Bug 399031 - SELinux is preventing /usr/sbin/sshd (sshd_t) "setkeycreate" to <Unknown> (sshd_t)
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-11-26 04:08 UTC by James Morris
Modified: 2008-01-30 19:05 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:05:25 UTC



Description James Morris 2007-11-26 04:08:10 UTC
Description of problem:
type=SYSCALL msg=audit(1196049769.496:25): arch=c000003e syscall=1 success=no
exit=-13 a0=4 a1=2aaaaad37250 a2=2a a3=65726379656b2f72 items=0 ppid=2358
pid=2716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)



Version-Release number of selected component (if applicable):

kernel-2.6.24-0.42.rc3.git1.fc9
openssh-4.7p1-4.fc9
selinux-policy-targeted-3.0.8-56.fc8


How reproducible:


Steps to Reproduce:
1. Log in via ssh
  
Actual results:

AVC per above

Expected results:

Nothing special

Additional info:

Comment 1 Daniel Walsh 2007-11-26 15:40:46 UTC
selinux-policy-targeted-3.1.2.fc9

Comment 2 James Morris 2007-11-28 08:38:31 UTC
Still seeing the problem.

Additional Information        

Source Context                system_u:system_r:sshd_t:SystemLow-SystemHigh
Target Context                system_u:system_r:sshd_t:SystemLow-SystemHigh
Target Objects                None [ process ]
Affected RPM Packages         openssh-server-4.7p1-4.fc9 [application]
Policy RPM                    selinux-policy-3.1.2-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     sdv
Platform                      Linux sdv 2.6.24-0.43.rc3.git1.fc9 #1 SMP Mon Nov
                              26 07:50:09 EST 2007 x86_64 x86_64
Alert Count                   13
First Seen                    Mon Nov 26 15:02:49 2007
Last Seen                     Wed Nov 28 19:36:28 2007
Local ID                      5617e447-1320-4ac1-9f78-43059fd1e357
Line Numbers                  

Raw Audit Messages            

avc: denied { setkeycreate } for comm=sshd egid=0 euid=0 exe=/usr/sbin/sshd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2761
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=process
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tty=(none) uid=0

Comment 3 Daniel Walsh 2007-11-28 10:23:29 UTC
Works for me.

audit2why < /tmp/t
avc:  denied  { setkeycreate } for comm=sshd egid=0 euid=0 exe=/usr/sbin/sshd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2761
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=process
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tty=(none) uid=0
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which
the audit message was generated.
                Possible mismatch between current in-memory boolean settings vs.
permanent ones.



Comment 4 Daniel Cestari 2007-11-30 20:36:47 UTC
I confirm this happens on an f7 system updated to f8 with yum on an i686.

Every time I log into ssh, it throws that.

Comment 5 Daniel Walsh 2007-12-03 02:22:41 UTC
Fixed in selinux-policy-3.0.8-63.fc8

Comment 6 Daniel Cestari 2007-12-03 03:22:28 UTC
The problem continues with selinux-policy-3.0.8-63.fc8



Comment 7 Daniel Walsh 2007-12-03 17:59:32 UTC
Looks like it is there to me.

sesearch --allow | grep sshd_t | grep setkey
allow sshd_t sshd_t : process { fork sigchld signal setsched setexec setrlimit
setkeycreate }; 
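
Added example, not part of the original thread or of the SELinux tools: a minimal Python check of whether an AVC denial is covered by sesearch-style allow rules, which is the comparison done by hand in Comments 3 and 7. It matches type names literally (no attribute expansion), and the sample strings are constructed from the records quoted in this thread.

```python
import re

# Constructed samples: abridged from the records quoted in this thread, wraps joined.
AVC = ("avc: denied { setkeycreate } for comm=sshd egid=0 euid=0 exe=/usr/sbin/sshd "
       "exit=-13 pid=2761 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
       "tclass=process tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tty=(none) uid=0")
RULES = ("allow sshd_t sshd_t : process { fork sigchld signal setsched setexec "
         "setrlimit setkeycreate };")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial")
    perms = set(m.group(1).split())
    fields = dict(kv.split("=", 1) for kv in line[m.end():].split() if "=" in kv)
    # A context is user:role:type[:level]; the level may itself contain ':'.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms

def parse_allow_rules(text):
    """Map (source, target, class) -> permission set from sesearch-style output."""
    rules = {}
    pat = r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;"
    for m in re.finditer(pat, text):
        src, tgt, cls, many, one = m.groups()
        if tgt == "self":          # 'self' means the target is the source type
            tgt = src
        rules.setdefault((src, tgt, cls), set()).update((many or one).split())
    return rules

def missing_perms(avc_line, rules_text):
    """Permissions denied in the record that the given rules do not grant."""
    stype, ttype, tclass, perms = parse_avc(avc_line)
    granted = parse_allow_rules(rules_text).get((stype, ttype, tclass), set())
    return perms - granted

if __name__ == "__main__":
    gap = missing_perms(AVC, RULES)
    print("covered by these rules" if not gap else "missing: " + " ".join(sorted(gap)))
```

An empty result for a denial that is still being logged matches the audit2why hint in Comment 3: the rules being queried are not the policy under which the denial was generated.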


Comment 8 James Morris 2007-12-14 05:28:11 UTC
Appears fixed with selinux-policy-targeted-3.2.3-1.fc9


Comment 9 Daniel Walsh 2008-01-30 19:05:25 UTC
Bulk closing old SELinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.

