Bug 462231 - SELinux is preventing sshd (sshd_t) "search" to <Unknown> (crond_t).
SELinux is preventing sshd (sshd_t) "search" to <Unknown> (crond_t).
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
12
All Linux
medium Severity medium
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 513462
  Show dependency treegraph
 
Reported: 2008-09-14 12:00 EDT by Dave Jones
Modified: 2015-01-04 17:30 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-05 02:08:11 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dave Jones 2008-09-14 12:00:47 EDT
I have camE set up to scp a jpeg to localhost.  (It doesn't seem to offer a 'just save pics locally' mode).  Every time this happens, I get an AVC..

host=gelk.kernelslacker.org type=AVC msg=audit(1221407938.306:4261): avc: denied { search } for pid=18666 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key 

host=gelk.kernelslacker.org type=SYSCALL msg=audit(1221407938.306:4261): arch=c000003e syscall=250 success=yes exit=1007585457 a0=0 a1=fffffffd a2=0 a3=35ec260 items=0 ppid=2448 pid=18666 auid=4294967295 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) 


selinux-policy-3.3.1-87.fc9
selinux-policy-targeted-3.3.1-87.fc9.noarch
Comment 1 Daniel Walsh 2008-09-15 13:54:04 EDT
You can just ignore this.

I have no idea of why it is happening.  Looks like sshd somehow has gotten seeing a key tab owned by crond_t.  I guess something in the kernel is looking through all of the keyrings context and generating these AVCs.
Comment 2 Daniel Walsh 2008-09-15 14:06:33 EDT
I can dontaudit or allow this,  But I think this could be a bug in the kernel.

Some api that sshd is calling is causing this avc to be triggered.
Comment 3 Dave Jones 2008-09-15 18:36:02 EDT
$ sudo grep 06f27a55-eba1-4903-be3b-372d535d92d6 /var/log/messages* | wc -l
19913

kind of hard to ignore.
hopefully I won't run out of diskspace before I get home :-)
Comment 4 Stephen Smalley 2008-09-16 09:37:16 EDT
I agree that it looks like a bug in the kernel keyring support - punting to David Howells for clarification.  SELinux labels keys based on their creator or based on the context the creator specified using setkeycreatecon(3).  I don't know why a key created by crond is being encountered by sshd on a lookup.

Possible workaround to silence the noise in the interim:
$ cat quietkey.te
policy_module(quietkey, 1.0)
require {
    type sshd_t;
    type crond_t;
}

dontaudit sshd_t crond_t:key search;
$ make -f /usr/share/selinux/devel/Makefile quietkey.pp
$ sudo semodule -i quietkey.pp
Comment 5 David Howells 2008-10-02 12:45:40 EDT
My guess is that the problem is not a kernel bug, but results from a feature mandated by Linus.

There are shared keyrings for each UID (user and user session keyrings), but these pick up the security label of whatever creates them and then are stuck with it, but such a keyring, once created, is automatically shared between all the processes that use that UID.

Does your /etc/pam.d/crond or /etc/pam.d/system-auth invoke pam_keyinit.so?
Comment 6 Daniel Walsh 2008-10-02 13:04:12 EDT
I am pretty sure they do.
Comment 7 Dave Jones 2008-10-02 14:06:39 EDT
crond doesn't, system-auth does
Comment 8 Daniel Walsh 2008-10-03 09:48:20 EDT
I just believe the kernel should not be reporting this as an AVC, it should be allowed.  If every keyring created for a user is going to require all domains that create keyrings to be able to search them, then there is little reason to deny.
Comment 9 Stephen Smalley 2008-10-03 09:55:48 EDT
Why isn't pam_keyinit using setkeycreatecon() to set the context for the key to something appropriate for the user whose keyring it is?
Comment 10 Stephen Smalley 2008-10-03 09:57:56 EDT
Also, if such sharing is mandated, how do we actually protect one program from misusing keys created by another program under the same uid?  Do we need per-context keyrings?
Comment 11 David Howells 2008-10-03 11:53:13 EDT
> Also, if such sharing is mandated, how do we actually protect one program
> from misusing keys created by another program under the same uid?  Do we
> need per-context keyrings?

The whole point of per-UID shared keyrings is that the keys in them are shared.  Misuse is something you might just have to live with.  If you don't want your keys to be misused, don't put them in the per-UID shared keyrings.

That said, any key that is in the per-UID shared keyring has all operations on it approved by SELinux.  That means a process can be restricted to only being able to find out the key ID of a key in one of these keyrings; the view, read, write, setattr, link and search attributes on a key can all be denied by SELinux, preventing a process from effectively doing anything with it.

There is, however, nothing to stop a process unlinking a specific key from those keyrings.  All that SELinux can see is that the keyring is being 'written'.  Also, there's nothing to stop a process finding the key ID by listing the keyring.  That's an all-or-nothing 'read' op on the keyring.  These two circumstances could be dealt with.

Another option is to make per-UID keyrings unavailable if SELINUX is enabled.  I'd need to check with Linus if he's happy to do this.  My original idea for how these might be used was for storing equivalent user identities, such as a SMB/CIFS/FAT/VFAT/NTFS user ID.  However, that's probably better stored in a session keyring.
Comment 12 Bug Zapper 2009-06-09 22:42:45 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Bug Zapper 2009-11-16 04:26:41 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 14 Bug Zapper 2010-11-04 07:47:36 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 15 Bug Zapper 2010-12-05 02:08:11 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.