Bug 994173 - SELinux is preventing /usr/sbin/sshd from 'name_connect' accesses on the tcp_socket .
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:c359d99806801bfd4fa2da506ef...
Reported: 2013-08-06 12:06 EDT by Kevin
Modified: 2013-08-08 08:06 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-07 14:15:52 EDT
Description Kevin 2013-08-06 12:06:53 EDT
Description of problem:
Having installed the pam_yubico package from Fedora repos, ssh login with the yubikey is blocked by the
system SELinux policy.

I'm not sure if this should be allowed by default, but it seems to me that using pam_yubico with sshd is a 
very common use-case for the module.
SELinux is preventing /usr/sbin/sshd from 'name_connect' accesses on the tcp_socket .

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow authlogin to yubikey
Then you must tell SELinux about this by enabling the 'authlogin_yubikey' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_yubikey 1

*****  Plugin catchall (6.38 confidence) suggests  ***************************

If you believe that sshd should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:http_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          80
Host                          (removed)
Source RPM Packages           openssh-server-6.2p2-4.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-66.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.4-300.fc19.x86_64 #1 SMP Tue
                              Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-08-03 01:07:20 EDT
Last Seen                     2013-08-06 11:51:16 EDT
Local ID                      185d529c-1d31-4733-b1cb-bbc1740c495d

Raw Audit Messages
type=AVC msg=audit(1375804276.446:433): avc:  denied  { name_connect } for  pid=2383 comm="sshd" dest=80 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1375804276.446:433): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fff5403ecc0 a2=1c a3=7 items=0 ppid=2381 pid=2383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,http_port_t,tcp_socket,name_connect

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.4-300.fc19.x86_64
type:           libreport
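The alert above gives two booleans and, as a last resort, an audit2allow module. As an added example (not part of this report, of setroubleshoot or of selinux-policy), the script below parses raw `type=AVC` records like the ones in the report into structured fields, keeps only the denials attributed to `sshd`, and maps each one to the boolean the alert proposed, falling back to "report it" when no boolean is known. Assumptions: the `BOOLEAN_HINTS` table is transcribed by hand from this alert alone (a real tool queries the loaded policy), the second AVC record in `SAMPLE_AUDIT_LOG` (sshd_t connecting to `mysqld_port_t` on port 3306) is constructed so the fallback path runs, and the function names are the example's own.

```python
"""Parse SELinux AVC denials from audit.log text and map them to the boolean
the setroubleshoot alert proposes.  Added example for this bug report; it is
not part of setroubleshoot, selinux-policy or the report itself."""
import re

# Constructed sample: the AVC and SYSCALL records from the report above, plus a
# second, invented denial (sshd_t -> mysqld_port_t on port 3306) that no entry
# in the hint table covers, so the fallback branch is exercised too.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1375804276.446:433): avc:  denied  { name_connect } for  pid=2383 comm="sshd" dest=80 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1375804276.446:433): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fff5403ecc0 a2=1c a3=7 items=0 ppid=2381 pid=2383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1375804300.000:440): avc:  denied  { name_connect } for  pid=2390 comm="sshd" dest=3306 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: a hand-transcribed hint table built only from the alert in this
# report, keyed by (source type, target type, object class, permission) and
# listing the booleans the alert proposed, narrowest first.  A real tool asks
# the loaded policy (setroubleshoot / sepolicy) instead of carrying a table.
BOOLEAN_HINTS = {
    ("sshd_t", "http_port_t", "tcp_socket", "name_connect"):
        ["authlogin_yubikey", "nis_enabled"],
}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "dest": int(fields["dest"]) if "dest" in fields else None,
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def denied_records(audit_text, comm=None):
    """All AVC denials in the text, optionally restricted to one command name
    (the structured equivalent of the alert's `grep sshd /var/log/audit/audit.log`)."""
    recs = (parse_avc(line) for line in audit_text.splitlines())
    return [r for r in recs
            if r and r["decision"] == "denied" and (comm is None or r["comm"] == comm)]


def recommend(rec):
    """Map a denial to a boolean fix when one is known.  A boolean is a switch
    maintained inside the distribution policy and can be turned back off; a
    local audit2allow module hard-codes the allow rule and must be maintained
    by the admin, so it is the fallback, not the first choice."""
    for perm in rec["perms"]:
        booleans = BOOLEAN_HINTS.get((rec["stype"], rec["ttype"], rec["tclass"], perm))
        if booleans:
            return {
                "kind": "boolean",
                "boolean": booleans[0],
                "alternatives": booleans[1:],
                "command": "setsebool -P %s 1" % booleans[0],
            }
    return {
        "kind": "report",
        "command": None,
        "note": "no boolean known for %s -> %s %s { %s }; report it before "
                "considering a local module" % (rec["stype"], rec["ttype"],
                                                 rec["tclass"], " ".join(rec["perms"])),
    }


def triage(audit_text, comm="sshd"):
    """One (serial, denial, recommendation) tuple per matching denial."""
    return [(r["serial"], r, recommend(r)) for r in denied_records(audit_text, comm)]


if __name__ == "__main__":
    for serial, rec, advice in triage(SAMPLE_AUDIT_LOG):
        print("audit serial %d: %s %s -> %s:%s dest=%s" % (
            serial, rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], rec["dest"]))
        print("  " + (advice["command"] or advice["note"]))
```

Run against the sample, the report's own denial (serial 433) resolves to `setsebool -P authlogin_yubikey 1` with `nis_enabled` listed only as the broader alternative, while the constructed serial 440 produces the "report it" note, which is the branch an admin is in before reaching for audit2allow.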
Comment 1 Daniel Walsh 2013-08-07 14:15:52 EDT
Did you read the alert?

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow authlogin to yubikey
Then you must tell SELinux about this by enabling the 'authlogin_yubikey' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_yubikey 1
Comment 2 Kevin 2013-08-07 14:18:03 EDT
Yes, I did.  Did you read my original comments?
Comment 3 Miroslav Grepl 2013-08-08 08:06:45 EDT
We don't want to allow it by default. Basically this is a reason why we have booleans.

# setsebool -P authlogin_yubikey 1

is for the permanent change.
