Bug 453554 - Selinux in enforced mode prevents login via ssh since Jun 12th update
Summary: Selinux in enforced mode prevents login via ssh since Jun 12th update
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: x86_64
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-01 09:56 UTC by Phil Stewart
Modified: 2008-07-07 16:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-07 16:27:45 UTC


Attachments
avcs from /var/log/audit/audit.log (deleted) - 2008-07-02 13:47 UTC, Phil Stewart
semodule has unknown options user and login (deleted) - 2008-07-03 09:14 UTC, Phil Stewart
Output from semanage (deleted) - 2008-07-03 09:17 UTC, Phil Stewart
Output of semanage -l (deleted) - 2008-07-03 15:30 UTC, Phil Stewart

Description Phil Stewart 2008-07-01 09:56:56 UTC
Description of problem: Since the Jun 12th update to selinux, although I can
successfully pass the ssh password request, as soon as I get through, I'm kicked
out with the error:

Last login: Fri Jun 13 10:42:30 2008 from xxx.xxx.xxx.xxx
/bin/bash: Permission denied
Connection to localhost closed.


Version-Release number of selected component (if applicable): 69.fc9


How reproducible:
Log in using ssh.

Steps to Reproduce:
1. Connect using ssh and enter password

Actual results:

Last login: Fri Jun 13 10:42:30 2008 from xxx.xxx.xxx.xxx
/bin/bash: Permission denied
Connection to localhost closed.

Expected results:

bash shell

Additional info:

/var/log/secure:

Jun 13 10:43:51 purkinje sshd[3667]: Accepted password for phil from
xxx.xxx.xxx.xxx port 57220 ssh2
Jun 13 10:43:51 purkinje sshd[3667]: pam_unix(sshd:session): session opened for
user phil by (uid=0)
Jun 13 10:43:51 purkinje sshd[3667]: error: ssh_selinux_setup_pty:
security_compute_relabel: Invalid argument
Jun 13 10:43:51 purkinje sshd[3667]: pam_unix(sshd:session): session closed for
user phil
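The /var/log/secure excerpt above carries the signature that separates this failure from an ordinary authentication problem: pam_unix opens the session, sshd then logs `ssh_selinux_setup_pty: security_compute_relabel: Invalid argument`, and the session is closed in the same second. The POSIX shell script below is an added example and not part of the bug report; it runs awk over a constructed log sample (the host name and first user come from the report, the addresses and the second user are made up) and reports how many sshd sessions hit that error and for which users, which is the check an operator would run across a fleet after a policy update.

```shell
#!/bin/sh
# Added example (not from the bug report): scan sshd log lines for the
# "ssh_selinux_setup_pty: security_compute_relabel" failure that follows a
# successful PAM session open. A login that authenticates but is closed
# immediately after that error is the pattern described in the bug.

# Constructed sample log, modelled on the excerpt in the report. The host name
# and user "phil" are from the report; addresses and "alice" are invented.
SAMPLE_SECURE_LOG='Jun 13 10:43:51 purkinje sshd[3667]: Accepted password for phil from 192.0.2.10 port 57220 ssh2
Jun 13 10:43:51 purkinje sshd[3667]: pam_unix(sshd:session): session opened for user phil by (uid=0)
Jun 13 10:43:51 purkinje sshd[3667]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Jun 13 10:43:51 purkinje sshd[3667]: pam_unix(sshd:session): session closed for user phil
Jun 13 11:02:07 purkinje sshd[3701]: Accepted publickey for alice from 192.0.2.11 port 50122 ssh2
Jun 13 11:02:07 purkinje sshd[3701]: pam_unix(sshd:session): session opened for user alice by (uid=0)'

# count_selinux_pty_failures: read log text on stdin and print the number of
# sshd processes whose session was opened and then hit the relabel error.
# Events are correlated per sshd PID so unrelated lines cannot be mixed up.
count_selinux_pty_failures() {
    awk '
        match($0, /sshd\[[0-9]+\]/) {
            pid = substr($0, RSTART + 5, RLENGTH - 6)
            if ($0 ~ /session opened for user/) opened[pid] = 1
            if (opened[pid] && $0 ~ /ssh_selinux_setup_pty: security_compute_relabel/) {
                failed[pid] = 1
            }
        }
        END {
            n = 0
            for (p in failed) n++
            print n
        }'
}

# failed_users: read log text on stdin and print the user name of every
# session that was cut short by the relabel error, one per line.
failed_users() {
    awk '
        match($0, /sshd\[[0-9]+\]/) {
            pid = substr($0, RSTART + 5, RLENGTH - 6)
            if (match($0, /session opened for user [^ ]+/)) {
                user[pid] = substr($0, RSTART + 24, RLENGTH - 24)
            }
            if ($0 ~ /ssh_selinux_setup_pty: security_compute_relabel/ && (pid in user)) {
                print user[pid]
            }
        }'
}

# Run against the constructed sample; on a real host pipe in /var/log/secure.
printf '%s\n' "$SAMPLE_SECURE_LOG" | count_selinux_pty_failures
printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_users
```

On a live host, `count_selinux_pty_failures < /var/log/secure` gives a quick yes/no for the condition, and the per-user list shows whether every account is affected (as comment 5 below found) or only some.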

Comment 1 Phil Stewart 2008-07-01 09:59:37 UTC
Setting selinux to permissive mode allows successful login, but is not desirable.

Comment 2 Daniel Walsh 2008-07-01 14:03:36 UTC
Check the context on the home directory

restorecon -R -v /home


Comment 3 Phil Stewart 2008-07-01 15:04:58 UTC
[root@purkinje ~]# restorecon -R -v /home
restorecon:  unable to stat file /home/phil/.gvfs: Permission denied

Same error as before when attempting login.

Comment 4 Josef Kubin 2008-07-01 17:14:04 UTC
Did you try:
# setenforce 0
# restorecon -R -v /home
# setenforce 1


Comment 5 Phil Stewart 2008-07-02 09:50:01 UTC
Just tried now, no change.
Also installed today's updates (incl. selinux), no change.
Decided to check that it wasn't just my user, created a new user, no access
either, same error.

Comment 6 Daniel Walsh 2008-07-02 13:37:33 UTC
Please attach the avcs in /var/log/audit/audit.log

Comment 7 Phil Stewart 2008-07-02 13:47:57 UTC
Created attachment 310791 [details]
avcs from /var/log/audit/audit.log

obscured hostname and username after attempting ssh login

Comment 8 Daniel Walsh 2008-07-02 18:47:04 UTC
Please attach the output of

# semodule user -l
# semodule login -l


Comment 9 Daniel Walsh 2008-07-02 20:13:40 UTC
#semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
#semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 __default__
#semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 root
#semanage user -a -S targeted  -P user -R guest_r guest_u
#semanage user -a -S targeted  -P user -R xguest_r xguest_u

I have a feeling these commands failed to execute on update.

If you execute them now and try to login, it should work.

Comment 10 Phil Stewart 2008-07-03 09:14:48 UTC
Created attachment 310900 [details]
semodule has unknown options user and login

Both commands fail to execute because of unknown options, user and login.

Comment 11 Phil Stewart 2008-07-03 09:17:13 UTC
Created attachment 310901 [details]
Output from semanage

All commands execute fine but won't work. Tried restorecon again. Still no joy.

Comment 12 Daniel Walsh 2008-07-03 15:22:08 UTC
Sorry meant to say

# semanage user -l
# semanage login -l


Comment 13 Phil Stewart 2008-07-03 15:30:04 UTC
Created attachment 310934 [details]
Output of semanage -l

Comment 14 Daniel Walsh 2008-07-03 20:09:05 UTC
# ls -lZ /etc/pam.d/sshd*
Does your sshd include pam_selinux?

# grep ssh /etc/selinux/targeted/contexts/users/unconfined_u 
system_r:sshd_t:s0		unconfined_r:unconfined_t:s0
 

Comment 15 Phil Stewart 2008-07-04 09:31:50 UTC
[root@purkinje ~]# ls -lZ /etc/pam.d/sshd*
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/pam.d/sshd
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/pam.d/sshd.rpmnew

[root@purkinje ~]# grep ssh /etc/selinux/targeted/contexts/users/unconfined_u
system_r:sshd_t:s0		unconfined_r:unconfined_t:s0

Comment 16 Daniel Walsh 2008-07-07 15:09:47 UTC
Phil, I think there is a line in the rpmnew file that needs to be added to your
sshd file.

You need the two pam_selinux lines?



Comment 17 Phil Stewart 2008-07-07 15:19:50 UTC
Daniel,

I'm not sure I understand but are you saying I should only have one item in
/etc/pam.d/sshd* (I assume the first) and any differences in the two files
should be merged?

I don't know if I need the two or not, I haven't done that on purpose!

I diffed the two files:

[root@purkinje ~]# diff /etc/pam.d/sshd /etc/pam.d/sshd.rpmnew 
2d1
< auth	   required	pam_abl.so config=/etc/security/pam_abl.conf
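Review bot: the `2d1` hunk shows the local /etc/pam.d/sshd carries a site-specific `auth required pam_abl.so config=/etc/security/pam_abl.conf` rule that the packaged file lacks; copying sshd.rpmnew over sshd wholesale would silently drop that rule, so the pam_selinux changes should be merged into the existing file rather than replacing it.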
7c6,7
< session    optional     pam_keyinit.so force revoke
---
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
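Review bot: `7c6,7` replaces the local `session optional pam_keyinit.so force revoke` line with the `pam_selinux.so close` rule, and the accompanying comment says close has to be the first session rule; when merging by hand, insert the close line above the existing first session rule rather than deleting pam_keyinit here, since the later `9a10,12` hunk only re-adds pam_keyinit after the open rule.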
9a10,12
> # pam_selinux.so open should only be followed by sessions to be executed in
the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
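Review bot: in `9a10,12` the comment line has been wrapped by the bug tracker ("...to be executed in" / "the user context"); in the file it is a single `#` comment line, and a bare second line reading `the user context` would not parse as a valid PAM rule, so do not copy it as two lines. The hunk also moves pam_keyinit after `pam_selinux.so open env_params`, which is consistent with the comment that only rules meant to run in the user's SELinux context should follow open.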


Comment 18 Phil Stewart 2008-07-07 15:25:17 UTC
Daniel,

I thought I might as well try it anyway and it works!

Thank you so much for your help.

Best regards,

Phil

Comment 19 Daniel Walsh 2008-07-07 16:27:45 UTC
SELinux support used to be directly in sshd, but it has been moved directly into
pam.   So if the pam.d files did not update properly you end up with this
problem.  This was done by others, so I was originally confused.  Sorry about
taking so long to figure it out.  
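The resolution in comments 16 to 19 reduces to a check a defender can script after any selinux-policy or openssh update: confirm that /etc/pam.d/sshd actually contains the pam_selinux session rules, that `close` is the first session rule, that `open` comes before pam_keyinit, and that no unmerged .rpmnew copy is sitting next to it. The script below is an added example, not code from the bug thread or from Fedora; the two demo files it writes are constructed so that they reproduce the diff in comment 17 (the lines the diff does not show are filler), and the check functions can be pointed at the real /etc/pam.d directory instead.

```shell
#!/bin/sh
# Added example (not part of the bug thread): audit an sshd PAM stack for the
# pam_selinux session rules this bug turned out to hinge on. The rules checked
# are the ones the .rpmnew file in comment 17 spells out:
#   - "session required pam_selinux.so close" must be the first session rule
#   - "session required pam_selinux.so open"  must come before pam_keyinit
# Demo files are written to a temp dir; real use targets /etc/pam.d.

# session_rules FILE: print only the active session lines, in file order.
session_rules() {
    grep -E '^[[:space:]]*session[[:space:]]' "$1"
}

# check_pam_selinux FILE: return 0 when the stack is sane, otherwise print the
# finding and return a distinct non-zero code for it.
check_pam_selinux() {
    f=$1
    rules=$(session_rules "$f") || { echo "$f: no session rules at all"; return 1; }
    if ! printf '%s\n' "$rules" | grep -q 'pam_selinux\.so[[:space:]]*close'; then
        echo "$f: missing 'pam_selinux.so close' (this is the state in the bug report)"; return 2
    fi
    if ! printf '%s\n' "$rules" | head -n 1 | grep -q 'pam_selinux\.so[[:space:]]*close'; then
        echo "$f: 'pam_selinux.so close' is not the first session rule"; return 3
    fi
    if ! printf '%s\n' "$rules" | grep -q 'pam_selinux\.so[[:space:]]*open'; then
        echo "$f: missing 'pam_selinux.so open'"; return 4
    fi
    open_ln=$(printf '%s\n' "$rules" | grep -n 'pam_selinux\.so[[:space:]]*open' | cut -d: -f1)
    keyinit_ln=$(printf '%s\n' "$rules" | grep -n 'pam_keyinit\.so' | cut -d: -f1)
    if [ -n "$keyinit_ln" ] && [ "$keyinit_ln" -lt "$open_ln" ]; then
        echo "$f: pam_keyinit runs before 'pam_selinux.so open'"; return 5
    fi
    echo "$f: pam_selinux session rules look correct"
    return 0
}

# rpmnew_pending DIR: list unmerged .rpmnew files; return 0 if any exist.
rpmnew_pending() {
    found=$(find "$1" -name '*.rpmnew' 2>/dev/null)
    [ -n "$found" ] && { printf '%s\n' "$found"; return 0; }
    return 1
}

# --- constructed demo files mirroring the two stacks diffed in comment 17 ---
# Lines not visible in that diff are filler; line numbers match the hunks.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd" <<'EOF'
auth       required     pam_sepermit.so
auth       required     pam_abl.so config=/etc/security/pam_abl.conf
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
EOF
cat > "$demo_dir/sshd.rpmnew" <<'EOF'
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
EOF

# The local file fails with code 2; the packaged file passes; and the
# pending .rpmnew is reported. Demo files are left in place for re-runs.
check_pam_selinux "$demo_dir/sshd" || echo "exit status $?"
check_pam_selinux "$demo_dir/sshd.rpmnew" || echo "exit status $?"
rpmnew_pending "$demo_dir" || echo "no .rpmnew files pending"
```

On a live system run `check_pam_selinux /etc/pam.d/sshd` and `rpmnew_pending /etc/pam.d` as root; a non-zero return from the first, or any output from the second, is the state this bug report describes, and the fix is to merge the pam_selinux lines from the .rpmnew copy into the live file as comment 18 confirms.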



