Bug 591680 - SELinux is preventing /usr/sbin/sshd "getattr" access on /sbin/shutdown.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:f92caddd084...
Reported: 2010-05-12 16:07 EDT by Florian van Oudgaarden
Modified: 2010-05-28 14:02 EDT
Fixed In Version: selinux-policy-3.7.19-21.fc13
Doc Type: Bug Fix
Last Closed: 2010-05-28 14:02:18 EDT
Description Florian van Oudgaarden 2010-05-12 16:07:15 EDT
Summary:

SELinux is preventing /usr/sbin/sshd "getattr" access on /sbin/shutdown.

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access
is required by sshd, and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application
is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see the
FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a
bug report.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shutdown_exec_t:s0
Target Objects                /sbin/shutdown [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openssh-server-5.4p1-1.fc13
Target RPM Packages           upstart-0.6.5-5.fc13
Policy RPM                    selinux-policy-3.7.19-13.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux tb-223976.tribase.nl 2.6.33.3-85.fc13.x86_64
                              #1 SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 05 May 2010 15:18:23 CEST
Last Seen                     Wed 12 May 2010 17:26:31 CEST
Local ID                      e5609ec4-2d28-47ca-93d3-cd06016a0d0f
Line Numbers

Raw Audit Messages

node=tb-223976.tribase.nl type=AVC msg=audit(1273677991.803:27922): avc:  denied  { getattr } for  pid=8987 comm="sshd" path="/sbin/shutdown" dev=dm-1 ino=1966132 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file

node=tb-223976.tribase.nl type=SYSCALL msg=audit(1273677991.803:27922): arch=c000003e syscall=4 success=no exit=-13 a0=7ff097fdc5c0 a1=7fffa511e460 a2=7fffa511e460 a3=f items=0 ppid=1699 pid=8987 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,sshd,sshd_t,shutdown_exec_t,file,getattr
audit2allow suggests:

#============= sshd_t ==============
allow sshd_t shutdown_exec_t:file getattr;
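Added example (not part of this report, and not setroubleshoot's or audit2allow's code): a small Python parser for the raw AVC record above. It pulls the source and target types, object class and permission out of the record, prints the allow rule in the same shape audit2allow proposed, and builds a dedup key in the shape of the "Hash String generated from" line so repeated alerts can be counted the way the report's alert count does. The sample line is constructed (its content copies the report's AVC message); the key's field order is an assumption inferred from that hash string line, not taken from setroubleshoot's source.

```python
import re

# Constructed sample line; its content mirrors the raw AVC record in this report.
SAMPLE_AVC = (
    'node=tb-223976.tribase.nl type=AVC msg=audit(1273677991.803:27922): avc:  denied  '
    '{ getattr } for  pid=8987 comm="sshd" path="/sbin/shutdown" dev=dm-1 ino=1966132 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file'
)

# 'avc: denied { perm perm } for key=value ...' -- the permission set sits in braces.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="sshd", path="/sbin/shutdown").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type[:mls range]; the type is what policy rules name.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def allow_rule(avc):
    """The allow rule audit2allow prints for one denial: one permission bare, several in braces."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"


def signature(avc, plugin='catchall'):
    """Dedup key in the shape of the report's 'Hash String generated from' line:
    plugin, comm, source type, target type, class, permissions. The field order is
    inferred from that line (an assumption), not taken from setroubleshoot's code."""
    return ','.join([plugin, avc.get('comm', '?'), avc['stype'], avc['ttype'],
                     avc['tclass'], ' '.join(avc['perms'])])


def summarize(lines):
    """Count AVC records per signature over a batch of audit lines; non-AVC lines are skipped."""
    counts = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = signature(avc)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(signature(avc))
    print(allow_rule(avc))
```

Running the block prints the same signature and rule the report shows. The rule is the mechanical part; whether sshd_t should have it at all is the policy question, and here the maintainer answered it in the policy package rather than with a local module.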
Comment 1 Daniel Walsh 2010-05-12 16:31:38 EDT
What did you do to cause this AVC?
Comment 2 Jan-Frode Myklebust 2010-05-17 05:10:06 EDT
I can't read Dutch that well, but I believe I'm seeing this same problem. Whenever someone tries to log in as user "shutdown", I'm getting this denial:

42. 17. mai 2010 02:57:26 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 4 file getattr system_u:object_r:shutdown_exec_t:s0 denied 390

and sshd is logging:

May 17 02:57:26 localhost sshd[3906]: User shutdown not allowed because shell /sbin/shutdown does not exist


So I guess sshd is trying to check if the user's shell exists before it authenticates the user? Seems strange.

BTW: It's 100% reproducible.. Just try "ssh shutdown@localhost".
Comment 3 Daniel Walsh 2010-05-17 08:37:04 EDT
So you have set up a user whose shell is /sbin/shutdown?
Comment 4 Jan-Frode Myklebust 2010-05-17 13:29:55 EDT
No, fedora-13-beta did that for me by default.
Comment 5 Jan-Frode Myklebust 2010-05-17 13:32:51 EDT
[root@localhost ~]# grep shutdown /etc/passwd /etc/shadow
/etc/passwd:shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
/etc/shadow:shutdown:*:14715:0:99999:7:::
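Added example, not from this thread: a Python triage helper for the situation the two comments above describe. sshd stat()s the account's shell before authenticating, and the report's SYSCALL record shows that stat failing with exit=-13 (EACCES), which is why sshd logs the shell as not existing although /sbin/shutdown is present. The helper lists the accounts whose login shell is not a real shell and whether their password is locked, so an AVC or "shell does not exist" rejection for one of them can be recognised as a refused login to a service account rather than a successful one. The passwd and shadow content is constructed; the "shutdown" entries copy the grep output above, the others are made up, and the /etc/shells stand-in is an assumption.

```python
# Constructed sample content in /etc/passwd and /etc/shadow format. The "shutdown"
# entries mirror the grep output in the comment above; the other accounts are made up.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$constructed$notarealhash:14715:0:99999:7:::
shutdown:*:14715:0:99999:7:::
halt:*:14715:0:99999:7:::
alice:$6$constructed$notarealhash:14715:0:99999:7:::
"""
# Constructed stand-in for the contents of /etc/shells.
SHELLS_SAMPLE = {"/bin/sh", "/bin/bash"}


def parse_colon_file(text):
    """Map the first field (account name) to its list of fields, skipping blanks and comments."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        rows[fields[0]] = fields
    return rows


def password_locked(shadow_field):
    """'*', '!' or a '!'-prefixed hash in the shadow password field disables password login."""
    return shadow_field in ('*', '!', '!!') or shadow_field.startswith('!')


def accounts_with_non_login_shell(passwd_text, shadow_text, valid_shells):
    """Return (name, shell, locked) for every account whose shell is not in valid_shells.

    sshd checks the shell with stat() before authenticating (see the comments above);
    for these accounts a login attempt ends in a "shell does not exist" rejection, and
    under a policy that denies sshd_t getattr on the shell it also produces an AVC."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        shell = fields[6]
        if shell in valid_shells:
            continue
        shadow_pw = shadow.get(name, [name, ''])[1]
        findings.append((name, shell, password_locked(shadow_pw)))
    return findings


if __name__ == '__main__':
    for name, shell, locked in accounts_with_non_login_shell(
            PASSWD_SAMPLE, SHADOW_SAMPLE, SHELLS_SAMPLE):
        print(f"{name}: shell={shell} password_locked={locked}")
```

On a live host the same functions can be fed the real files (`open('/etc/passwd').read()`, shadow needs root) and the real /etc/shells; the point of the locked column is that the accounts producing this denial cannot log in anyway.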
Comment 6 Daniel Walsh 2010-05-17 16:37:47 EDT
Fixed in selinux-policy-3.7.19-18.fc13.noarch
Comment 7 Fedora Update System 2010-05-25 10:36:52 EDT
selinux-policy-3.7.19-21.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13
Comment 8 Fedora Update System 2010-05-26 17:45:58 EDT
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13
Comment 9 Fedora Update System 2010-05-28 14:01:31 EDT
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
