Bug 399031 - SELinux is preventing /usr/sbin/sshd (sshd_t) "setkeycreate" to <Unknown> (sshd_t)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
rawhide
x86_64 Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-11-25 23:08 EST by James Morris
Modified: 2008-01-30 14:05 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:05:25 EST


Description James Morris 2007-11-25 23:08:10 EST
Description of problem:
type=SYSCALL msg=audit(1196049769.496:25): arch=c000003e syscall=1 success=no
exit=-13 a0=4 a1=2aaaaad37250 a2=2a a3=65726379656b2f72 items=0 ppid=2358
pid=2716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)



Version-Release number of selected component (if applicable):

kernel-2.6.24-0.42.rc3.git1.fc9
openssh-4.7p1-4.fc9
selinux-policy-targeted-3.0.8-56.fc8


How reproducible:


Steps to Reproduce:
1. Log in via ssh
  
Actual results:

AVC per above

Expected results:

Nothing special

Additional info:
Comment 1 Daniel Walsh 2007-11-26 10:40:46 EST
selinux-policy-targeted-3.1.2.fc9
Comment 2 James Morris 2007-11-28 03:38:31 EST
Still seeing the problem.

Additional Information        

Source Context                system_u:system_r:sshd_t:SystemLow-SystemHigh
Target Context                system_u:system_r:sshd_t:SystemLow-SystemHigh
Target Objects                None [ process ]
Affected RPM Packages         openssh-server-4.7p1-4.fc9 [application]
Policy RPM                    selinux-policy-3.1.2-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     sdv
Platform                      Linux sdv 2.6.24-0.43.rc3.git1.fc9 #1 SMP Mon Nov
                              26 07:50:09 EST 2007 x86_64 x86_64
Alert Count                   13
First Seen                    Mon Nov 26 15:02:49 2007
Last Seen                     Wed Nov 28 19:36:28 2007
Local ID                      5617e447-1320-4ac1-9f78-43059fd1e357
Line Numbers                  

Raw Audit Messages            

avc: denied { setkeycreate } for comm=sshd egid=0 euid=0 exe=/usr/sbin/sshd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2761
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=process
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tty=(none) uid=0
Comment 3 Daniel Walsh 2007-11-28 05:23:29 EST
Works for me.

audit2why < /tmp/t
avc:  denied  { setkeycreate } for comm=sshd egid=0 euid=0 exe=/usr/sbin/sshd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2761
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=process
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tty=(none) uid=0
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which
the audit message was generated.
                Possible mismatch between current in-memory boolean settings vs.
permanent ones.

Comment 4 Daniel Cestari 2007-11-30 15:36:47 EST
I confirm this happens on an f7 system updated to f8 with yum on an i686.

Every time I log into ssh, it throws that.
Comment 5 Daniel Walsh 2007-12-02 21:22:41 EST
Fixed in selinux-policy-3.0.8-63.fc8
Comment 6 Daniel Cestari 2007-12-02 22:22:28 EST
The problem continues with selinux-policy-3.0.8-63.fc8

Comment 7 Daniel Walsh 2007-12-03 12:59:32 EST
Looks like it is there to me.

sesearch --allow | grep sshd_t | grep setkey
allow sshd_t sshd_t : process { fork sigchld signal setsched setexec setrlimit
setkeycreate }; 
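
Added example, not part of the original thread or of any commenter's post: a small Python check that parses the AVC denial from Comment 2 and tests it against allow rules in the sesearch text format shown in Comment 7, which is the comparison audit2why and sesearch are used for above. The function names and the abridged sample strings are constructed for illustration; only direct type-to-type rules are compared, so rules granted through attributes are not considered.

```python
import re

# Constructed samples: the AVC is abridged from Comment 2, the rule is the
# sesearch output quoted in Comment 7.
AVC = ("avc: denied { setkeycreate } for comm=sshd exe=/usr/sbin/sshd "
       "exit=-13 pid=2761 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
       "tclass=process tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023")
RULES = ("allow sshd_t sshd_t : process { fork sigchld signal setsched "
         "setexec setrlimit setkeycreate };")


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        raise ValueError("not an AVC denial record")
    # A context is user:role:type[:mls-range]; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(perms.group(1).split())


def parse_allow_rules(text):
    """Map (source, target, class) -> permission set from allow-rule text."""
    pat = re.compile(
        r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*(?:\{([^}]*)\}|(\S+?))\s*;")
    table = {}
    for src, tgt, cls, braced, single in pat.findall(text):
        table.setdefault((src, tgt, cls), set()).update(
            (braced or single).split())
    return table


def missing_perms(avc_line, rules_text):
    """Permissions in the denial that no matching allow rule grants."""
    stype, ttype, tclass, perms = parse_avc(avc_line)
    table = parse_allow_rules(rules_text)
    granted = set(table.get((stype, ttype, tclass), set()))
    if stype == ttype:
        # Policy source spells a same-type target as "self"; accept it too.
        granted |= table.get((stype, "self", tclass), set())
    return perms - granted


if __name__ == "__main__":
    print(missing_perms(AVC, RULES) or "covered by the given rules")
```

An empty result for a denial that is still being logged points at the situation audit2why reports in Comment 3: the rules being inspected are not the policy that was loaded when the denial was generated.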
Comment 8 James Morris 2007-12-14 00:28:11 EST
Appears fixed with selinux-policy-targeted-3.2.3-1.fc9
Comment 9 Daniel Walsh 2008-01-30 14:05:25 EST
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
