Bug 403761 - Can't start sshd after f7 upgrade to f8
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: i686 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-28 21:07 EST by Daniel Cestari
Modified: 2008-01-30 14:19 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:19:50 EST
Description Daniel Cestari 2007-11-28 21:07:49 EST
Description of problem:
Can't start sshd service after upgrading to Fedora 8

Steps to Reproduce:
1. Install Fedora 7
2. Upgrade to F8
3. Try to start sshd
  
Actual results:
/usr/sbin/sshd: Permission denied

Expected results:
Start sshd: [OK]
Comment 1 Zing 2007-11-29 16:11:48 EST
same:

# service sshd start
Starting sshd: ./sshd: line 111: /usr/sbin/sshd: Permission denied
                                                           [FAILED]
# rpm -q openssh-server
openssh-server-4.7p1-4.fc8

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.8-58.fc8

setenforce 0 will allow ssh to start.  No AVC messages (must be hidden or
something) btw.
Comment 2 Daniel Walsh 2007-11-30 09:11:35 EST
Execute

# semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u

Log out and log back in.  Then it should work.

This should have happened on the install of the policy.

Comment 3 Daniel Cestari 2007-11-30 15:03:05 EST
That seems to solve the problem. Anyway, it should still be a bug since
selinux-policy's f8 version didn't do it.

Thanks!
Comment 4 Zing 2007-11-30 22:01:38 EST
That seems to work here too.

If the intent is to run this command on _upgrade_... in the postinstall
scriptlet then you'd want to change:

-if [ $1 = 1 ]; then
+if [ $1 -ge 2 ]; then
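Review bot: the replacement test `[ $1 -ge 2 ]` no longer matches a first install, where the scriptlet argument is 1 as described just below, so a fresh install would skip the block that the original `= 1` test ran. If the command is needed on both install and upgrade, test `[ "$1" -ge 1 ]` or drop the condition. `$1` is also unquoted in both lines, so `[` fails with a syntax error if the argument is ever empty; quote it.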

basically:

   1. When the first version of a package is installed, its %pre and %post
scripts will be passed an argument equal to 1.
   2. When the last version of a package is erased, its %preun and %postun
scripts will be passed an argument equal to 0. 

hope that clarifies what should happen and what should be fixed, because I'm
unsure what really needs to happen in the selinux rpm scripts.
Comment 5 Daniel Walsh 2007-12-01 08:01:26 EST
Fixed in selinux-policy-3.0.8-63.fc8
Comment 6 Zing 2007-12-02 21:02:58 EST
I think you meant to put comment #5 in some other bug?  This bug doesn't have
anything to do with labeling of hpijs.
Comment 7 Daniel Cestari 2007-12-02 22:19:01 EST
Also tested selinux-policy-3.0.8-63.fc8 and it doesn't fix the problem.
Comment 8 Daniel Walsh 2007-12-03 12:04:01 EST
Daniel, did you log out and log back in, and then try to restart sshd?
Comment 9 Daniel Cestari 2007-12-04 13:03:12 EST
In fact I have restarted the computer several times after the upgrade, and it
still doesn't let me start ssh unless I do "setenforce 0" first.
Comment 10 Daniel Walsh 2007-12-05 08:35:37 EST
Daniel.

Login as root and execute

# id -Z
# semanage login -l 

Did you execute

# semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
Comment 11 Daniel Cestari 2007-12-05 10:00:06 EST
Here they are,

# id -Z
user_u:system_r:unconfined_t

# semanage login -l

Nombre de Ingreso         Usuario SELinux           Rango MLS/MCS

__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh


And I did execute it, but the problem persisted after rebooting.
Comment 12 Daniel Walsh 2007-12-06 11:14:48 EST
# semanage login -m -s unconfined_u __default__

Should fix you to default to the unconfined_u user.  Log out and log back in.
And see if it works.

Could you show me 

# semanage user -l
Comment 13 Daniel Cestari 2007-12-06 17:51:55 EST
OK, that first command (after logging out and in) let me start sshd properly. But
I'm still getting the setkeycreate problem from bug #399031.

As for your request:

# semanage user -l

                Etiquetado MLS/       MLS/
Usuario SELinux  Prefijo    Nivel MCS  Rango MCS                      Roles SELinux

root            sysadm     s0         SystemLow-SystemHigh           system_r sysadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r staff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
unconfined_u    unconfined s0         SystemLow-SystemHigh           system_r unconfined_r
user_u          user       s0         s0                             system_r user_r
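
The check worked through by hand in comments 10 to 13, as an added example that is not part of the original bug report or of the selinux-policy package: it reads the `semanage login -l` and `semanage user -l` listings and prints whichever of the commands from comments 2 and 12 still apply. The function names are hypothetical and the sample listings are constructed from the output posted in comments 11 and 13.

```shell
#!/bin/sh
# Added example: offline check of the two listings discussed in this bug.
# Sample listings below are constructed from the output in comments 11 and 13.

LOGIN_LISTING='
Nombre de Ingreso         Usuario SELinux           Rango MLS/MCS

__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
'

USER_LISTING='
root            sysadm     s0         SystemLow-SystemHigh           system_r sysadm_r staff_r
unconfined_u    unconfined s0         SystemLow-SystemHigh           system_r unconfined_r
user_u          user       s0         s0                             system_r user_r
'

# Print the SELinux user that the __default__ login entry maps to.
# Matching on the first column keeps this independent of the header locale.
default_selinux_user() {
    printf '%s\n' "$1" | awk '$1 == "__default__" { print $2; exit }'
}

# Succeed if the named SELinux user appears in a `semanage user -l` listing.
has_selinux_user() {
    printf '%s\n' "$1" | awk -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Print the commands from comments 2 and 12 that still apply, one per line.
# Prints nothing when __default__ already maps to unconfined_u.
remediation() {
    login_listing=$1
    user_listing=$2
    [ "$(default_selinux_user "$login_listing")" = "unconfined_u" ] && return 0
    if ! has_selinux_user "$user_listing" unconfined_u; then
        echo 'semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u'
    fi
    echo 'semanage login -m -s unconfined_u __default__'
}

remediation "$LOGIN_LISTING" "$USER_LISTING"
```

On a live system the same function can be fed the real listings with `remediation "$(semanage login -l)" "$(semanage user -l)"`, run as root.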
Comment 14 Daniel Walsh 2008-01-30 14:19:50 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
