Bug 448367 - SELinux is preventing sshd (sshd_t) "search" to <Neznámé> (crond_t).
SELinux is preventing sshd (sshd_t) "search" to <Neznámé> (crond_t).
Product: Fedora
Classification: Fedora
Component: cronie (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Marcela Mašláňová
Fedora Extras Quality Assurance
: SELinux
Depends On:
  Show dependency treegraph
Reported: 2008-05-26 05:43 EDT by Matěj Cepl
Modified: 2008-05-28 03:49 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-28 03:49:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/var/log/audit/audit.log (4.02 MB, text/plain)
2008-05-26 11:24 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2008-05-26 05:43:19 EDT
Description of problem:

Absolutely no idea, how I deserved this -- what did I do to get this.


SELinux is preventing sshd (sshd_t) "search" to <Neznámé> (crond_t).

Podrobný popis:

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:sshd_t:SystemLow-SystemHigh
Kontext cíle                 system_u:system_r:crond_t:SystemLow-SystemHigh
Objekty cíle                 None [ key ]
Zdroj                         sshd
Cesta zdroje                  /usr/sbin/sshd
Port                          <Neznámé>
Počítač                    hubmaier.ceplovi.cz
RPM balíčky zdroje          openssh-server-5.0p1-2.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-45.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            hubmaier.ceplovi.cz
Platforma                     Linux hubmaier.ceplovi.cz
                              2.6.26-0.17.rc3.fc10.x86_64 #1 SMP Sun May 18
                              18:44:39 EDT 2008 x86_64 x86_64
Počet uporoznění           5
Poprvé viděno               St 21. květen 2008, 23:02:49 CEST
Naposledy viděno             Pá 23. květen 2008, 07:32:16 CEST
Místní ID                   30cbc996-27a8-4025-8aad-cffa4f396167
Čísla řádků              

Původní zprávy auditu      

host=hubmaier.ceplovi.cz type=AVC msg=audit(1211520736.490:3035): avc:  denied 
{ search } for  pid=1067 comm="sshd"
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1211520736.490:3035):
arch=c000003e syscall=250 success=no exit=-13 a0=0 a1=fffffffd a2=0 a3=2b42280
items=0 ppid=19335 pid=1067 auid=4294967295 uid=500 gid=500 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Tomas Mraz 2008-05-26 06:05:19 EDT
Cronie must call setkeycreatecon() with the context it uses when calling
setexeccon(). This call has to be done before pam_open_session() is called.
Comment 2 Marcela Mašláňová 2008-05-26 08:45:29 EDT
Please try test package at http://mmaslano.fedorapeople.org/cronie/
Comment 3 Tomas Mraz 2008-05-26 09:53:09 EDT
Note that you'll have to restart the computer so the keyring is recreated for
the user. Also the cron job of the user must run before you log in to reproduce
the problem.
Comment 4 Matěj Cepl 2008-05-26 11:24:20 EDT
Created attachment 306685 [details]

Using local rebuild of the src.rpm from comment 2, I don't get AVC denial on
cronnie, but I get plenty of other AVC denials -- I have logged into slightly
after 17:00 CEST. And no I haven't heard any sound on the whole hour (which I
should). This is the output of crontab -e:
[matej@hubmaier ~]$ crontab -l

* 15 * * mon-fri curl -s
0 8-19 * * mon-fri  gst-launch filesrc
location=/home/matej/archiv/music/Pranks/Clock_Big_Ben_London.mp3 ! decodebin !
audioconvert ! volume volume=0.2 ! autoaudiosink >/dev/null 2>&1
# 10 4 * * * /home/matej/rpm/kompiliste/bitlbee/update.sh
[matej@hubmaier ~]$
Comment 5 Tomas Mraz 2008-05-26 12:05:19 EDT
The sound will not play when you're not logged in due to permissions on the
sound devices. And the AVCs seem to be unrelated. Verify that the user cron jobs
are still working and if so then this bug can be closed as fixed.
Comment 6 Daniel Walsh 2008-05-27 12:37:49 EDT
Matej you seem to have bitlbee attempting connects to lots of random ports.  Is
this expected behaviour?

Comment 7 Matěj Cepl 2008-05-27 16:17:15 EDT
(In reply to comment #6)
> Matej you seem to have bitlbee attempting connects to lots of random ports.  Is
> this expected behaviour?

Yes, it is, I have patched version of bitlbee doing file transfer and the file
transfer apparently makes connection totally randomly -- not sure how to make it
behave more sanely, and it doesn't matter that much for me. I just added

allow bitlbee_t port_t:tcp_socket name_connect;

to my bitlbeeFT policy module and will deal with that later.
Comment 8 Daniel Walsh 2008-05-27 16:31:11 EDT
So it is doing some kind of ftp transfer?
Comment 9 Matěj Cepl 2008-05-27 16:41:17 EDT
(In reply to comment #8)
> So it is doing some kind of ftp transfer?

Roughly speaking yes, it actually is more http connection between two Jabber
clients, but that probably doesn't make a difference for you.
Comment 10 Marcela Mašláňová 2008-05-28 03:49:29 EDT
This is fixed for cronie in next update. If your problem persist please open new
bug on appropriate component.

Note You need to log in before you can comment on or make changes to this bug.