Bug 1813023
| Field | Value |
|---|---|
| Summary | selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins |
| Product | Fedora |
| Component | selinux-policy |
| Version | 32 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | high |
| Reporter | Paul Moore <paul> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, grepl.miroslav, gtwilliams, ipedrosa, jjelen, kdudka, lvrabec, plautrba, ppisar, tdecacqu, vmojzis, zpytela |
| Keywords | Triaged |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | selinux-policy-3.14.6-8.fc33 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Regression | --- |
| Last Closed | 2020-04-02 00:31:15 UTC |
Description
Paul Moore
2020-03-12 18:18:32 UTC
Hi Paul,

With the same policy version ssh works for me, either for user root or non-root. Do you use confined users? Is there anything else special in your settings? Are there avc/user_avc/selinux_err denials logged?

Hi Zdenek,

I can't believe I forgot to include the AVCs; I'm sorry about that! Here is a quick reproducer from my test system; this is a current Fedora Rawhide system, if it helps to better understand the bug.

```
# ausearch -m AVC -i
<no matches>
# ssh root@localhost -- id -Z
root@localhost's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ausearch -m AVC -i
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
# setenforce 1
# ssh root@localhost -- id -Z
root@localhost's password:
client_loop: send disconnect: Broken pipe
# ausearch -m AVC -i
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(03/12/2020 14:35:59.935:220) : avc: denied { create } for pid=991 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
```

Hi Paul!

I also expected a PR, not only a Bugzilla ticket. Just kidding :P We want to look at it. @Jakub Are there any changes in the sshd component in rawhide?

Thanks, Lukas.

We also have a similar one for cockpit: https://bugzilla.redhat.com/show_bug.cgi?id=1812901

With a full rawhide update today I also see the same error, suspecting some library. Investigating further.

Paul, could you please try to downgrade pam? The latest pam started to use selinux_check_access() instead of security_compute_av(). selinux_check_access() calls (void) avc_netlink_check_nb(); which matches on the "netlink" substring with tclass.

Ok, it's related to https://bugzilla.redhat.com/show_bug.cgi?id=1680961 and to the change I described in comment 5. The following rule should fix it:

```
allow login_pgm self:netlink_selinux_socket manage_socket_perms;
```

cil version:

```
# cat > pamnetlink.cil <<EOF
(allow login_pgm self (netlink_selinux_socket (create bind)))
EOF
# semodule -i pamnetlink.cil
```

```
allow login_pgm self:netlink_selinux_socket create_socket_perms;
```

sorry

*** Bug 1812901 has been marked as a duplicate of this bug. ***

FYI the fix is going to be available soon: https://src.fedoraproject.org/rpms/selinux-policy/pull-request/54

A build for Fedora Rawhide is available: https://koji.fedoraproject.org/koji/taskinfo?taskID=42445203

I confirm selinux-policy-3.14.6-8.fc33 fixes it.

I can also confirm that selinux-policy-3.14.6-8.fc33 fixed the SSH login problem. Thanks everyone!

*** Bug 1813388 has been marked as a duplicate of this bug. ***

pam-1.3.1-24.fc32, selinux-policy-3.14.5-30.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

FEDORA-2020-d0986e01cd has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

This problem affects fc31 with selinux-policy-3.14.4-50.fc31.noarch. This version was installed from the fc31 updates-testing repo.

FEDORA-2020-d0986e01cd has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.
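An added example, not part of the bug report or of the selinux-policy project: a small parser for the AVC records quoted in the thread that tells the permissive-mode (logged only) denials from the enforcing-mode one that actually broke the login, and derives the CIL allow rule they imply. The `SAMPLE_AVCS` string is constructed from the three records above; the derived rule names the concrete `sshd_t` type seen in the audit log, whereas the maintainers' fix granted the permission to the broader `login_pgm` attribute, which audit records do not reveal.

```python
import re
from collections import defaultdict

# Constructed sample: the three sshd denials quoted in the report, as `ausearch -m AVC -i` prints them.
SAMPLE_AVCS = """\
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc: denied { create } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc: denied { bind } for pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
type=AVC msg=audit(03/12/2020 14:35:59.935:220) : avc: denied { create } for pid=991 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avcs(text):
    """One dict per AVC record: source/target type, class, permissions, permissive flag."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the '----' separators ausearch prints)
        records.append({
            "stype": m.group("scontext").split(":")[2],  # type field of user:role:type:range
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "permissive": m.group("permissive") == "1",
        })
    return records

def enforced_denials(records):
    """permissive=0 records were actually blocked; permissive=1 records were only logged."""
    return [r for r in records if not r["permissive"]]

def cil_rules(records):
    """Merge denials per (source, target, class) into one CIL allow rule each,
    writing 'self' when source and target types coincide, as the report's fix does."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        target = "self" if s == t else t
        rules.append(f"(allow {s} {target} ({c} ({' '.join(sorted(perms))})))")
    return rules

if __name__ == "__main__":
    print("\n".join(cil_rules(parse_avcs(SAMPLE_AVCS))))
```

Before loading any generated rule, check it against the policy's intent (here the right subject was the `login_pgm` attribute, not `sshd_t` alone) rather than allowing whatever the log shows.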