Bug 422771 - selinux exception on ssh startup
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: i686 Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-12-12 20:47 EST by John Mellor
Modified: 2008-02-01 17:00 EST
Last Closed: 2008-02-01 17:00:23 EST
Doc Type: Bug Fix
Attachments: None
Description John Mellor 2007-12-12 20:47:14 EST
Description of problem: selinux exception on ssh startup from cronjob.  System
is fully up-to-date.  Cronjob used to shut down ssh outside of required hours,
to reduce the ssh-hacking window to a more manageable size.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-64.fc8

How reproducible: Every time

Steps to Reproduce:
1. Construct crontab to start/stop ssh when required.  e.g:
    30 08 * * 1-5 /etc/rc.d/init.d/sshd start
    30 17 * * 1-5 /etc/rc.d/init.d/sshd stop
2. Let it run for several days
Actual results:
See the following cut/paste from the setroubleshoot browser of a typical and
incorrect SE exception that happens every day at 08:30:
=========
Summary
SELinux is preventing /usr/sbin/sshd (sshd_t) "read" to pipe (crond_t).
Detailed Description
SELinux denied access requested by /usr/sbin/sshd. It is not expected that this
access is required by /usr/sbin/sshd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.
Additional Information
Source Context:  system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects:  pipe [ fifo_file ]
Affected RPM Packages:  openssh-server-4.7p1-4.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-64.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  mellor.kw.net
Platform:  Linux mellor.kw.net 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST
2007 i686 athlon
Alert Count:  15
First Seen:  Mon 19 Nov 2007 08:30:01 AM EST
Last Seen:  Wed 12 Dec 2007 08:30:01 AM EST
Local ID:  a08c71f3-663c-4941-9e80-5afc6771f875
Line Numbers:  
Raw Audit Messages :avc: denied { read } for comm=sshd dev=pipefs egid=0 euid=0
exe=/usr/sbin/sshd exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[2088409]
pid=16104 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0 
=========

Expected results:
No exception should be triggered.  The ssh daemon should start cleanly.

Additional info:
Comment 1 John Mellor 2007-12-12 20:50:22 EST
The priority of this problem should perhaps be higher.  The only reason that it
works on my machine is that I am not using SE in enforcing mode.  In enforcing
mode, this is probably a showstopper.
Comment 2 Daniel Walsh 2007-12-13 14:37:47 EST
I don't think this would be blocked on an enforcing machine.  All that is
happening is the stdout/stdin/stderr of sshd is being redirected to a cron pipe.
The kernel checks to see if ssh can read that pipe; it cannot.  The kernel
closes the file descriptor and replaces it with one pointing at /dev/null, and
ssh continues.

I will update the fedora 8 policy to allow this, but it can safely be ignored.
Fixed in selinux-policy-3.0.8-69.fc8
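The two raw AVC records quoted in this bug are the input a triage script would consume. As an added example (not from the bug report or Fedora's own tooling), the Python below parses an AVC record into its permission set, key=value fields and TE types, flags the inherited-stdio fifo pattern that Comment 2 describes as benign, and aggregates denials into audit2allow-style allow rules. The sample lines are the bug's two AVCs reflowed onto single lines; the `inherited_stdio_denial` heuristic is my own, not a rule from the page.

```python
import re

# Constructed input: the two raw AVC records quoted in this bug, each reflowed onto one line.
AVC_SAMPLES = [
    "avc: denied { read } for comm=sshd dev=pipefs egid=0 euid=0 exe=/usr/sbin/sshd exit=0 fsgid=0 "
    "fsuid=0 gid=0 items=0 path=pipe:[2088409] pid=16104 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "sgid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file "
    "tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0",
    "avc: denied { write } for comm=sshd dev=pipefs path=pipe:[1416330] pid=14057 "
    "scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file "
    "tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023",
]

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def type_of(context):
    # A context is user:role:type[:range]; the TE type is the third component.
    return context.split(":")[2]

def parse_avc(line):
    """Parse one raw AVC record into {"result", "perms", "fields"}; ValueError on non-AVC input."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"result": m.group("result"), "perms": tuple(m.group("perms").split()), "fields": fields}

def inherited_stdio_denial(avc):
    """Heuristic (mine, not from the bug): a denied read/write on a pipefs fifo labelled with another
    domain's type, i.e. stdio inherited from the parent (crond_t here); the kernel swaps in /dev/null."""
    f = avc["fields"]
    return (avc["result"] == "denied" and f.get("tclass") == "fifo_file" and f.get("dev") == "pipefs"
            and set(avc["perms"]) <= {"read", "write"}
            and type_of(f["scontext"]) != type_of(f["tcontext"]))

def allow_rules(avcs):
    """Aggregate denials into audit2allow-style TE rules, one per (source type, target type, class)."""
    grouped = {}
    for a in avcs:
        if a["result"] == "denied":
            f = a["fields"]
            key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
            grouped.setdefault(key, set()).update(a["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]
```

Running `allow_rules` over the two records yields a single rule covering both permissions, which is the shape of the policy change the maintainer describes; in a triage pipeline, records for which `inherited_stdio_denial` is true can be filed as noise rather than intrusion signals.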
Comment 3 John Mellor 2007-12-25 08:58:47 EST
Not fixed in selinux-policy-3.0.8-69.fc8, same problem is still occurring after
update and reboot.
Comment 4 John Mellor 2008-01-14 22:05:22 EST
Fix presumably fails.

Problem still occurring as of 2008/01/14, using selinux-policy-3.0.8-73.fc8, as
shown by the following setroubleshoot browser output:

Summary
SELinux is preventing sshd (sshd_t) "write" to pipe (crond_t).

Detailed Description
SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects:  pipe [ fifo_file ]
Affected RPM Packages:  
Policy RPM:  selinux-policy-3.0.8-73.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  mellor.kw.net
Platform:  Linux mellor.kw.net 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST
2007 i686 athlon
Alert Count:  1
First Seen:  Mon 14 Jan 2008 08:30:01 AM EST
Last Seen:  Mon 14 Jan 2008 08:30:01 AM EST
Local ID:  f2023e02-bbcf-4294-9c1f-f3164a9eaec8
Line Numbers:  
Raw Audit Messages :avc: denied { write } for comm=sshd dev=pipefs
path=pipe:[1416330] pid=14057 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tclass=fifo_file tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
Comment 5 Daniel Walsh 2008-01-15 09:58:38 EST
Well, technically this is a different AVC: the first one was for read, now you
have a new one for write.

Can be ignored.

Fixed in selinux-policy-3.0.8-77.fc8
Comment 6 John Mellor 2008-02-01 17:00:23 EST
Confirmed fixed, problem not occurring with selinux-policy-targeted-3.0.8-81.fc8