Bug 652438 - SELinux is preventing /usr/sbin/sshd "search" entry on /etc/samba.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openssh
Version: 14
Platform: i386 Linux
Priority: low
Severity: medium
Assigned To: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:cd4347496e1...
Keywords: Reopened
Reported: 2010-11-11 15:58 EST by Michael Gruys
Modified: 2011-02-25 07:40 EST
Doc Type: Bug Fix
Last Closed: 2011-02-25 07:40:32 EST
Attachments:
/etc/nsswitch.conf (1.68 KB, text/plain) - 2010-11-17 01:10 EST, Michael Gruys
/etc/pam.d/sshd (575 bytes, text/plain) - 2010-11-17 01:11 EST, Michael Gruys
Description Michael Gruys 2010-11-11 15:58:37 EST
Summary:

SELinux is preventing /usr/sbin/sshd "search" access on /etc/samba.

Detailed description:

SELinux denied access requested by sshd. It is not expected that sshd needs
this access, and this access may indicate an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see the FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional information:

Source context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target context                system_u:object_r:samba_etc_t:s0
Target objects                /etc/samba [ dir ]
Source                        sshd
Source path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          (removed)
Source RPM packages           openssh-server-5.5p1-23.fc14.2
Target RPM packages           samba-common-3.5.6-69.fc14
Policy RPM                    selinux-policy-3.9.7-7.fc14
SELinux enabled               True
Policy type                   targeted
Enforcing mode                Enforcing
Plugin name                   catchall
Host name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.i686.PAE #1 SMP Fri
                              Oct 22 15:27:53 UTC 2010 i686 i686
Alert count                   20
First seen                    Sun 07 Nov 2010 02:32:12 CET
Last seen                     Thu 11 Nov 2010 21:56:11 CET
Local ID                      8c139fce-9fb8-46ad-8640-b0d7e51f83ee
Line numbers

Raw audit messages

node=(verwijderd) type=AVC msg=audit(1289508971.200:41101): avc:  denied  { search } for  pid=22509 comm="sshd" name="samba" dev=dm-0 ino=61228 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir

node=(verwijderd) type=SYSCALL msg=audit(1289508971.200:41101): arch=40000003 syscall=5 success=no exit=-13 a0=b7760870 a1=8000 a2=0 a3=0 items=0 ppid=2072 pid=22509 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Hash String generated from  catchall,sshd,sshd_t,samba_etc_t,dir,search
audit2allow suggests:

#============= sshd_t ==============
allow sshd_t samba_etc_t:dir search;
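An added example (my own code, not part of this report and not Fedora's setroubleshoot or audit2allow): a Python parser for the two audit records quoted above. It joins the AVC and SYSCALL records by audit serial, pulls the source domain and target type out of the contexts, maps exit=-13 to its errno name, and rebuilds the hash-string fields and the allow rule that the report shows. The sample input is the report's own two lines with the host name redacted as in the original; the function names are my own.

```python
import errno
import re

# Constructed sample input: the two audit records quoted in this report, joined
# as they appear in /var/log/audit/audit.log (host name redacted as in the original).
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1289508971.200:41101): avc:  denied  { search } for  pid=22509 comm="sshd" name="samba" dev=dm-0 ino=61228 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1289508971.200:41101): arch=40000003 syscall=5 success=no exit=-13 a0=b7760870 a1=8000 a2=0 a3=0 items=0 ppid=2072 pid=22509 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
"""

HEAD_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_audit_events(text):
    """Group AVC and SYSCALL records by audit serial into one event dict each."""
    events = {}
    for line in text.splitlines():
        head = HEAD_RE.search(line)
        if not head:
            continue
        ev = events.setdefault(int(head.group('serial')), {'ts': float(head.group('ts'))})
        body = line[head.end():]
        if head.group('type') == 'AVC':
            pm = PERMS_RE.search(body)
            if not pm:
                continue  # granted or malformed AVC record, not a denial
            ev['perms'] = pm.group('perms').split()
            body = body[pm.end():]
        ev.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return events

def type_of(context):
    """Third field of an SELinux context: sshd_t in system_u:system_r:sshd_t:s0."""
    return context.split(':')[2]

def exit_errno(ev):
    """Symbolic errno for the SYSCALL exit value: exit=-13 is EACCES."""
    return errno.errorcode[-int(ev['exit'])]

def setroubleshoot_signature(ev, plugin='catchall'):
    """The fields setroubleshoot hashes for a denial, as in the report's hash string."""
    return ','.join([plugin, ev['comm'], type_of(ev['scontext']),
                     type_of(ev['tcontext']), ev['tclass']] + ev['perms'])

def audit2allow_rule(ev):
    """The allow rule audit2allow prints for one denial, as shown in the report."""
    perms = ev['perms'][0] if len(ev['perms']) == 1 else '{ %s }' % ' '.join(ev['perms'])
    return 'allow %s %s:%s %s;' % (type_of(ev['scontext']), type_of(ev['tcontext']),
                                   ev['tclass'], perms)
```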
Comment 1 Miroslav Grepl 2010-11-12 06:04:35 EST
Did you set up ssh and Samba to play together?

Or any chance you were sitting in the /etc/samba directory when you started/restarted the sshd daemon using

/etc/init.d/sshd restart
Comment 2 Daniel Walsh 2010-11-12 09:29:53 EST
Or is /etc/samba listed as a homedir in /etc/passwd?
Comment 3 Michael Gruys 2010-11-12 15:01:07 EST
(In reply to comment #2)
> Or is /etc/samba listed as a homedir in /etc/passwd?

No. It is not mentioned in /etc/passwd.
Comment 4 Michael Gruys 2010-11-12 15:05:51 EST
(In reply to comment #1)
> Did you setup ssh and Samba to play together?
> 
How can I see that?

> Or any chance you were sitting in /etc/samba directory when you
> started/restarted sshd daemon using
> 
> /etc/init.d/sshd restart

I do not think so. I suspect fail2ban is causing this message. I had not started, stopped or restarted the ssh daemon at the moment of the message.

I do not know what further info is needed to solve this issue.
Comment 5 Daniel Walsh 2010-11-15 11:16:43 EST
Has it happened again?
Comment 6 Michael Gruys 2010-11-15 11:19:03 EST
Not anymore.
Comment 7 Daniel Walsh 2010-11-15 11:21:03 EST
Ok reopen if it happens again.
Comment 8 Michael Gruys 2010-11-16 12:27:02 EST
I'm sorry to report this, but it happened again today...
Please let me know what additional info you further need.

Note:
I can only change the status to "assigned" and cannot set it to "reopen".
Comment 9 Daniel Walsh 2010-11-16 13:00:29 EST
Is
Comment 10 Daniel Walsh 2010-11-16 13:01:24 EST
Can you guys think of any reason sshd would be searching /etc/samba?

pam_winbind?
Comment 11 Tomas Mraz 2010-11-16 15:11:12 EST
Do you have winbind in /etc/nsswitch.conf or pam_winbind in /etc/pam.d/sshd?
Comment 12 Michael Gruys 2010-11-17 01:10:32 EST
Created attachment 460995 [details]
/etc/nsswitch.conf
Comment 13 Michael Gruys 2010-11-17 01:11:08 EST
Created attachment 460996 [details]
/etc/pam.d/sshd
Comment 14 Daniel Walsh 2010-11-17 10:53:32 EST
Tomas, if winbind were in either of those, it would not be unusual for the login programs to need search.

Miroslav, can you modify auth_login_pgm_domain to use

files_read_config_files($1)

in F13/F14.
Comment 15 Miroslav Grepl 2011-02-25 07:40:32 EST
Fixed in the current policies.