Bug 813870 - SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:a55113d93e8d1bd229165135b0a...
:
: 835975 (view as bug list)
Depends On:
Blocks: 910430
  Show dependency treegraph
 
Reported: 2012-04-18 11:55 EDT by Daniel Scott
Modified: 2013-02-12 11:04 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 910430 (view as bug list)
Environment:
Last Closed: 2013-01-22 20:56:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Scott 2012-04-18 11:55:24 EDT
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.1-3.fc16.x86_64
reason:         SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
time:           Wed 18 Apr 2012 11:55:02 AM EDT

description:
:SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
:
:*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************
:
:If you want to enable polyinstantiated directory support.
:Then you must tell SELinux about this by enabling the 'allow_polyinstantiation'boolean.
:Do
:setsebool -P allow_polyinstantiation 1
:
:*****  Plugin catchall (11.6 confidence) suggests  ***************************
:
:If you believe that sshd should have the sys_admin capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        sshd
:Source Path                   /usr/sbin/sshd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           openssh-server-5.8p2-25.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.1-3.fc16.x86_64 #1 SMP
:                              Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    Tue 10 Apr 2012 03:00:39 PM EDT
:Last Seen                     Wed 18 Apr 2012 11:50:29 AM EDT
:Local ID                      59104706-d3ef-4249-a64f-3af84a915b34
:
:Raw Audit Messages
:type=AVC msg=audit(1334764229.337:1297): avc:  denied  { sys_admin } for  pid=30579 comm="sshd" capability=21  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1334764229.337:1297): arch=x86_64 syscall=ioctl success=yes exit=0 a0=6 a1=40084301 a2=7fff8a339dc0 a3=8 items=0 ppid=1528 pid=30579 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=153 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: sshd,sshd_t,sshd_t,capability,sys_admin
:
:audit2allow
:
:#============= sshd_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
:
:allow sshd_t self:capability sys_admin;
:
:audit2allow -R
:
:#============= sshd_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
:
:allow sshd_t self:capability sys_admin;
:
Comment 1 Miroslav Grepl 2012-04-20 08:11:20 EDT
Ok, we see it again.

Did it happen by default? Or did you setup pam_namespace?
Comment 2 Daniel Scott 2012-04-20 11:06:00 EDT
By default.
Comment 3 Daniel Walsh 2012-04-20 11:29:25 EDT
Daniel did you setup anything special in pam?  Did everything seem to work correctly?
Comment 4 Daniel Scott 2012-04-20 11:44:09 EDT
I am using FreeIPA for authentication with OpenAFS.

This error occurs when I ssh into my computer as root.

My /etc/pam.d/password-auth file has additional lines to get AFS tokens automatically:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth       [default=done]      pam_afs_session.so always_aklog debug
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     required      pam_afs_session.so always_aklog debug

Perhaps this is because root is not a FreeIPA or OpenAFS user?
Comment 5 Daniel Walsh 2012-04-20 11:58:46 EDT
You only get it when you log in as root, but if you log in as a normal user, does everything work. IE do you get your proper tokens?
Comment 6 Daniel Scott 2012-04-20 12:05:42 EDT
Sorry, I take that back - I get it as 'normal' users too. But I get a ticket and token and can access AFS OK.
Comment 7 Daniel Walsh 2012-04-23 11:27:14 EDT
:type=SYSCALL msg=audit(1334764229.337:1297): arch=x86_64 syscall=ioctl
success=yes exit=0 a0=6 a1=40084301 a2=7fff8a339dc0 a3=8 items=0 ppid=1528
pid=30579 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=153 comm=sshd exe=/usr/sbin/sshd
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Actually the syscall is succeeding "success=yes" even though the AVC is generated, so you could safely generate a dontaudit alert for this.  

# grep sys_admin /var/log/audit/audit.log | audit2allow -D -M mysshd
# semodule -i mysshd.pp

I am not sure if this is caused by a problem with our kernel or with the afs kernel module.
Comment 8 Miroslav Grepl 2012-06-28 05:47:29 EDT
*** Bug 835975 has been marked as a duplicate of this bug. ***
Comment 9 Trond H. Amundsen 2012-07-20 14:18:35 EDT
Just a "me too". I'm seeing this as well, but on RHEL6, and without using pam_afs_session.
Comment 10 Daniel Walsh 2012-07-20 17:33:09 EDT
Trond is this happening on an AVS System?
Comment 11 Trond H. Amundsen 2012-07-20 18:24:11 EDT
(In reply to comment #10)
> Trond is this happening on an AVS System?

Hm.. I don't know what an AVS system is, so I'm pretty sure that the answer is no :) This is a Dell R720 running web server statistics (Google Urchin) for our site, but I'm not sure if it is in production yet. I've seen this AVC before on other RHEL6 hosts. Tested a few and found one more that has this problem. Also a Dell server, running mysql and some web apps.

Comparing Daniel's /etc/pam.d/password-auth in comment #4 to ours, except for the obvious I can only find one common denominator: pam_sss. I can't tell if that is significant though, I'm not sure what to look for. In my limited testing, this happens consistently on affected servers, for both root (local) and regular users (from SSSD/LDAP).

I'll be happy to perform some (non-desctructive) debugging, but I'll need some guidance on how to proceed.
Comment 12 Daniel Walsh 2012-07-23 10:29:02 EDT
AFS, sorry.
Comment 13 Trond H. Amundsen 2012-07-23 10:49:22 EDT
(In reply to comment #12)
> AFS, sorry.

Nope, Kerberos isn't in the picture at all. These systems use LDAP (rfc2307, not IPA) and SSSD for authentication.
Comment 14 Daniel Walsh 2012-07-23 11:01:26 EDT
Trond what AVC are you seeing?
Comment 15 Trond H. Amundsen 2012-07-23 11:11:13 EDT
Here is the AVC that is generated:

type=AVC msg=audit(1343055966.291:482641): avc:  denied  { sys_admin } for  pid=7134 comm="sshd" capability=21  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
Comment 16 Ken Dreyer 2012-12-12 00:08:26 EST
I'm seeing this on my AFS client (Fedora 19). It happens whenever I log in over SSH. I use sssd (Kerberos) and pam_afs_session. My homedir is in AFS.
Comment 17 Daniel Walsh 2012-12-17 16:39:51 EST
Ken are you successfully allowed to login?
Comment 18 Ken Dreyer 2012-12-26 21:27:33 EST
(In reply to comment #17)
> Ken are you successfully allowed to login?

Yep, I can still log in via SSH. (I'm using "Enforcing".)

I tested with selinux-policy-targeted-3.11.1-67.fc19 today, and SELinux still logs the AVC denial.
Comment 19 Daniel Walsh 2012-12-27 10:48:41 EST
Ok I just checked in a fix for this to allow sshd_t sys_admin privs, Looks like it requests it in a couple of different ways so might as well allow it.  sshd_t is already a really powerful domain.
Comment 20 Fedora Update System 2013-01-02 12:37:50 EST
selinux-policy-3.11.1-69.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-69.fc18
Comment 21 Ken Dreyer 2013-01-02 21:50:38 EST
I can confirm that I no longer get the AVC denial in 3.11.1-69.fc19
Comment 22 Miroslav Grepl 2013-01-03 04:20:51 EST
Could you update karma? Thank you for testing.
Comment 23 Fedora Update System 2013-01-03 18:50:50 EST
Package selinux-policy-3.11.1-69.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-69.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0147/selinux-policy-3.11.1-69.fc18
then log in and leave karma (feedback).
Comment 24 Fedora Update System 2013-01-15 17:20:39 EST
selinux-policy-3.11.1-71.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-71.fc18
Comment 25 Fedora Update System 2013-01-22 20:56:03 EST
selinux-policy-3.11.1-71.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.