Bug 591680 - SELinux is preventing /usr/sbin/sshd "getattr" access on /sbin/shutdown.
Summary: SELinux is preventing /usr/sbin/sshd "getattr" access on /sbin/shutdown.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f92caddd084...
Depends On:
Blocks:
 
Reported: 2010-05-12 20:07 UTC by Florian van Oudgaarden
Modified: 2010-05-28 18:02 UTC (History)

Fixed In Version: selinux-policy-3.7.19-21.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-28 18:02:18 UTC
Type: ---
Embargoed:



Description Florian van Oudgaarden 2010-05-12 20:07:15 UTC
Summary:

SELinux is preventing /usr/sbin/sshd "getattr" access on /sbin/shutdown.

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shutdown_exec_t:s0
Target Objects                /sbin/shutdown [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openssh-server-5.4p1-1.fc13
Target RPM Packages           upstart-0.6.5-5.fc13
Policy RPM                    selinux-policy-3.7.19-13.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux tb-223976.tribase.nl 2.6.33.3-85.fc13.x86_64
                              #1 SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 05 May 2010 15:18:23 CEST
Last Seen                     Wed 12 May 2010 17:26:31 CEST
Local ID                      e5609ec4-2d28-47ca-93d3-cd06016a0d0f
Line Numbers                  

Raw Audit Messages 

node=tb-223976.tribase.nl type=AVC msg=audit(1273677991.803:27922): avc:  denied  { getattr } for  pid=8987 comm="sshd" path="/sbin/shutdown" dev=dm-1 ino=1966132 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file

node=tb-223976.tribase.nl type=SYSCALL msg=audit(1273677991.803:27922): arch=c000003e syscall=4 success=no exit=-13 a0=7ff097fdc5c0 a1=7fffa511e460 a2=7fffa511e460 a3=f items=0 ppid=1699 pid=8987 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,sshd,sshd_t,shutdown_exec_t,file,getattr
audit2allow suggests:

#============= sshd_t ==============
allow sshd_t shutdown_exec_t:file getattr;

Comment 1 Daniel Walsh 2010-05-12 20:31:38 UTC
What did you do to cause this AVC?

Comment 2 Jan-Frode Myklebust 2010-05-17 09:10:06 UTC
I can't read Dutch that well, but I believe I'm seeing this same problem. Whenever someone tries to log in as user "shutdown", I'm getting this denial:

42. 17. mai 2010 02:57:26 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 4 file getattr system_u:object_r:shutdown_exec_t:s0 denied 390

and sshd is logging:

May 17 02:57:26 localhost sshd[3906]: User shutdown not allowed because shell /sbin/shutdown does not exist


So I guess sshd is trying to check if the user's shell exists before it authenticates the user ?? Seems strange. 

BTW: It's 100% reproducible.. Just try "ssh shutdown@localhost".

Comment 3 Daniel Walsh 2010-05-17 12:37:04 UTC
So you have set up a user whose shell is /sbin/shutdown?

Comment 4 Jan-Frode Myklebust 2010-05-17 17:29:55 UTC
No, fedora-13-beta did that for me by default.

Comment 5 Jan-Frode Myklebust 2010-05-17 17:32:51 UTC
[root@localhost ~]# grep shutdown /etc/passwd /etc/shadow
/etc/passwd:shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
/etc/shadow:shutdown:*:14715:0:99999:7:::
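The chain described in Comments 2 through 5 (a remote login attempt as "shutdown", sshd stat()ing that account's login shell before authentication, the getattr denial on shutdown_exec_t, and sshd's "shell does not exist" message) can be reconstructed from the logs alone. The following script is an added example for this thread; it is not code from the report, from setroubleshoot or from openssh. It parses a raw AVC record into its fields, reads the login shells from passwd data, and ties a denied getattr on a file back to the account whose shell that file is, reproducing the audit2allow rule printed above. The sample audit record, sshd log line and passwd entry are copied from the thread; the function names and the `root` passwd line are my own.

```python
"""Correlate an SELinux AVC denial with sshd's login-shell check.

Added example for Fedora bug 591680 (not the report's, setroubleshoot's or
openssh's own code). The audit record, sshd message and shutdown passwd
entry are copied from the thread; the root passwd line is constructed.
"""
import re
from typing import Optional

# An AVC record reads "... avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+"
    r"(?P<rest>.*)$"
)
# key=value pairs; quoted values (comm, path) may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# sshd's message when the login shell cannot be stat()ed (also logged when
# SELinux denies getattr, which sshd cannot tell apart from a missing file)
SSHD_SHELL_RE = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) not allowed because shell "
    r"(?P<shell>\S+) does not exist"
)


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # user:role:type[:range] -> keep the type, which is what policy rules name
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def parse_passwd(text: str) -> dict:
    """Map user name -> login shell from /etc/passwd-formatted text."""
    shells = {}
    for row in text.splitlines():
        fields = row.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def explain_denial(avc: Optional[dict], shells: dict, sshd_log: list) -> Optional[dict]:
    """Tie a denied getattr on a file to the account whose login shell it is.

    Returns the account, the AVC types involved and the allow rule audit2allow
    would print, or None if the denial does not fit the login-shell pattern.
    """
    if avc is None or avc.get("decision") != "denied" or avc.get("comm") != "sshd":
        return None
    if avc.get("tclass") != "file" or "getattr" not in avc["perms"]:
        return None
    path = avc.get("path")
    users = [u for u, sh in shells.items() if sh == path]
    for line in sshd_log:
        m = SSHD_SHELL_RE.search(line)
        if m and m.group("shell") == path and m.group("user") in users:
            return {
                "user": m.group("user"),
                "shell": path,
                "source_type": avc["scontext_type"],
                "target_type": avc["tcontext_type"],
                "audit2allow": "allow %s %s:%s %s;" % (
                    avc["scontext_type"], avc["tcontext_type"],
                    avc["tclass"], " ".join(avc["perms"])),
            }
    return None


# Sample input: the AVC and sshd line from the thread, plus a constructed
# passwd snippet containing the thread's shutdown entry.
AVC_LINE = (
    'node=tb-223976.tribase.nl type=AVC msg=audit(1273677991.803:27922): avc:  '
    'denied  { getattr } for  pid=8987 comm="sshd" path="/sbin/shutdown" '
    'dev=dm-1 ino=1966132 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file'
)
PASSWD = "root:x:0:0:root:/root:/bin/bash\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n"
SSHD_LOG = [
    "May 17 02:57:26 localhost sshd[3906]: User shutdown not allowed because "
    "shell /sbin/shutdown does not exist",
]

if __name__ == "__main__":
    result = explain_denial(parse_avc(AVC_LINE), parse_passwd(PASSWD), SSHD_LOG)
    print(result)
```

Whether the resulting rule belongs in a local module is a separate decision: it only lets sshd read metadata of /sbin/shutdown, but the thread's resolution was a change in the distribution policy (selinux-policy-3.7.19-18 and later), so on an updated Fedora 13 system no local module is needed. The sshd message is also worth recognizing on its own, since sshd reports a shell it was not allowed to stat as "does not exist".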

Comment 6 Daniel Walsh 2010-05-17 20:37:47 UTC
Fixed in selinux-policy-3.7.19-18.fc13.noarch

Comment 7 Fedora Update System 2010-05-25 14:36:52 UTC
selinux-policy-3.7.19-21.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13

Comment 8 Fedora Update System 2010-05-26 21:45:58 UTC
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13

Comment 9 Fedora Update System 2010-05-28 18:01:31 UTC
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

