First Last Prev Next    This bug is not in your last search results.
Bug 477922 - SElinux-targeted policy reverts to broken SSH rules
SElinux-targeted policy reverts to broken SSH rules
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-25 09:30 EST by John Mellor
Modified: 2009-03-23 09:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-23 09:38:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
setroubleshoot output (2.88 KB, text/plain)
2008-12-25 09:32 EST, John Mellor 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description John Mellor 2008-12-25 09:30:58 EST 
Description of problem:
crontab not allowed to start ssh

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-34.fc10.noarch

How reproducible:
every time

Steps to Reproduce:
1. add crontab entries to start/stop ssh to reduce hacker window on opportunity
2. watch, as SElinux policy denies ssh startup
  
Actual results:
ssh not started/stopped

Expected results:
normal ssh startup, as in F9

Additional info:
This is a rule reversion, as this same bug was already fixed in F8/F9 timeframe.

setroubleshoot output attached.
Comment 1 John Mellor 2008-12-25 09:32:15 EST 
Created attachment 327837 [details]
setroubleshoot output
Comment 2 Daniel Walsh 2008-12-27 07:11:20 EST 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-37.fc10

This is actually a change in the kernel or in libc that is causing the problem.  This policy is not in F8 or F9, but that is not your problem.  :^)  So it is a regression and I will get the fix out for you.
Comment 3 John Mellor 2008-12-29 15:42:41 EST 
Where do I get this new selinux-policy-3.5.13-37.fc10
 package?  It is not rolled out to updates-testing.
Comment 4 Daniel Walsh 2009-01-04 12:42:44 EST 
You can download it from koji,   I will push out this update or a newer one once we get back to work tomorrow.
Comment 5 John Mellor 2009-03-21 14:41:34 EDT 
Seems to be working properly now
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.