Bug 459510 - SELinux is preventing /usr/sbin/sshd (sshd_t) "append" to (var_log_t).
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-08-19 11:49 EDT by David Lee Lambert
Modified: 2008-08-29 12:49 EDT
Doc Type: Bug Fix
Last Closed: 2008-08-29 12:49:09 EDT

Attachments: None
Description David Lee Lambert 2008-08-19 11:49:32 EDT
Description of problem:

sshd won't start with SELinux enabled.

Version-Release number of selected component (if applicable):

  Affected RPM Packages:  openssh-server-4.7p1-2.fc8 [application]
  Policy RPM:  selinux-policy-3.0.8-44.fc8
  Selinux Enabled:  True
  Policy Type:  targeted
  MLS Enabled:  True
  Enforcing Mode:  Enforcing

Steps to Reproduce:

1.  /etc/init.d/sshd start
Actual results:

Starting sshd: /etc/init.d/sshd: line 111: /usr/sbin/sshd: Permission denied

Expected results:

Daemon should start
Comment 1 Daniel Walsh 2008-08-20 07:11:25 EDT
What is the AVC you are seeing?

grep avc /var/log/audit/audit.log

I know of no log file that ssh would need to append to.

You should also update to the latest selinux policy for fc8

yum -y upgrade selinux-policy

You might want to update your whole system

yum -y upgrade
Comment 2 David Lee Lambert 2008-08-20 10:23:17 EDT
type=AVC msg=audit(1219161384.508:133): avc:  denied  { append } for  pid=23367 comm="sshd" name="btmp" dev=dm-0 ino=851979 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1219161384.604:134): avc:  denied  { getattr } for  pid=23367 comm="sshd" path="/var/log/btmp" dev=dm-0 ino=851979 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

sshd is also configured to log via syslog; but I believe it writes to /dev/log, context "unconfined_u:object_r:devlog_t:s0", so that can't be the problem here.

This is after a "yum -y upgrade" and "yum remove openssh-server; yum install openssh-server".
Comment 3 Daniel Walsh 2008-08-29 12:49:09 EDT
restorecon /var/log/btmp

Should fix. Somehow this got the wrong context on it. Did someone/process delete and recreate the file?
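The AVC records in Comment 2 and the restorecon fix in Comment 3 are the two halves of a standard SELinux triage: parse the denial to get the source domain, target type, object class and the object involved, then decide whether the file is merely mislabeled (fixed by restorecon) or the policy genuinely lacks the rule (the case for audit2allow or a policy bug). The POSIX sh script below is an added example, not part of this bug report or of selinux-policy. The two log lines are constructed copies of the ones posted in Comment 2; the expected type faillog_t for /var/log/btmp is an assumption taken from the policy's file_contexts and should be confirmed on the actual system with `matchpathcon -n /var/log/btmp`; `summarize_avc` and `label_action` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the bug report): triage SELinux AVC denials and
# decide between "relabel the file" and "the policy really lacks a rule".

# Constructed copies of the two AVC records posted in Comment 2 of this bug.
AVC_SAMPLE='type=AVC msg=audit(1219161384.508:133): avc:  denied  { append } for  pid=23367 comm="sshd" name="btmp" dev=dm-0 ino=851979 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1219161384.604:134): avc:  denied  { getattr } for  pid=23367 comm="sshd" path="/var/log/btmp" dev=dm-0 ino=851979 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# summarize_avc LOGTEXT
#   Prints one line per denial:  PERM SRC_TYPE -> TGT_TYPE:CLASS OBJECT
#   The object comes from path= when present, otherwise from name=
#   (the first record above carries only name="btmp", no full path).
summarize_avc() {
  printf '%s\n' "$1" | awk '
    /avc: *denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""; obj = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") perm = $(i + 1)                  # token after "{" in "{ append }"
        if ($i ~ /^scontext=/) { split($i, a, "="); split(a[2], b, ":"); src = b[3] }
        if ($i ~ /^tcontext=/) { split($i, a, "="); split(a[2], b, ":"); tgt = b[3] }
        if ($i ~ /^tclass=/)   { split($i, a, "="); cls = a[2] }
        if ($i ~ /^(path|name)=/) { split($i, a, "="); obj = a[2]; gsub(/"/, "", obj) }
      }
      print perm, src, "->", tgt ":" cls, obj
    }'
}

# label_action PATH OBSERVED_TYPE EXPECTED_TYPE
#   OBSERVED_TYPE is the tcontext type from the AVC; EXPECTED_TYPE is what the
#   file_contexts database says the path should carry (on a real system:
#   matchpathcon -n PATH | cut -d: -f3). A mismatch means relabel, not new policy.
label_action() {
  path=$1; observed=$2; expected=$3
  if [ "$observed" != "$expected" ]; then
    printf 'restorecon -v %s\n' "$path"
  else
    printf 'label ok; policy lacks the rule (use audit2allow or file a policy bug)\n'
  fi
}

# Stand-alone run. faillog_t is an ASSUMPTION about what file_contexts maps
# /var/log/btmp to; confirm with matchpathcon on the system being debugged.
summarize_avc "$AVC_SAMPLE"
label_action /var/log/btmp var_log_t faillog_t
```

The order matters: run audit2allow only after `ls -Z` and `matchpathcon` agree that the file's label is what the policy expects, otherwise a one-off mislabeling (a log file deleted and recreated by an unconfined process, as suspected here) gets baked into a local policy module as an allow rule from sshd_t to var_log_t, which is far broader than the access sshd actually needs.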
