Description of problem:
SELinux exception on ssh startup from cronjob. System is fully up-to-date. Cronjob used to shut down ssh outside of the hours required, to reduce the ssh-hacking window to a more manageable size.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-64.fc8

How reproducible:
Every time

Steps to Reproduce:
1. Construct a crontab to start/stop ssh when required, e.g.:
   30 08 * * 1-5 /etc/rc.d/init.d/sshd start
   30 17 * * 1-5 /etc/rc.d/init.d/sshd stop
2. Let it run for several days

Actual results:
See the following cut/paste from the setroubleshoot browser of a typical (and incorrect) SE exception that happens every day at 08:30:

=========
Summary
SELinux is preventing /usr/sbin/sshd (sshd_t) "read" to pipe (crond_t).

Detailed Description
SELinux denied access requested by /usr/sbin/sshd. It is not expected that this access is required by /usr/sbin/sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context:         system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context:         system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects:         pipe [ fifo_file ]
Affected RPM Packages:  openssh-server-4.7p1-4.fc8 [application]
Policy RPM:             selinux-policy-3.0.8-64.fc8
Selinux Enabled:        True
Policy Type:            targeted
MLS Enabled:            True
Enforcing Mode:         Permissive
Plugin Name:            plugins.catchall
Host Name:              mellor.kw.net
Platform:               Linux mellor.kw.net 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 athlon
Alert Count:            15
First Seen:             Mon 19 Nov 2007 08:30:01 AM EST
Last Seen:              Wed 12 Dec 2007 08:30:01 AM EST
Local ID:               a08c71f3-663c-4941-9e80-5afc6771f875
Line Numbers:

Raw Audit Messages:
avc: denied { read } for comm=sshd dev=pipefs egid=0 euid=0 exe=/usr/sbin/sshd exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[2088409] pid=16104 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0
=========

Expected results:
No exception should be triggered. The SSH daemon should start cleanly.

Additional info:
The priority of this problem should perhaps be higher. The only reason that it works on my machine is that I am not using SE in enforcing mode. In enforcing mode, this is probably a showstopper.
I don't think this would be blocked on an enforcing machine. All that is happening is that the stdout/stdin/stderr of sshd are being redirected to a cron pipe. The kernel checks to see if sshd can read that pipe; it cannot. The kernel closes the file descriptor and replaces it with one pointing at /dev/null, and sshd continues. I will update the Fedora 8 policy to allow this, but it can safely be ignored. Fixed in selinux-policy-3.0.8-69.fc8
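The comment above describes a specific, benign pattern: an sshd_t process inherits crond's stdio pipe and the kernel denies read/write on that crond_t fifo_file before swapping the descriptor for /dev/null. The following is an added example (not code from the report or from the Fedora policy) that parses raw AVC messages of the form quoted in this report and flags the ones matching that pattern, so they can be separated from denials that genuinely need attention. The two sample messages are taken from the report; the third is constructed to show a non-matching denial. The allow-rule string is printed in the usual SELinux type-enforcement syntax for reference only; whether to ship it as a local module is the policy decision discussed in the thread.

```python
import re
from dataclasses import dataclass

# Matches the head of a raw AVC denial: the permission set and the key=value tail.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)")


@dataclass(frozen=True)
class Avc:
    perms: frozenset
    fields: dict

    @staticmethod
    def type_of(ctx: str) -> str:
        # A context is user:role:type[:range]; the type is the third field.
        parts = ctx.split(":")
        return parts[2] if len(parts) >= 3 else ""

    @property
    def stype(self) -> str:
        return self.type_of(self.fields.get("scontext", ""))

    @property
    def ttype(self) -> str:
        return self.type_of(self.fields.get("tcontext", ""))

    @property
    def tclass(self) -> str:
        return self.fields.get("tclass", "")


def parse_avc(line: str):
    """Parse one raw AVC line into perms plus a dict of key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    fields = {}
    for tok in m.group(2).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    return Avc(perms, fields)


def is_cron_inherited_pipe(avc: Avc) -> bool:
    """True for the pattern in this report: sshd_t reading/writing the
    crond_t fifo_file it inherited as stdio (a pipefs object, not a file)."""
    on_pipefs = (avc.fields.get("dev") == "pipefs"
                 or avc.fields.get("path", "").startswith("pipe:"))
    return (avc.stype == "sshd_t" and avc.ttype == "crond_t"
            and avc.tclass == "fifo_file"
            and avc.perms <= {"read", "write"}
            and on_pipefs)


def allow_rule(avc: Avc) -> str:
    """The type-enforcement rule that would permit this exact denial."""
    perms = " ".join(sorted(avc.perms))
    return f"allow {avc.stype} {avc.ttype}:{avc.tclass} {{ {perms} }};"


def triage(lines):
    """Classify each parsable AVC line; returns a list of result dicts."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        out.append({
            "perms": sorted(avc.perms),
            "source": avc.stype,
            "target": avc.ttype,
            "tclass": avc.tclass,
            "benign_cron_pipe": is_cron_inherited_pipe(avc),
            "rule": allow_rule(avc),
        })
    return out


SAMPLE_AUDIT = [
    # Both quoted from the report (first the read denial, then the write one).
    "avc: denied { read } for comm=sshd dev=pipefs egid=0 euid=0 exe=/usr/sbin/sshd exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[2088409] pid=16104 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0",
    "avc: denied { write } for comm=sshd dev=pipefs path=pipe:[1416330] pid=14057 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023",
    # Constructed counter-example: same domains, but a regular file, not a pipe.
    "avc: denied { read } for comm=sshd dev=sda1 path=/var/spool/cron/root pid=1 scontext=system_u:system_r:sshd_t:s0 tclass=file tcontext=system_u:object_r:crond_t:s0",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        tag = "ignore (cron stdio pipe)" if r["benign_cron_pipe"] else "INVESTIGATE"
        print(f"{tag:26} {r['source']} -> {r['target']}:{r['tclass']} {r['perms']}  {r['rule']}")
```

Run it as a script to see the two report denials tagged as the cron-pipe case and the constructed file denial left for investigation; feed `triage()` lines from `ausearch -m avc` output to use it on a live host.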
Not fixed in selinux-policy-3.0.8-69.fc8, same problem is still occurring after update and reboot.
Fix presumably fails. Problem still occurring as of 2008/01/14, using selinux-policy-3.0.8-73.fc8, as shown by the following setroubleshoot browser output:

Summary
SELinux is preventing sshd (sshd_t) "write" to pipe (crond_t).

Detailed Description
SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context:         system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context:         system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects:         pipe [ fifo_file ]
Affected RPM Packages:
Policy RPM:             selinux-policy-3.0.8-73.fc8
Selinux Enabled:        True
Policy Type:            targeted
MLS Enabled:            True
Enforcing Mode:         Permissive
Plugin Name:            plugins.catchall
Host Name:              mellor.kw.net
Platform:               Linux mellor.kw.net 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 athlon
Alert Count:            1
First Seen:             Mon 14 Jan 2008 08:30:01 AM EST
Last Seen:              Mon 14 Jan 2008 08:30:01 AM EST
Local ID:               f2023e02-bbcf-4294-9c1f-f3164a9eaec8
Line Numbers:

Raw Audit Messages:
avc: denied { write } for comm=sshd dev=pipefs path=pipe:[1416330] pid=14057 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023
Well, technically this is a different AVC: the first one was for read, now you have a new one for write. Can be ignored. Fixed in selinux-policy-3.0.8-77.fc8
Confirmed fixed, problem not occurring with selinux-policy-targeted-3.0.8-81.fc8