Bug 543525 - AVC denials under RHTS (openssh/sshd/sanity test)
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware/OS: All Linux
Priority: medium  Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2009-12-02 10:31 EST by Miroslav Vadkerti
Modified: 2009-12-23 11:31 EST
Doc Type: Bug Fix
Last Closed: 2009-12-23 11:31:33 EST

Attachments: None
Description Miroslav Vadkerti 2009-12-02 10:31:16 EST
Description of problem:
When running RHTS test (/CoreOS/openssh/sshd/sanity) with SELinux in enforcing mode I get the following AVC denials:
type=AVC msg=audit(1259764917.385:27): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764917.386:28): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:29): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:30): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.698:31): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.698:32): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.532:39): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764918.532:40): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:41): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:42): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:43): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:44): avc:  denied  { search } for  pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764921.095:47): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764921.096:48): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:49): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:50): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.870:51): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.871:52): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Run test /CoreOS/openssh/sshd/sanity with SELinux enabled (it's disabled for now), see RHTS job https://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=105338
  
Actual results:
AVC denials (have to run semodule -b enableaudit.pp to get them)

Expected results:
No AVC denials

Additional info:
These AVC denials appear only when the test is run in RHTS; manual runs (which run in another SELinux context) don't show these denials.

These denials also appear in RHEL6.
Comment 1 Miroslav Vadkerti 2009-12-02 10:33:51 EST
Example of failed RHEL6 job, AVC denials not shown:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=104047
Comment 2 Daniel Walsh 2009-12-02 13:24:18 EST
What is the goal of the test?  If it is to simulate a user running the test, then the test should be run with a runcon command

runcon -t unconfined_t ssh-keygen

Currently you are running it via initrc which is causing a transition that simulates initrc running ssh-keygen
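Added example (not from the bug report or from the selinux-policy project): a small parser that collapses the repeated AVC records quoted in the description into distinct (source type, target type, class, permission) tuples and lists the process domains involved. Seeing every denial come from ssh_keygen_t rather than unconfined_t is exactly the evidence for the initrc transition described in this comment. The sample input is a subset of the lines quoted above; the function names parse_avc, summarize_denials and source_domains are this example's own.

```python
import re
from collections import Counter

# Sample input: four of the AVC records quoted in the bug description above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1259764917.385:27): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:29): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:30): avc:  denied  { search } for  pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:49): avc:  denied  { search } for  pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
"""

# Fields of an audit AVC record: verdict, permission set, command, source/target context, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    rec["stype"] = rec["scontext"].split(":")[2]  # type field of the process (source) context
    rec["ttype"] = rec["tcontext"].split(":")[2]  # type field of the object (target) context
    return rec

def summarize_denials(text):
    """Collapse repeated denials into (source type, target type, class, permission) -> count."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def source_domains(text):
    """Distinct process domains that were denied; only ssh_keygen_t appears for the RHTS run."""
    recs = (parse_avc(line) for line in text.splitlines())
    return sorted({r["stype"] for r in recs if r and r["verdict"] == "denied"})

if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT).items()):
        print(f"{n:3d}x {key[0]} -> {key[1]} ({key[2]}:{key[3]})")
```

Running it against a full audit.log (or the output of ausearch -m AVC) gives the deduplicated view a policy engineer needs before deciding whether the fix belongs in the policy or, as here, in how the test harness launches the command.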
Comment 3 Miroslav Vadkerti 2009-12-02 14:00:17 EST
Thanks Dan, I will try it with this and report back.
