Sshd getting 'dyntransition' AVC's in SElinux enforcing mode
Daniel J Walsh
dwalsh at redhat.com
Thu Jan 2 15:46:44 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/27/2013 05:06 PM, Philip Prindeville wrote:
> I’m seeing the following after an update (via yum) from F19 to F20:
>
> ---- time->Tue Dec 24 16:05:44 2013 type=SYSCALL
> msg=audit(1387926344.492:5867): arch=c000003e syscall=1 success=no exit=-13
> a0=6 a1=7f4e5e7afbb0 a2=20 a3=7fff44c2c550 items=0 ppid=686 pid=693
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd"
> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
> msg=audit(1387926344.492:5867): avc: denied { dyntransition } for
> pid=693 comm="sshd" scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:sshd_net_t:s0 tclass=process ---- time->Tue Dec
> 24 16:05:45 2013 type=SYSCALL msg=audit(1387926345.093:5883): arch=c000003e
> syscall=1 success=no exit=-13 a0=7 a1=7f4e5e7acef0 a2=2a
> a3=666e6f636e753a72 items=0 ppid=686 pid=706 auid=1000 uid=1000 gid=1000
> euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=627
> tty=(none) comm="sshd" exe="/usr/sbin/sshd"
> subj=system_u:system_r:init_t:s0 key=(null) type=AVC
> msg=audit(1387926345.093:5883): avc: denied { dyntransition } for
> pid=706 comm="sshd" scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>
>
> Is this a known issue? I’m running:
>
> selinux-policy-devel-3.12.1-106.fc20.noarch
> selinux-policy-targeted-3.12.1-106.fc20.noarch
> selinux-policy-doc-3.12.1-106.fc20.noarch
> selinux-policy-3.12.1-106.fc20.noarch openssh-clients-6.4p1-3.fc20.x86_64
> openssh-6.4p1-3.fc20.x86_64 openssh-server-6.4p1-3.fc20.x86_64
>
> Thanks,
>
> -Philip
>
This is caused by sshd running with the wrong label, It should be running as
sshd_t not init_t. If the executable labeled sshd_exec_t?
ls -lZ /usr/sbin/sshd
restorecon -v /usr/sbin/sshd
should fix the label.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlLFieQACgkQrlYvE4MpobP9MgCfc021YV5LYtmoTfa6I4wMWbus
A8wAniWyoTqQWpmhvQ8gN2SCKvtAcNGh
=FGdE
-----END PGP SIGNATURE-----
More information about the devel
mailing list