Bug 543525 - AVC denials under RHTS (openssh/sshd/sanity test)
Summary: AVC denials under RHTS (openssh/sshd/sanity test)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-12-02 15:31 UTC by Miroslav Vadkerti
Modified: 2009-12-23 16:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-23 16:31:33 UTC
Target Upstream Version:
Embargoed:



Description Miroslav Vadkerti 2009-12-02 15:31:16 UTC
Description of problem:
When running the RHTS test (/CoreOS/openssh/sshd/sanity) with SELinux in enforcing mode I get the following AVC denials:
type=AVC msg=audit(1259764917.385:27): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764917.386:28): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:29): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:30): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.698:31): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.698:32): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.532:39): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764918.532:40): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:41): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:42): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:43): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:44): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764921.095:47): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764921.096:48): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:49): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:50): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.870:51): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.871:52): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Run test /CoreOS/openssh/sshd/sanity with SELinux enabled (it's disabled for now), see RHTS job https://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=105338
  
Actual results:
AVC denials (have to run semodule -b enableaudit.pp to get them)

Expected results:
No AVC denials

Additional info:
These AVC denials appear only when the test is run in RHTS; manual runs (which run in another SELinux context) don't show these denials.

These denials also appear in RHEL6.

Comment 1 Miroslav Vadkerti 2009-12-02 15:33:51 UTC
Example of failed RHEL6 job, AVC denials not shown:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=104047

Comment 2 Daniel Walsh 2009-12-02 18:24:18 UTC
What is the goal of the test? If it is to simulate a user running the test, then the test should be run with a runcon command:

runcon -t unconfined_t ssh-keygen

Currently you are running it via initrc, which is causing a transition that simulates initrc running ssh-keygen.
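The diagnosis above rests on one field of the audit records: the source context of every denial is ssh_keygen_t, which is the domain the policy transitions into when ssh-keygen is started from an initrc context, not the unconfined_t a logged-in user would get. The following script is an added example, not part of the bug report or of any Red Hat tool; it parses AVC records in the format quoted in the description, collapses them into unique (source type, target type, class) triples with their permissions (the same grouping audit2allow performs), and reports which commands ran in a domain other than the one the test intended. The sample lines are constructed from the report, plus one non-AVC record to show that other audit types are skipped. Rendering the triples as allow rules is for reading only: as the bug's NOTABUG resolution shows, the right fix here is to run the test in the intended context, not to widen the policy.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines in the format quoted in the bug report, plus
# one non-AVC record (USER_START) that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1259764917.385:27): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764917.386:28): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:29): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:30): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:49): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=USER_START msg=audit(1259764921.900:53): user pid=3201 uid=0 msg='op=PAM:session_open acct="root"'
"""

# Fixed prefix of an AVC record: timestamp:serial, the decision, the
# permission set in braces, then free-form key=value fields.
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group("fields"))}
    rec["action"] = m.group("action")
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """user:role:type:level -> type (the part SELinux policy rules name)."""
    return context.split(":")[2]


def summarize(text):
    """Collapse denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """audit2allow-style rendering of the summary, for reading, not loading."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in rules.items()
    )


def unexpected_domains(text, expected="unconfined_t"):
    """Commands denied while running in a domain other than `expected`.

    Returns {comm: {source_type, ...}}; a non-empty result means the process
    reached the denied operation through a domain transition the test did not
    intend (here: initrc -> ssh_keygen_t instead of a user's unconfined_t).
    """
    found = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        domain = type_of(rec["scontext"])
        if domain != expected:
            found[rec.get("comm", "?")].add(domain)
    return dict(found)


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT)
    for rule in render_allow_rules(summary):
        print(rule)
    print("ran outside expected domain:", unexpected_domains(SAMPLE_AUDIT))
```

Run against a real log (`ausearch -m AVC` output or /var/log/audit/audit.log), the summary shrinks a long stream of repeated records to the handful of distinct denials, and `unexpected_domains` answers Dan's question directly: if ssh-keygen shows up as ssh_keygen_t rather than unconfined_t, the harness launched it through an initrc transition and the fix belongs in how the test is invoked, not in the policy.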

Comment 3 Miroslav Vadkerti 2009-12-02 19:00:17 UTC
Thanks Dan, I will try it with this and report back.

