Bug 453554 - Selinux in enforced mode prevents login via ssh since Jun 12th update
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: x86_64 Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-01 05:56 EDT by Phil Stewart
Modified: 2008-07-07 12:27 EDT (History)
Attachments
avcs from /var/log/audit/audit.log (2.81 KB, application/octet-stream)
2008-07-02 09:47 EDT, Phil Stewart
semodule has unknown options user and login (1.46 KB, application/octet-stream)
2008-07-03 05:14 EDT, Phil Stewart
Output from semanage (643 bytes, application/octet-stream)
2008-07-03 05:17 EDT, Phil Stewart
Output of semanage -l (1.19 KB, application/octet-stream)
2008-07-03 11:30 EDT, Phil Stewart

Description Phil Stewart 2008-07-01 05:56:56 EDT
Description of problem: Since the Jun 12th update to selinux, although I can
successfully pass the ssh password request, as soon as I get through, I'm kicked
out with the error:

Last login: Fri Jun 13 10:42:30 2008 from xxx.xxx.xxx.xxx
/bin/bash: Permission denied
Connection to localhost closed.


Version-Release number of selected component (if applicable): 69.fc9


How reproducible:
Log in using ssh.

Steps to Reproduce:
1. Connect using ssh and enter password
Actual results:

Last login: Fri Jun 13 10:42:30 2008 from xxx.xxx.xxx.xxx
/bin/bash: Permission denied
Connection to localhost closed.

Expected results:

bash shell

Additional info:

/var/log/secure:

Jun 13 10:43:51 purkinje sshd[3667]: Accepted password for phil from
xxx.xxx.xxx.xxx port 57220 ssh2
Jun 13 10:43:51 purkinje sshd[3667]: pam_unix(sshd:session): session opened for
user phil by (uid=0)
Jun 13 10:43:51 purkinje sshd[3667]: error: ssh_selinux_setup_pty:
security_compute_relabel: Invalid argument
Jun 13 10:43:51 purkinje sshd[3667]: pam_unix(sshd:session): session closed for
user phil
Comment 1 Phil Stewart 2008-07-01 05:59:37 EDT
Setting selinux to permissive mode allows successful login, but is not desirable.
Comment 2 Daniel Walsh 2008-07-01 10:03:36 EDT
Check the context on the home directory

restorecon -R -v /home
Comment 3 Phil Stewart 2008-07-01 11:04:58 EDT
[root@purkinje ~]# restorecon -R -v /home
restorecon:  unable to stat file /home/phil/.gvfs: Permission denied

Same error as before when attempting login.
Comment 4 Josef Kubin 2008-07-01 13:14:04 EDT
Did you try:
# setenforce 0
# restorecon -R -v /home
# setenforce 1
Comment 5 Phil Stewart 2008-07-02 05:50:01 EDT
Just tried now, no change.
Also installed today's updates (incl. selinux), no change.
Decided to check that it wasn't just my user, created a new user, no access
either, same error.
Comment 6 Daniel Walsh 2008-07-02 09:37:33 EDT
Please attach the avcs in /var/log/audit/audit.log
Comment 7 Phil Stewart 2008-07-02 09:47:57 EDT
Created attachment 310791 [details]
avcs from /var/log/audit/audit.log

obscured hostname and username after attempting ssh login
Comment 8 Daniel Walsh 2008-07-02 14:47:04 EDT
Please attach the output of 

# semodule user -l
# semodule login -l
Comment 9 Daniel Walsh 2008-07-02 16:13:40 EDT
# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
# semanage user -a -S targeted -P user -R guest_r guest_u
# semanage user -a -S targeted -P user -R xguest_r xguest_u

I have a feeling these commands failed to execute on update.

If you execute them now and try to login, it should work.
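Whether the login mappings that the semanage commands in comment 9 are meant to restore are actually present can be checked against saved `semanage login -l` output. The following is an added shell example, not code from the bug report or from the selinux-policy package: it parses a capture of that output (the sample below is constructed in the three-column layout of that era, not a real capture) and checks that a given login maps to the expected SELinux user and MLS/MCS range. The function name, file names and the assumed column layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the SELinux login
# mappings restored by the semanage commands in comment 9 are in place,
# by parsing saved output of "semanage login -l".

# check_login_mapping FILE LOGIN SELINUX_USER MLS_RANGE
# Prints "ok" and returns 0 when LOGIN in FILE maps to SELINUX_USER and
# MLS_RANGE; otherwise prints the reason and returns 1.
check_login_mapping() {
    awk -v login="$2" -v user="$3" -v range="$4" '
        # Data rows have three columns; the header line and blanks are skipped
        # because their first field never equals a login name we look for.
        NF >= 3 && $1 == login {
            found = 1
            if ($2 == user && $3 == range) ok = 1
            else actual = $2 " " $3
        }
        END {
            if (!found) { print "no mapping for " login; exit 1 }
            if (!ok)    { print login " maps to " actual ", expected " user " " range; exit 1 }
            print "ok"
        }' "$1"
}

# Constructed sample captures (assumed three-column layout), not real output.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/good.txt" <<'EOF'
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
EOF
# Same layout with the unconfined_u rows absent (constructed failure case).
cat > "$SAMPLE_DIR/broken.txt" <<'EOF'
Login Name                SELinux User              MLS/MCS Range

system_u                  system_u                  s0-s0:c0.c1023
EOF

# Stand-alone run: report the two logins the comment 9 commands touch.
for f in "$SAMPLE_DIR/good.txt" "$SAMPLE_DIR/broken.txt"; do
    for login in __default__ root; do
        printf '%s %s: %s\n' "$(basename "$f")" "$login" \
            "$(check_login_mapping "$f" "$login" unconfined_u s0-s0:c0.c1023)"
    done
done
```

On a live system the capture would come from `semanage login -l > file`; the check only needs the login, user and range columns, so a missing `__default__` row (the case the constructed broken sample models) is reported distinctly from a row that maps to the wrong user or range.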
Comment 10 Phil Stewart 2008-07-03 05:14:48 EDT
Created attachment 310900 [details]
semodule has unknown options user and login

Both commands fail to execute because of unknown options, user and login.
Comment 11 Phil Stewart 2008-07-03 05:17:13 EDT
Created attachment 310901 [details]
Output from semanage

All commands execute fine but won't work. Tried restorecon again. Still no joy.
Comment 12 Daniel Walsh 2008-07-03 11:22:08 EDT
Sorry meant to say

# semanage user -l
# semanage login -l
Comment 13 Phil Stewart 2008-07-03 11:30:04 EDT
Created attachment 310934 [details]
Output of semanage -l
Comment 14 Daniel Walsh 2008-07-03 16:09:05 EDT
# ls -lZ /etc/pam.d/sshd*
Does your sshd include pam_selinux?

# grep ssh /etc/selinux/targeted/contexts/users/unconfined_u 
system_r:sshd_t:s0		unconfined_r:unconfined_t:s0
 
Comment 15 Phil Stewart 2008-07-04 05:31:50 EDT
[root@purkinje ~]# ls -lZ /etc/pam.d/sshd*
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/pam.d/sshd
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/pam.d/sshd.rpmnew

[root@purkinje ~]# grep ssh /etc/selinux/targeted/contexts/users/unconfined_u
system_r:sshd_t:s0		unconfined_r:unconfined_t:s0
Comment 16 Daniel Walsh 2008-07-07 11:09:47 EDT
Phil, I think there is a line in rpmnew file that needs to be added to your sshd
file.

You need the two pam_selinux lines?

Comment 17 Phil Stewart 2008-07-07 11:19:50 EDT
Daniel,

I'm not sure I understand but are you saying I should only have one item in
/etc/pam.d/sshd* (I assume the first) and any differences in the two files
should be merged?

I don't know if I need the two or not, I haven't done that on purpose!

I diffed the two files:

[root@purkinje ~]# diff /etc/pam.d/sshd /etc/pam.d/sshd.rpmnew 
2d1
< auth	   required	pam_abl.so config=/etc/security/pam_abl.conf
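Review bot: the `auth required pam_abl.so config=/etc/security/pam_abl.conf` line exists only in the installed /etc/pam.d/sshd, not in the packaged sshd.rpmnew, so replacing the file wholesale with the .rpmnew would silently drop that local auth rule; when merging, keep this line and bring across only the session changes from the later hunks.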
7c6,7
< session    optional     pam_keyinit.so force revoke
---
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
9a10,12
> # pam_selinux.so open should only be followed by sessions to be executed in
the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
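Review bot: this hunk re-adds `session optional pam_keyinit.so force revoke` after `session required pam_selinux.so open env_params`, while the 7c6,7 hunk removed it from its earlier position, so the rule is being moved rather than dropped; a hand merge should leave pam_keyinit after the open rule, consistent with the file's own comment that only sessions meant to run in the user context should follow it. Note also that the `# pam_selinux.so open should only be followed by sessions ...` comment is wrapped here onto a second line without a leading `#`; in the file it is a single comment line and should be pasted as one.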
Comment 18 Phil Stewart 2008-07-07 11:25:17 EDT
Daniel,

I thought I might as well try it anyway and it works!

Thank you so much for your help.

Best regards,

Phil
Comment 19 Daniel Walsh 2008-07-07 12:27:45 EDT
SELinux support used to be directly in sshd, but it has been moved directly into
pam.   So if the pam.d files did not update properly you end up with this
problem.  This was done by others, so I was originally confused.  Sorry about
taking so long to figure it out.  
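Tying together the diff in comment 17 and the explanation in comment 19, the following added shell example (not the reporter's or the package's code) checks that a PAM service file carries the pam_selinux session rules in the order the rpmnew's own comments require, and scans a directory for .rpmnew files that still differ from the installed copy. The two sample files are constructed to match the diff in comment 17 and are not the real files; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): detect an unmerged sshd.rpmnew and
# check whether a PAM service file has the pam_selinux session rules in place.

# check_pam_selinux FILE
# Prints "ok" and returns 0 when the first session rule in FILE is
# "session required pam_selinux.so close" and a "pam_selinux.so open" rule
# follows it; otherwise prints the reason and returns 1.
check_pam_selinux() {
    file="$1"
    # Drop comment lines, keep only session rules, collapse whitespace so the
    # rules can be compared regardless of tab/space alignment.
    sessions=$(grep -v '^[[:space:]]*#' "$file" \
        | grep -E '^[[:space:]]*session[[:space:]]' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]\{1,\}/ /g')
    first=$(printf '%s\n' "$sessions" | head -n 1)
    case "$first" in
        "session required pam_selinux.so close"*) ;;
        *) echo "first session rule is not pam_selinux.so close: '$first'"; return 1 ;;
    esac
    if ! printf '%s\n' "$sessions" | grep -q 'pam_selinux.so open'; then
        echo "no pam_selinux.so open rule"; return 1
    fi
    echo "ok"
}

# list_rpmnew DIR
# Prints each DIR/*.rpmnew whose installed counterpart is missing or differs,
# i.e. a package update that still awaits a manual merge.
list_rpmnew() {
    dir="$1"
    for new in "$dir"/*.rpmnew; do
        [ -e "$new" ] || continue
        base="${new%.rpmnew}"
        if [ ! -e "$base" ] || ! cmp -s "$base" "$new"; then
            echo "$new"
        fi
    done
}

# Constructed sample files modelled on the diff in comment 17 (not the real
# /etc/pam.d contents): "sshd" lacks pam_selinux, "sshd.rpmnew" has it.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_abl.so config=/etc/security/pam_abl.conf
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
EOF
cat > "$SAMPLE_DIR/sshd.rpmnew" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
EOF

# Stand-alone run: check both samples and list pending merges.
for f in "$SAMPLE_DIR/sshd" "$SAMPLE_DIR/sshd.rpmnew"; do
    printf '%s: %s\n' "$(basename "$f")" "$(check_pam_selinux "$f")"
done
echo "pending merges:"
list_rpmnew "$SAMPLE_DIR"
```

Pointed at the real directory (`list_rpmnew /etc/pam.d`, then `check_pam_selinux /etc/pam.d/sshd`) this reproduces the diagnosis from comments 15 to 18 without a login attempt: the installed sshd fails on its first session rule, the rpmnew passes, and the .rpmnew shows up as a pending merge.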

