Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/06/2014 01:45 AM, Dan Callaghan wrote: Excerpts from Dan Callaghan's message of 2014-03-06 16:43:26 +1000: Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000: This is caused by sshd running with the wrong label, It should be running as sshd_t not init_t. If the executable labeled sshd_exec_t? ls -lZ /usr/sbin/sshd restorecon -v /usr/sbin/sshd should fix the label. I started getting the same AVC denials a week or so ago. My /usr/sbin/sshd was indeed wrongly labelled: $ ll -Z /usr/sbin/sshd -rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/sbin/sshd $ sudo restorecon -v /usr/sbin/sshd restorecon reset /usr/sbin/sshd context unconfined_u:object_r:bin_t:s0-unconfined_u:object_r:sshd_exec_t:s0 What I'm wondering is, how did it become wrongly labelled? Nothing else on my filesystem was wrong, according to restorecon. The errors only appear in my logs after sshd was restarted on 24 Feb for a yum upgrade. The updated packages included: selinux-policy-3.12.1-122.fc20.noarch openssh-server-6.4p1-3.fc20.x86_64 (among many others). Any hints on how I can figure out what went wrong with the labelling of /usr/sbin/sshd? Oh, I forgot that the yum upgrade on 24 Feb was actually from F19-F20, just like Philip who originally started this thread. I suppose that means we just write it off as upgrading between releases is not supported then... I don't know what happened. We have seen this bug usually when people are updating from older Fedoras to F20. It is strange, and I would figure it is something with rpm, or something in the sshd package. -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlMYgsgACgkQrlYvE4MpobNdEwCfTyrlhx/WCsZumpK5VM62zWBF 1RMAoL3Pi7RK1zebSH+OwKL4eAxjJYSL =mwRc -END PGP SIGNATURE- -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode
Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000: This is caused by sshd running with the wrong label, It should be running as sshd_t not init_t. If the executable labeled sshd_exec_t? ls -lZ /usr/sbin/sshd restorecon -v /usr/sbin/sshd should fix the label. I started getting the same AVC denials a week or so ago. My /usr/sbin/sshd was indeed wrongly labelled: $ ll -Z /usr/sbin/sshd -rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/sbin/sshd $ sudo restorecon -v /usr/sbin/sshd restorecon reset /usr/sbin/sshd context unconfined_u:object_r:bin_t:s0-unconfined_u:object_r:sshd_exec_t:s0 What I'm wondering is, how did it become wrongly labelled? Nothing else on my filesystem was wrong, according to restorecon. The errors only appear in my logs after sshd was restarted on 24 Feb for a yum upgrade. The updated packages included: selinux-policy-3.12.1-122.fc20.noarch openssh-server-6.4p1-3.fc20.x86_64 (among many others). Any hints on how I can figure out what went wrong with the labelling of /usr/sbin/sshd? -- Dan Callaghan dcall...@redhat.com Software Engineer, Hosted Shared Services Red Hat, Inc. signature.asc Description: PGP signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode
Excerpts from Dan Callaghan's message of 2014-03-06 16:43:26 +1000: Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000: This is caused by sshd running with the wrong label, It should be running as sshd_t not init_t. If the executable labeled sshd_exec_t? ls -lZ /usr/sbin/sshd restorecon -v /usr/sbin/sshd should fix the label. I started getting the same AVC denials a week or so ago. My /usr/sbin/sshd was indeed wrongly labelled: $ ll -Z /usr/sbin/sshd -rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/sbin/sshd $ sudo restorecon -v /usr/sbin/sshd restorecon reset /usr/sbin/sshd context unconfined_u:object_r:bin_t:s0-unconfined_u:object_r:sshd_exec_t:s0 What I'm wondering is, how did it become wrongly labelled? Nothing else on my filesystem was wrong, according to restorecon. The errors only appear in my logs after sshd was restarted on 24 Feb for a yum upgrade. The updated packages included: selinux-policy-3.12.1-122.fc20.noarch openssh-server-6.4p1-3.fc20.x86_64 (among many others). Any hints on how I can figure out what went wrong with the labelling of /usr/sbin/sshd? Oh, I forgot that the yum upgrade on 24 Feb was actually from F19-F20, just like Philip who originally started this thread. I suppose that means we just write it off as upgrading between releases is not supported then... -- Dan Callaghan dcall...@redhat.com Software Engineer, Hosted Shared Services Red Hat, Inc. signature.asc Description: PGP signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/27/2013 05:06 PM, Philip Prindeville wrote: I’m seeing the following after an update (via yum) from F19 to F20: time-Tue Dec 24 16:05:44 2013 type=SYSCALL msg=audit(1387926344.492:5867): arch=c03e syscall=1 success=no exit=-13 a0=6 a1=7f4e5e7afbb0 a2=20 a3=7fff44c2c550 items=0 ppid=686 pid=693 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1387926344.492:5867): avc: denied { dyntransition } for pid=693 comm=sshd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process time-Tue Dec 24 16:05:45 2013 type=SYSCALL msg=audit(1387926345.093:5883): arch=c03e syscall=1 success=no exit=-13 a0=7 a1=7f4e5e7acef0 a2=2a a3=666e6f636e753a72 items=0 ppid=686 pid=706 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=627 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1387926345.093:5883): avc: denied { dyntransition } for pid=706 comm=sshd scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Is this a known issue? I’m running: selinux-policy-devel-3.12.1-106.fc20.noarch selinux-policy-targeted-3.12.1-106.fc20.noarch selinux-policy-doc-3.12.1-106.fc20.noarch selinux-policy-3.12.1-106.fc20.noarch openssh-clients-6.4p1-3.fc20.x86_64 openssh-6.4p1-3.fc20.x86_64 openssh-server-6.4p1-3.fc20.x86_64 Thanks, -Philip This is caused by sshd running with the wrong label, It should be running as sshd_t not init_t. If the executable labeled sshd_exec_t? ls -lZ /usr/sbin/sshd restorecon -v /usr/sbin/sshd should fix the label. -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlLFieQACgkQrlYvE4MpobP9MgCfc021YV5LYtmoTfa6I4wMWbus A8wAniWyoTqQWpmhvQ8gN2SCKvtAcNGh =FGdE -END PGP SIGNATURE- -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Sshd getting 'dyntransition' AVC's in SElinux enforcing mode
I’m seeing the following after an update (via yum) from F19 to F20: time-Tue Dec 24 16:05:44 2013 type=SYSCALL msg=audit(1387926344.492:5867): arch=c03e syscall=1 success=no exit=-13 a0=6 a1=7f4e5e7afbb0 a2=20 a3=7fff44c2c550 items=0 ppid=686 pid=693 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1387926344.492:5867): avc: denied { dyntransition } for pid=693 comm=sshd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process time-Tue Dec 24 16:05:45 2013 type=SYSCALL msg=audit(1387926345.093:5883): arch=c03e syscall=1 success=no exit=-13 a0=7 a1=7f4e5e7acef0 a2=2a a3=666e6f636e753a72 items=0 ppid=686 pid=706 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=627 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1387926345.093:5883): avc: denied { dyntransition } for pid=706 comm=sshd scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Is this a known issue? I’m running: selinux-policy-devel-3.12.1-106.fc20.noarch selinux-policy-targeted-3.12.1-106.fc20.noarch selinux-policy-doc-3.12.1-106.fc20.noarch selinux-policy-3.12.1-106.fc20.noarch openssh-clients-6.4p1-3.fc20.x86_64 openssh-6.4p1-3.fc20.x86_64 openssh-server-6.4p1-3.fc20.x86_64 Thanks, -Philip -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode
Le vendredi 27 décembre 2013 à 15:06 -0700, Philip Prindeville a écrit : I’m seeing the following after an update (via yum) from F19 to F20: time-Tue Dec 24 16:05:44 2013 type=SYSCALL msg=audit(1387926344.492:5867): arch=c03e syscall=1 success=no exit=-13 a0=6 a1=7f4e5e7afbb0 a2=20 a3=7fff44c2c550 items=0 ppid=686 pid=693 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1387926344.492:5867): avc: denied { dyntransition } for pid=693 comm=sshd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process time-Tue Dec 24 16:05:45 2013 type=SYSCALL msg=audit(1387926345.093:5883): arch=c03e syscall=1 success=no exit=-13 a0=7 a1=7f4e5e7acef0 a2=2a a3=666e6f636e753a72 items=0 ppid=686 pid=706 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=627 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1387926345.093:5883): avc: denied { dyntransition } for pid=706 comm=sshd scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Is this a known issue? I’m running: Can you make sure the label is correct on the fs ( ie, relabel the whole / ), as this seems to be a wrongly labeled sshd. -- Michael Scherer -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct