Bug 477922 - SElinux-targeted policy reverts to broken SSH rules
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-12-25 09:30 EST by John Mellor
Modified: 2009-03-23 09:38 EDT
Doc Type: Bug Fix
Last Closed: 2009-03-23 09:38:35 EDT

Attachments:
setroubleshoot output (2.88 KB, text/plain), 2008-12-25 09:32 EST, John Mellor

Description John Mellor 2008-12-25 09:30:58 EST
Description of problem:
crontab not allowed to start ssh

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. add crontab entries to start/stop ssh to reduce hacker window of opportunity
2. watch, as SElinux policy denies ssh startup
Actual results:
ssh not started/stopped

Expected results:
normal ssh startup, as in F9

Additional info:
This is a rule reversion, as this same bug was already fixed in F8/F9 timeframe.

setroubleshoot output attached.
Comment 1 John Mellor 2008-12-25 09:32:15 EST
Created attachment 327837
setroubleshoot output
Comment 2 Daniel Walsh 2008-12-27 07:11:20 EST
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-37.fc10

This is actually a change in the kernel or in libc that is causing the problem.  This policy is not in F8 or F9, but that is not your problem.  :^)  So it is a regression and I will get the fix out for you.
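
Added example (not part of the original comment and not code from the selinux-policy project): the grep in the workaround above passes every AVC denial in audit.log to audit2allow, so the generated module allows all of them, not only the cron/ssh one. This Python script groups denials by source domain, target type and class for review, and filters the log to one domain first; the log lines and type names in it are constructed samples, not the contents of the bug's attachment.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (NOT taken from the attachment on this bug).
SAMPLE_LOG = '''\
type=AVC msg=audit(1230215400.101:41): avc:  denied  { read write } for  pid=2301 comm="sshd" path="/tmp/example" dev=dm-0 ino=1201 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1230215400.101:41): arch=40000003 syscall=11 success=yes exit=0 comm="sshd"
type=AVC msg=audit(1230215400.102:42): avc:  denied  { getattr } for  pid=2301 comm="sshd" path="/tmp/example" dev=dm-0 ino=1201 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
type=AVC msg=audit(1230219000.555:97): avc:  denied  { name_connect } for  pid=3110 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    # Context is user:role:type[:level]; the MLS level may itself contain colons.
    return context.split(':', 3)[2]

def summarize(log_text):
    """Group denials by (source type, target type, class) -> perms and comms."""
    rules = defaultdict(lambda: {'perms': set(), 'comms': set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC records (SYSCALL, etc.) are skipped
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        rules[key]['perms'].update(m['perms'].split())
        rules[key]['comms'].add(m['comm'])
    return dict(rules)

def lines_for_domain(log_text, source_type):
    """Return only the AVC lines whose source domain is source_type."""
    keep = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and selinux_type(m['scon']) == source_type:
            keep.append(line)
    return keep

if __name__ == '__main__':
    for (src, tgt, cls), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(info['perms']))} }};"
              f"  # comm={','.join(sorted(info['comms']))}")
```

The lines returned by lines_for_domain() can be piped to audit2allow -M in place of the unfiltered grep output, so the module covers only the domain that was reviewed.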
Comment 3 John Mellor 2008-12-29 15:42:41 EST
Where do I get this new selinux-policy-3.5.13-37.fc10 package?  It is not rolled out to updates-testing.
Comment 4 Daniel Walsh 2009-01-04 12:42:44 EST
You can download it from koji. I will push out this update or a newer one once we get back to work tomorrow.
Comment 5 John Mellor 2009-03-21 14:41:34 EDT
Seems to be working properly now
