Bug 465283 - SELinux denials on remote root login
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: openssh
Version: 10
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened, SELinux
Reported: 2008-10-02 11:38 EDT by Orion Poplawski
Modified: 2008-11-30 00:39 EST
Doc Type: Bug Fix
Last Closed: 2008-11-30 00:39:38 EST
Description Orion Poplawski 2008-10-02 11:38:12 EDT
Description of problem:

Logging in as root via ssh.

/var/log/messages:Oct  2 09:11:23 test kernel: type=1400 audit(1222960283.046:4): avc:  denied  { search } for  pid=2594 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tclass=key
/var/log/secure:Oct  2 09:11:23 test sshd[2594]: Accepted publickey for root from 192.168.0.72 port 34507 ssh2
/var/log/secure:Oct  2 09:11:23 test sshd[2594]: pam_unix(sshd:session): session opened for user root by (uid=0)

Version-Release number of selected component (if applicable):
openssh-5.1p1-2.fc10.i386
selinux-policy-3.5.9-4.fc10.noarch
Comment 1 Daniel Walsh 2008-10-02 11:53:22 EDT
This is a kernel bug, but I will get rid of the avc for now.

Fixed in selinux-policy-3.5.9-5.fc10.noarch
Comment 2 Matěj Cepl 2008-11-18 09:22:37 EST
Created attachment 323900 [details]
output from SEtroubleshoot

Happens again with

[matej@hubmaier ~]$ rpm -q openssh selinux-policy-targeted kernel
openssh-5.1p1-3.fc10.x86_64
selinux-policy-targeted-3.5.13-18.fc10.noarch
kernel-2.6.27.5-94.fc10.x86_64
kernel-2.6.27.4-79.fc10.x86_64
kernel-2.6.27.5-101.fc10.x86_64
kernel-2.6.27.5-109.fc10.x86_64
[matej@hubmaier ~]$ uname -r
2.6.27.5-109.fc10.x86_64
[matej@hubmaier ~]$
Comment 3 Daniel Walsh 2008-11-18 13:43:19 EST
Well, I run this under audit2allow on selinux-policy-targeted-3.5.13-21.fc10.noarch and it says it should be allowed.
Comment 4 Bug Zapper 2008-11-25 22:28:21 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Orion Poplawski 2008-11-30 00:39:38 EST
I don't see this anymore.
