Bug 567129 - allow sshd_t user_devpts_t:chr_file setattr; needed for sshd to work
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
Duplicates: 567707
Reported: 2010-02-21 19:44 UTC by Bruno Wolff III
Modified: 2010-02-24 17:02 UTC

Last Closed: 2010-02-24 17:02:01 UTC

Description Bruno Wolff III 2010-02-21 19:44:37 UTC
Description of problem:
After a recent upgrade (I am not sure if it was selinux-policy or openssh), ssh connections to the upgraded machines started failing after a password was entered. Switching to permissive prevented the issue. Looking at the audit, I found that adding the rule:
allow sshd_t user_devpts_t:chr_file setattr;
made things work again.

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-22.fc13.i686
selinux-policy-targeted-3.7.9-4.fc13.noarch

How reproducible:
100%

Steps to Reproduce:
1. ssh to the affected server while it is running in enforcing mode
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2010-02-22 20:20:42 UTC
Fixed in selinux-policy-3.7.10-2.fc13

Comment 2 Bruno Wolff III 2010-02-23 17:44:41 UTC
I tested selinux-policy-targeted-3.7.10-2.fc13.noarch and I am still seeing what looks like the same problem:
type=AVC msg=audit(1266946901.773:210): avc:  denied  { setattr } for  pid=5050 comm="sshd" name="7" dev=devpts ino=10 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file

Comment 3 Daniel Walsh 2010-02-23 18:30:36 UTC
Shoot, let's try again.

Fixed in selinux-policy-3.7.10-3.fc13

Comment 4 Daniel Walsh 2010-02-23 18:31:16 UTC
*** Bug 567707 has been marked as a duplicate of this bug. ***

Comment 5 Bruno Wolff III 2010-02-23 22:12:37 UTC
selinux-policy-targeted-3.7.10-3.fc13.noarch does seem to fix the problem.
Thanks!

Comment 6 Vaclav "sHINOBI" Misek 2010-02-24 16:05:45 UTC
I can confirm the fix with selinux-policy-targeted-3.7.10-3.fc13.

