Bug 674438 - sshd starts before ipv6 has been loaded - causing SE alert and not listening on ipv6
sshd starts before ipv6 has been loaded - causing SE alert and not listening ...
Status: CLOSED DUPLICATE of bug 641836
Product: Fedora
Classification: Fedora
Component: NetworkManager (Show other bugs)
14
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Dan Williams
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-01 16:40 EST by Mads Kiilerich
Modified: 2012-05-03 15:21 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-03 15:21:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Mads Kiilerich 2011-02-01 16:40:48 EST
I boot my F14 laptop with SElinux enforced. There is no wired network - but that doesn't make any difference.

When I login I see the SE error that is reported on #669047, warning that sshd isn't permitted to request the net-pf-10 / ipv6 kernel module.

I would expect sshd to start listening on the interfaces it should listen on without trigging any SElinux messages.


There is no ListenAddress configured in sshd_config, so it should "listen on all local addresses". But if sshd triggers a probe for ipv6 then it must be because there is no ipv6 in the system yet and there isn't any ipv6 local address to listen on. It seems like it doesn't do exactly as documented. Perhaps because sshd assumes that it is ok to try to use ipv6 and just let it fail if it fails? Well ... with SElinux the user will get a warning every time and it thus isn't ok.

When I look at it from a user session I can see that sshd listens on ipv4 only:

[root@local ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address   State   PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN  1394/sshd

But the ipv6 module has now been loaded anyway and the local interface now do have a ipv6 address:

[root@local ~]# lsmod|grep ipv6
ipv6                  229581  10
[root@local ~]# ifconfig
eth2      Link encap:Ethernet  HWaddr 00:12:3F:22:B1:77
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:16

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1328 (1.2 KiB)  TX bytes:1328 (1.2 KiB)

If I then try to restart sshd it thus correctly starts listening on ipv6 without any errors:

[root@local ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@local ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address   State   PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN  2176/sshd
tcp        0      0 :::22             :::*              LISTEN  2176/sshd


Hacking the sshd start script to log the output of ifconfig and lsmod when it runs I can see that when sshd is started the ipv6 module haven't been loaded and lo do not have an ipv6 address.


So what I'm trying to report is something like:

1: sshd triggers ipv6 probing which causes SElinux warnings by default. If SE is right when it denies module probing then sshd must take care not to trigger a probing.

2: sshd doesn't listen on the ipv6 interfaces, contrary to what the documentation says.

The root cause for this might be that sshd isn't started at the right place in the boot process relative to other parts. It should wait until ipv6 has been loaded ... if ipv6 is going to be loaded at all. One reason this (no longer) happens might be that the network service no longer is started by default and NetworkManager is (too) asynchronous.
Comment 1 Jan F. Chadima 2011-05-24 03:43:01 EDT
seems to be a problem of NM or init scripts
Comment 2 Mads Kiilerich 2011-11-28 12:06:08 EST
http://danwalsh.livejournal.com/47118.html gives a workaround (or magic solution?) for this.
Comment 3 Dan Winship 2012-05-03 15:21:16 EDT
this is just a dup of 641836, and is not sshd or NetworkManager's fault

*** This bug has been marked as a duplicate of bug 641836 ***

Note You need to log in before you can comment on or make changes to this bug.