Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

Daniel J Walsh dwalsh at redhat.com
Thu Mar 6 14:14:32 UTC 2014


On 03/06/2014 01:45 AM, Dan Callaghan wrote:
> Excerpts from Dan Callaghan's message of 2014-03-06 16:43:26 +1000:
>> Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000:
>>> This is caused by sshd running with the wrong label. It should be 
>>> running as sshd_t not init_t.  Is the executable labeled sshd_exec_t?
>>> 
>>> ls -lZ /usr/sbin/sshd
>>> 
>>> restorecon -v /usr/sbin/sshd
>>> 
>>> should fix the label.
>> 
>> I started getting the same AVC denials a week or so ago. My 
>> /usr/sbin/sshd was indeed wrongly labelled:
>> 
>> $ ll -Z /usr/sbin/sshd
>> -rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /usr/sbin/sshd
>> $ sudo restorecon -v /usr/sbin/sshd
>> restorecon reset /usr/sbin/sshd context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:sshd_exec_t:s0
>> 
>> What I'm wondering is, how did it become wrongly labelled? Nothing else 
>> on my filesystem was wrong, according to restorecon.
>> 
>> The errors only appear in my logs after sshd was restarted on 24 Feb for
>> a yum upgrade. The updated packages included:
>> 
>> selinux-policy-3.12.1-122.fc20.noarch
>> openssh-server-6.4p1-3.fc20.x86_64
>> 
>> (among many others). Any hints on how I can figure out what went wrong 
>> with the labelling of /usr/sbin/sshd?
> 
> Oh, I forgot that the yum upgrade on 24 Feb was actually from F19->F20, 
> just like Philip who originally started this thread.
> 
> I suppose that means we just write it off as "upgrading between releases is
> not supported" then...
> 
> 
> 
I don't know what happened.  We have seen this bug usually when people are
updating from older Fedoras to F20.  It is strange, and I would figure it is
something with rpm, or something in the sshd package.
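
Added example, not part of the original message or of any Fedora tooling: a dry-run audit for the condition discussed in this thread, an executable whose on-disk type (bin_t) differs from the *_exec_t type that policy expects. It parses the restorecon line format quoted above and, going beyond the thread, the "Would relabel"/"Relabeled" format printed by newer libselinux releases; the function names and the second and third sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list executables whose on-disk SELinux
# type differs from the *_exec_t type that policy expects for them.

# Reads restorecon -v output on stdin, prints "PATH CURRENT_TYPE EXPECTED_TYPE".
# Assumes paths without whitespace.
mislabeled_entrypoints() {
    awk '
    function check(path, oldc, newc,   o, n) {
        split(oldc, o, ":"); split(newc, n, ":")   # user:role:type:level
        if (n[3] ~ /_exec_t$/ && o[3] != n[3]) print path, o[3], n[3]
    }
    # Older format, as quoted in this thread.
    $1 == "restorecon" && $2 == "reset" && $4 == "context" {
        if (split($5, c, "->") == 2) check($3, c[1], c[2])
        next
    }
    # Format printed by newer libselinux releases.
    ($1 == "Would" && $2 == "relabel") || $1 == "Relabeled" {
        i = ($1 == "Would") ? 3 : 2
        if ($(i + 1) == "from" && $(i + 3) == "to") check($i, $(i + 2), $(i + 4))
    }'
}

# Dry run: -n reports what would change and modifies nothing.
audit_paths() {
    restorecon -n -v -R "$@" 2>&1 | mislabeled_entrypoints
}

# Constructed sample: line 1 is the output quoted in this thread, lines 2-3
# are invented (exampled is a hypothetical daemon).
sample_output() {
    cat <<'EOF'
restorecon reset /usr/sbin/sshd context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:sshd_exec_t:s0
Would relabel /usr/sbin/exampled from system_u:object_r:bin_t:s0 to system_u:object_r:exampled_exec_t:s0
Would relabel /var/tmp/notes.txt from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:tmp_t:s0
EOF
}

sample_output | mislabeled_entrypoints
```

On an SELinux host, running audit_paths /usr/sbin /usr/bin as root after a release upgrade lists the affected binaries without relabeling anything.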



