Bug 1813023 - selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins
Summary: selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: All
OS: Linux
high
urgent
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1812901 1813388
Depends On:
Blocks:
Reported: 2020-03-12 18:18 UTC by Paul Moore
Modified: 2020-11-10 17:55 UTC (History)
CC: 12 users

Fixed In Version: selinux-policy-3.14.6-8.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-02 00:31:15 UTC
Type: Bug
Embargoed:



Description Paul Moore 2020-03-12 18:18:32 UTC
Description of problem:
After upgrading to selinux-policy v3.14.6-7.fc33 (current Rawhide package) I am unable to login to the system over SSH when in enforcing mode using the targeted policy.  The failure can be seen as a broken pipe (snippet below).

  # ssh localhost
  root@localhost's password: 
  client_loop: send disconnect: Broken pipe

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-7.fc33.noarch

How reproducible:
Every time

Steps to Reproduce:
1. setenforce 1
2. ssh localhost

Comment 1 Zdenek Pytela 2020-03-12 18:29:55 UTC
Hi Paul,

With the same policy version ssh works for me, either for user root or non-root. Do you use confined users? Is there anything else special in your settings? Are there avc/user_avc/selinux_err denials logged?

Comment 2 Paul Moore 2020-03-12 18:37:34 UTC
Hi Zdenek,

I can't believe I forgot to include the AVCs; I'm sorry about that!  Here is a quick reproducer from my test system; this is a current Fedora Rawhide system if it helps better understand the bug.

# ausearch -m AVC -i 
<no matches>
# ssh root@localhost -- id -Z
root@localhost's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ausearch -m AVC -i 
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc:  denied  { create } for  pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc:  denied  { bind } for  pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1 
# setenforce 1
# ssh root@localhost -- id -Z
root@localhost's password: 
client_loop: send disconnect: Broken pipe
# ausearch -m AVC -i 
----
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc:  denied  { create } for  pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc:  denied  { bind } for  pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(03/12/2020 14:35:59.935:220) : avc:  denied  { create } for  pid=991 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0

Comment 3 Lukas Vrabec 2020-03-12 18:45:40 UTC
Hi Paul! 

I also expected a PR, not only a Bugzilla ticket. Just kidding :P We want to look at it.

@Jakub

Are there any changes in sshd component in rawhide? 

Thanks,
Lukas.

Comment 4 Zdenek Pytela 2020-03-12 18:54:01 UTC
We also have a similar one for cockpit:
https://bugzilla.redhat.com/show_bug.cgi?id=1812901

With a full Rawhide update today I also see the same error; I suspect some library. Investigating further.

Comment 5 Petr Lautrbach 2020-03-12 19:28:24 UTC
Paul, could you please try to downgrade pam? Latest pam started to use selinux_check_access() instead of security_compute_av(). selinux_check_access() calls (void) avc_netlink_check_nb(); which matches on "netlink" substring with tclass

Comment 6 Petr Lautrbach 2020-03-12 19:50:32 UTC
Ok, it's related to https://bugzilla.redhat.com/show_bug.cgi?id=1680961 and to the change I described in comment 5

The following rule should fix it:

allow login_pgm self:netlink_selinux_socket manage_socket_perms; 


cil version:

# cat > pamnetlink.cil <<EOF
(allow login_pgm self (netlink_selinux_socket (create bind)))
EOF

# semodule -i pamnetlink.cil

Comment 7 Petr Lautrbach 2020-03-12 19:51:45 UTC
allow login_pgm self:netlink_selinux_socket create_socket_perms; 

sorry
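The AVC records in comment 2 and the CIL rule in comments 6 and 7 are two halves of the same triage step: parse the denials, keep only the ones that actually blocked (permissive=0), and derive the minimal allow rule. The script below is an added example, not code from this report or from the selinux-policy project; the sample records are the three lines from comment 2, constructed inline, and the emitted rule is per source type (sshd_t), whereas the upstream fix generalized it to the login_pgm attribute.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records reported in comment 2.
SAMPLE_AVCS = """\
type=AVC msg=audit(03/12/2020 14:35:36.375:195) : avc:  denied  { create } for  pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
type=AVC msg=audit(03/12/2020 14:35:36.375:196) : avc:  denied  { bind } for  pid=967 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=1
type=AVC msg=audit(03/12/2020 14:35:59.935:220) : avc:  denied  { create } for  pid=991 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
"""

# Fields of an "avc: denied" record as printed by ausearch -i.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def parse_avcs(text):
    """Return one dict per AVC denial; 'enforced' is True only when permissive=0."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["enforced"] = rec["permissive"] == "0"
        records.append(rec)
    return records

def blocking(records):
    """Denials that happened in enforcing mode, i.e. the ones that broke the login."""
    return [r for r in records if r["enforced"]]

def type_of(context):
    """Type field (third colon-separated component) of an SELinux context."""
    return context.split(":")[2]

def cil_rules(records):
    """Merge denials by (source type, target type, class) into CIL allow rules.
    Source == target collapses to 'self', matching the rule in comment 6."""
    groups = defaultdict(set)
    for rec in records:
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"(allow {src} {target} ({cls} ({' '.join(sorted(perms))})))")
    return rules
```

Feeding all three records yields a single rule covering both create and bind, which is the per-type equivalent of the create_socket_perms rule in comment 7; only the third record actually blocked the login.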

Comment 8 Petr Lautrbach 2020-03-12 19:58:20 UTC
*** Bug 1812901 has been marked as a duplicate of this bug. ***

Comment 9 Petr Lautrbach 2020-03-13 10:18:30 UTC
FYI the fix is going to be available soon - https://src.fedoraproject.org/rpms/selinux-policy/pull-request/54

Comment 10 Zdenek Pytela 2020-03-13 11:08:22 UTC
A build for Fedora Rawhide is available:
https://koji.fedoraproject.org/koji/taskinfo?taskID=42445203

Comment 11 Petr Pisar 2020-03-13 12:04:36 UTC
I confirm selinux-policy-3.14.6-8.fc33 fixes it.

Comment 12 Paul Moore 2020-03-13 13:22:19 UTC
I can also confirm that selinux-policy-3.14.6-8.fc33 fixed the SSH login problem - thanks everyone!

Comment 13 Petr Lautrbach 2020-03-13 16:55:01 UTC
*** Bug 1813388 has been marked as a duplicate of this bug. ***

Comment 14 Fedora Update System 2020-03-13 18:33:25 UTC
pam-1.3.1-24.fc32, selinux-policy-3.14.5-30.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

Comment 15 Fedora Update System 2020-04-01 09:23:01 UTC
FEDORA-2020-d0986e01cd has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

Comment 16 Garry T. Williams 2020-04-01 20:51:28 UTC
This problem affects fc31 with selinux-policy-3.14.4-50.fc31.noarch .

This version was installed from fc31 updates-testing repo.

Comment 17 Fedora Update System 2020-04-02 00:31:15 UTC
FEDORA-2020-d0986e01cd has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

