Summary: SELinux is preventing /usr/sbin/sshd "sys_nice" access.

Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context       system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context       system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Objects       None [ capability ]
Source               sshd
Source Path          /usr/sbin/sshd
Port                 <Unknown>
Host                 (removed)
Source RPM Packages  openssh-server-5.2p1-31.fc12
Target RPM Packages
Policy RPM           selinux-policy-3.6.32-89.fc12
Selinux Enabled      True
Policy Type          targeted
Enforcing Mode       Permissive
Plugin Name          catchall
Host Name            (removed)
Platform             Linux grommit.se 2.6.31.12-174.2.22.fc12.x86_64 #1 SMP Fri Feb 19 18:55:03 UTC 2010 x86_64 x86_64
Alert Count          5
First Seen           mån 22 feb 2010 12.35.21
Last Seen            mån 22 feb 2010 20.36.41
Local ID             eb805309-147d-4f94-91de-75adebfd2954
Line Numbers

Raw Audit Messages:
node=grommit.se type=AVC msg=audit(1266867401.810:598): avc: denied { sys_nice } for pid=8656 comm="sshd" capability=23 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
node=grommit.se type=SYSCALL msg=audit(1266867401.810:598): arch=c000003e syscall=144 success=yes exit=128 a0=21d0 a1=0 a2=7fffb278f330 a3=7fffb278f090 items=0 ppid=1523 pid=8656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,sshd,sshd_t,sshd_t,capability,sys_nice
audit2allow suggests:

#============= sshd_t ==============
allow sshd_t self:capability sys_nice;
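A triage sketch for the two raw audit records in the report, added here as an example and not part of the original bug thread or of audit2allow: it pairs the AVC and SYSCALL records by event serial, rebuilds the allow rule, and names the system call that needed the capability. The function names and the partial x86_64 syscall table are assumptions of this example; the SYSCALL record is shortened.

```python
import re

# Sample input: the AVC/SYSCALL pair from the report (SYSCALL record shortened).
SAMPLE = '''node=grommit.se type=AVC msg=audit(1266867401.810:598): avc: denied { sys_nice } for pid=8656 comm="sshd" capability=23 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
node=grommit.se type=SYSCALL msg=audit(1266867401.810:598): arch=c000003e syscall=144 success=yes exit=128 a0=21d0 a1=0 items=0 ppid=1523 pid=8656 uid=0 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)'''

# Partial x86_64 syscall table (arch=c000003e): scheduling-related calls only.
X86_64_SYSCALLS = {141: "setpriority", 142: "sched_setparam",
                   144: "sched_setscheduler", 203: "sched_setaffinity"}

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial so AVC and SYSCALL can be paired."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:
            fields["perms"] = p.group(1).split()
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def triage(event):
    """Return the candidate allow rule plus the syscall context for review."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src = avc["scontext"].split(":")[2]          # type field of the context
    tgt = avc["tcontext"].split(":")[2]
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    known_arch = sc.get("arch") == "c000003e" and "syscall" in sc
    num = int(sc["syscall"]) if known_arch else None
    return {
        "rule": f"allow {src} {target}:{avc['tclass']} {perm};",
        "syscall": X86_64_SYSCALLS.get(num, f"unknown({num})"),
        # success=yes next to a denial means the access was logged, not blocked
        "allowed_anyway": sc.get("success") == "yes",
        "exe": sc.get("exe"),
    }
```

For the report's event 598 this yields the same rule audit2allow printed and resolves syscall 144 to sched_setscheduler, a scheduling call made by /usr/sbin/sshd itself.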
Might not be a bug. Did a restorecon -R -v . on the file system but could not see any relevant files with affected/changed labels but since then no further reports so far. I suspected sshd when reading .ssh/authorized_keys but I don't really understand this.
No, this is not related to labels. But it seems legit. Could sshd be setting the priority of login sessions? Miroslav, add sys_nice to ssh_server_templat
> Could sshd be setting the priority of login sessions?

Yes, I believe it can be. My guess is that it happens with ssh login using RSA public-key authentication instead of password. I am quite sure it started when I configured this when setting up a reverse tunnel from another host.
Fixed in selinux-policy-3.6.32-92.fc12
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.