user unconfined_u does not exist No such
file or directory.
libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0)]
is invalid No such file or directory.
libsemanage.dbase_llist_iterate: could not iterate over records No such file or
/usr/sbin/semanage: Could not modify login mapping for __default__

Pasting this output before logging out...
Comment 17 Christopher Stone 2007-12-10 17:16:46 EST
Error still persists after completely logging out from KDE and also after a
complete reboot.
Comment 18 Daniel Walsh 2007-12-10 17:33:52 EST
Ok the post install was supposed to do the following.

semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__

Could you try that.
Comment 19 Christopher Stone 2007-12-10 17:50:24 EST
This fixes the problem for me, not sure why that wasn't run when I did the
upgrade.  Thanks for the help.
Comment 20 Daniel Walsh 2007-12-12 17:05:47 EST
Fixed in selinux-policy-3.0.8-68
Comment 21 Daniel Walsh 2008-01-30 14:06:25 EST
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.

Note You need to log in before you can comment on or make changes to this bug.