Bug 477922 - SElinux-targeted policy reverts to broken SSH rules
Summary: SElinux-targeted policy reverts to broken SSH rules
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-12-25 14:30 UTC by John Mellor
Modified: 2009-03-23 13:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-03-23 13:38:35 UTC
Type: ---
Embargoed:


Attachments
setroubleshoot output (2.88 KB, text/plain)
2008-12-25 14:32 UTC, John Mellor

Description John Mellor 2008-12-25 14:30:58 UTC
Description of problem:
crontab not allowed to start ssh

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-34.fc10.noarch

How reproducible:
every time

Steps to Reproduce:
1. add crontab entries to start/stop ssh to reduce hacker window of opportunity
2. watch, as SElinux policy denies ssh startup
  
Actual results:
ssh not started/stopped

Expected results:
normal ssh startup, as in F9

Additional info:
This is a rule reversion, as this same bug was already fixed in F8/F9 timeframe.

setroubleshoot output attached.

Comment 1 John Mellor 2008-12-25 14:32:15 UTC
Created attachment 327837 [details]
setroubleshoot output

Comment 2 Daniel Walsh 2008-12-27 12:11:20 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-37.fc10

This is actually a change in the kernel or in libc that is causing the problem.  This policy is not in F8 or F9, but that is not your problem.  :^)  So it is a regression and I will get the fix out for you.
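
The audit2allow command above turns every AVC denial in the log into an allow rule, so it pays to see which source type, target type, class and permissions the denials actually involve before running semodule -i. The script below is an added example, not part of this bug report or of Fedora's tooling; the audit records it parses are constructed, and the function name avc_summary is assumed.

```shell
#!/bin/sh
# Added example: summarize AVC denials so the rules audit2allow would
# generate can be reviewed before a module is installed with semodule -i.

# Print one line per distinct (source type, target type, class, permissions)
# with a count, reading type=AVC records from the file named in $1.
avc_summary() {
  grep 'type=AVC' "$1" |
    sed -n 's/.*denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    sed 's/ *$//' | sort | uniq -c | sed 's/^ *//'
}

# Keep only the AVC records for one command name, so that what is piped
# into audit2allow is limited to the process being investigated.
avc_for_comm() {
  grep 'type=AVC' "$2" | grep "comm=\"$1\""
}

# Constructed sample audit records (not the setroubleshoot attachment from
# this bug): crond denied execute/read/open on the sshd binary.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1230215400.123:45): avc:  denied  { execute } for  pid=1234 comm="crond" name="sshd" dev=sda1 ino=12345 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=AVC msg=audit(1230215400.124:46): avc:  denied  { read open } for  pid=1234 comm="crond" name="sshd" dev=sda1 ino=12345 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=AVC msg=audit(1230215460.001:47): avc:  denied  { execute } for  pid=1240 comm="crond" name="sshd" dev=sda1 ino=12345 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1230215400.123:45): arch=c000003e syscall=59 success=no exit=-13
EOF

# Review first; on a real system the narrowed records would then be piped
# into audit2allow -M mypol as in the comment above.
avc_summary "$SAMPLE_LOG"
avc_for_comm crond "$SAMPLE_LOG" | wc -l
```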

Comment 3 John Mellor 2008-12-29 20:42:41 UTC
Where do I get this new selinux-policy-3.5.13-37.fc10 package?  It is not rolled out to updates-testing.

Comment 4 Daniel Walsh 2009-01-04 17:42:44 UTC
You can download it from koji.  I will push out this update or a newer one once we get back to work tomorrow.

Comment 5 John Mellor 2009-03-21 18:41:34 UTC
Seems to be working properly now
