Where's the bug

m.roth at 5-cent.us
Mon Jan 14 17:03:09 UTC 2013


FC 17. Just built last week.

ll -Z /etc/ssh:
-rw-------. root root system_u:object_r:etc_t:s0       moduli
-rw-r--r--. root root system_u:system_u:etc_t:s0       ssh_config
-rw-------. root root system_u:system_u:sshd_key_t:s0  ssh_host_dsa_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0  ssh_host_dsa_key.pub
-rw-------. root root system_u:system_u:sshd_key_t:s0  ssh_host_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0  ssh_host_key.pub
-rw-------. root root system_u:system_u:sshd_key_t:s0  ssh_host_rsa_key
-rw-r--r--. root root system_u:system_u:sshd_key_t:s0  ssh_host_rsa_key.pub
-rw-r--r--. root root system_u:system_u:etc_t:s0       ssh_known_hosts
-rw-------. root root system_u:system_u:etc_t:s0       sshd_config
-rw-------. root root system_u:system_u:etc_t:s0       sshd_config.rpmnew

ll -Z /usr/sbin/sshd:
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd

ps -efZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 6321  1  0 11:48 ?        00:00:00 /usr/sbin/sshd -D

Alert 1:
*****  Plugin restorecon (94.8 confidence) suggests  *************************

If you want to fix the label.
/etc/ssh/ssh_host_rsa_key default label should be sshd_key_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ssh/ssh_host_rsa_key

Alert 2:
*****  Plugin restorecon (94.8 confidence) suggests  *************************

If you want to fix the label.
/etc/ssh/ssh_host_rsa_key default label should be sshd_key_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ssh/ssh_host_rsa_key

*****  Plugin catchall_labels (5.21 confidence) suggests  ********************

If you want to allow sshd to have getattr access on the ssh_host_rsa_key file
Then you need to change the label on /etc/ssh/ssh_host_rsa_key

grep -i avc | tail
<snip>
type=AVC msg=audit(1358182127.469:291): avc:  denied  { read } for pid=6321 comm="sshd" name="ssh_host_rsa_key" dev="sda3" ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1358182127.469:291): avc:  denied  { open } for pid=6321 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda3" ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1358182127.469:292): avc:  denied  { getattr } for pid=6321 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda3" ino=11372820 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

I've done a chcon. I did an semanage and the restorecon. The system was
rebooted after the chcon; sshd was restarted after the semanage and
restorecon. I just did restorecon -R /etc/ssh again.

Is the audit program buggy?

       mark
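The post shows `ls -Z` reporting `sshd_key_t` on the key file while the AVC records carry `tcontext=...:unlabeled_t`. Below is an added example (editor's code, not part of the original mail or of any SELinux tool) that parses AVC denial lines, compares the type the kernel saw against the type `ls -Z` shows, and checks whether the inode number in the denial matches the file at the path. The sample audit lines are the post's three denials re-joined onto single lines; the expected-label table is taken from the post's `ls -Z` listing. The inode comparison is the editor's suggestion for narrowing down which object the kernel actually denied, not something the post performs.

```python
import os
import re

# The three AVC records from the post, each re-joined onto one line (constructed sample input).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1358182127.469:291): avc:  denied  { read } for pid=6321 comm="sshd" '
    'name="ssh_host_rsa_key" dev="sda3" ino=11372820 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1358182127.469:291): avc:  denied  { open } for pid=6321 comm="sshd" '
    'path="/etc/ssh/ssh_host_rsa_key" dev="sda3" ino=11372820 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1358182127.469:292): avc:  denied  { getattr } for pid=6321 comm="sshd" '
    'path="/etc/ssh/ssh_host_rsa_key" dev="sda3" ino=11372820 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
]

# What `ls -Z /etc/ssh` in the post reports for the file, keyed by basename (constructed from the post).
EXPECTED_TYPES = {'ssh_host_rsa_key': 'sshd_key_t'}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
    }
    for key, value in KV_RE.findall(m.group('rest')):
        rec[key] = value.strip('"')
    if 'ino' in rec:
        rec['ino'] = int(rec['ino'])
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    return ctx.split(':')[2]


def label_mismatches(lines, expected_types):
    """Return the file denials whose kernel-side target type differs from the
    type the administrator expects (e.g. from `ls -Z`), keyed by basename."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get('tclass') != 'file':
            continue
        target = rec.get('path') or rec.get('name') or ''
        base = os.path.basename(target)
        if base not in expected_types:
            continue
        kernel_type = context_type(rec['tcontext'])
        if kernel_type != expected_types[base]:
            out.append({
                'target': target,
                'ino': rec.get('ino'),
                'perms': rec['perms'],
                'kernel_type': kernel_type,
                'expected_type': expected_types[base],
            })
    return out


def current_inode(path):
    """Inode of the object currently at `path`, as seen by stat()."""
    return os.stat(path).st_ino


def inode_matches(path, ino):
    """True if the inode named in an AVC record is the same inode now at `path`.
    A mismatch means the denial concerned a different object than the one relabelled."""
    return current_inode(path) == ino


if __name__ == '__main__':
    for hit in label_mismatches(SAMPLE_AUDIT_LINES, EXPECTED_TYPES):
        print(f"{hit['target']} ino={hit['ino']} perms={hit['perms']}: "
              f"kernel saw {hit['kernel_type']}, ls -Z says {hit['expected_type']}")
```

Run on a live host, point `label_mismatches` at `ausearch -m avc` output and compare `hit['ino']` with `current_inode('/etc/ssh/ssh_host_rsa_key')`; if the inode numbers differ, the file `restorecon` relabelled is not the object the denial was logged against.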


