Bug 567129 - allow sshd_t user_devpts_t:chr_file setattr; needed for sshd to work
Product: Fedora
Classification: Fedora
Component: openssh
All Linux
low Severity medium
Assigned To: Jan F. Chadima
Fedora Extras Quality Assurance
: SELinux
: 567707 (view as bug list)
Reported: 2010-02-21 14:44 EST by Bruno Wolff III
Modified: 2010-02-24 12:02 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-02-24 12:02:01 EST
Description Bruno Wolff III 2010-02-21 14:44:37 EST
Description of problem:
After a recent upgrade (I am not sure if it was selinux-policy or open ssh), ssh connections to the upgraded machines started failing after a password was entered. Switching to permissive prevented the issue. Looking at the audit, I found that adding the rule:
allow sshd_t user_devpts_t:chr_file setattr;
made things work again.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ssh to the affected server while it is running in enforcing mode
Actual results:

Expected results:

Additional info:
Comment 1 Daniel Walsh 2010-02-22 15:20:42 EST
Fixed in selinux-policy-3.7.10-2.fc13
Comment 2 Bruno Wolff III 2010-02-23 12:44:41 EST
I tested selinux-policy-targeted-3.7.10-2.fc13.noarch and I am still seeing what looks like the same problem:
type=AVC msg=audit(1266946901.773:210): avc:  denied  { setattr } for  pid=5050 comm="sshd" name="7" dev=devpts ino=10 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
Comment 3 Daniel Walsh 2010-02-23 13:30:36 EST
Shoot, let's try again.

Fixed in selinux-policy-3.7.10-3.fc13
Comment 4 Daniel Walsh 2010-02-23 13:31:16 EST
*** Bug 567707 has been marked as a duplicate of this bug. ***
Comment 5 Bruno Wolff III 2010-02-23 17:12:37 EST
selinux-policy-targeted-3.7.10-3.fc13.noarch does seem to fix the problem.
Comment 6 Vaclav "sHINOBI" Misek 2010-02-24 11:05:45 EST
I can confirm the fix with selinux-policy-targeted-3.7.10-3.fc13.
