Sshd getting 'dyntransition' AVCs in SELinux enforcing mode

Daniel J Walsh dwalsh at redhat.com
Thu Jan 2 15:46:44 UTC 2014


On 12/27/2013 05:06 PM, Philip Prindeville wrote:
> I’m seeing the following after an update (via yum) from F19 to F20:
> 
> ----
> time->Tue Dec 24 16:05:44 2013
> type=SYSCALL msg=audit(1387926344.492:5867): arch=c000003e syscall=1 success=no exit=-13 a0=6 a1=7f4e5e7afbb0 a2=20 a3=7fff44c2c550 items=0 ppid=686 pid=693 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:init_t:s0 key=(null)
> type=AVC msg=audit(1387926344.492:5867): avc:  denied  { dyntransition } for pid=693 comm="sshd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
> ----
> time->Tue Dec 24 16:05:45 2013
> type=SYSCALL msg=audit(1387926345.093:5883): arch=c000003e syscall=1 success=no exit=-13 a0=7 a1=7f4e5e7acef0 a2=2a a3=666e6f636e753a72 items=0 ppid=686 pid=706 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=627 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:init_t:s0 key=(null)
> type=AVC msg=audit(1387926345.093:5883): avc:  denied  { dyntransition } for pid=706 comm="sshd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
> 
> 
> Is this a known issue?  I’m running:
> 
> selinux-policy-devel-3.12.1-106.fc20.noarch
> selinux-policy-targeted-3.12.1-106.fc20.noarch
> selinux-policy-doc-3.12.1-106.fc20.noarch
> selinux-policy-3.12.1-106.fc20.noarch
> openssh-clients-6.4p1-3.fc20.x86_64
> openssh-6.4p1-3.fc20.x86_64
> openssh-server-6.4p1-3.fc20.x86_64
> 
> Thanks,
> 
> -Philip
> 
This is caused by sshd running with the wrong label. It should be running as
sshd_t, not init_t.  Is the executable labeled sshd_exec_t?

ls -lZ /usr/sbin/sshd

restorecon -v /usr/sbin/sshd

should fix the label.
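An added example, not part of the reply above or of any project code: a small shell triage that reads AVC records like the ones quoted in the thread and reports daemons that were denied a dyntransition while still in init_t, the symptom of a missed domain transition. Function names are hypothetical and the `<comm>_exec_t` guess is a naming-convention assumption; the first two sample records are the thread's AVC lines rejoined, the third is constructed.

```shell
#!/usr/bin/env bash
# Added example (hypothetical function names), not code from the thread.

# avc_field KEY RECORD -> value of KEY=... in one audit record, quotes stripped
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# Read audit records on stdin; print "comm source_type target_type" for each
# denied dyntransition. The type is the third field of user:role:type:level.
dyntransition_denials() {
    while IFS= read -r rec; do
        case $rec in
            *avc:*denied*"{ dyntransition }"*) ;;
            *) continue ;;
        esac
        printf '%s %s %s\n' "$(avc_field comm "$rec")" \
            "$(avc_field scontext "$rec" | cut -d: -f3)" \
            "$(avc_field tcontext "$rec" | cut -d: -f3)"
    done
}

# A daemon still in init_t never made its domain transition, which points at
# the label on its executable. Assumption: the entrypoint type is named
# <comm>_exec_t (the thread confirms this only for sshd -> sshd_exec_t).
diagnose() {
    dyntransition_denials | sort -u | while read -r comm src tgt; do
        if [ "$src" = init_t ]; then
            echo "$comm: still in init_t, denied dyntransition to $tgt; check that its executable is labeled ${comm}_exec_t"
        else
            echo "$comm: dyntransition $src -> $tgt denied"
        fi
    done
}

# On a live host: running domain of sshd next to the label on its binary.
show_labels() { ps -C sshd -o label,pid,comm; ls -lZ /usr/sbin/sshd; }

# Records 1-2: AVC lines from the thread, rejoined. Record 3: constructed.
SAMPLE='type=AVC msg=audit(1387926344.492:5867): avc:  denied  { dyntransition } for pid=693 comm="sshd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
type=AVC msg=audit(1387926345.093:5883): avc:  denied  { dyntransition } for pid=706 comm="sshd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1387926346.000:5890): avc:  denied  { read } for pid=800 comm="example" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

printf '%s\n' "$SAMPLE" | diagnose
```

On a host with auditd, the same function can read `ausearch -m avc` output on stdin instead of the embedded sample.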

