subject:"Sshd getting 'dyntransition' AVC's in SElinux enforcing mode"

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2014-03-06 Thread Daniel J Walsh

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 03/06/2014 01:45 AM, Dan Callaghan wrote:
 Excerpts from Dan Callaghan's message of 2014-03-06 16:43:26 +1000:
 Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000:
 This is caused by sshd running with the wrong label, It should be 
 running as sshd_t not init_t.  If the executable labeled sshd_exec_t?
 
 ls -lZ /usr/sbin/sshd
 
 restorecon -v /usr/sbin/sshd
 
 should fix the label.
 
 I started getting the same AVC denials a week or so ago. My 
 /usr/sbin/sshd was indeed wrongly labelled:
 
 $ ll -Z /usr/sbin/sshd -rwxr-xr-x. root root
 unconfined_u:object_r:bin_t:s0   /usr/sbin/sshd $ sudo restorecon -v
 /usr/sbin/sshd restorecon reset /usr/sbin/sshd context
 unconfined_u:object_r:bin_t:s0-unconfined_u:object_r:sshd_exec_t:s0
 
 What I'm wondering is, how did it become wrongly labelled? Nothing else 
 on my filesystem was wrong, according to restorecon.
 
 The errors only appear in my logs after sshd was restarted on 24 Feb for
  a yum upgrade. The updated packages included:
 
 selinux-policy-3.12.1-122.fc20.noarch openssh-server-6.4p1-3.fc20.x86_64
 
 (among many others). Any hints on how I can figure out what went wrong 
 with the labelling of /usr/sbin/sshd?
 
 Oh, I forgot that the yum upgrade on 24 Feb was actually from F19-F20, 
 just like Philip who originally started this thread.
 
 I suppose that means we just write it off as upgrading between releases is
 not supported then...
 
 
 
I don't know what happened.  We have seen this bug usually when people are
updating from older Fedoras to F20.  It is strange, and I would figure it is
something with rpm, or something in the sshd package.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMYgsgACgkQrlYvE4MpobNdEwCfTyrlhx/WCsZumpK5VM62zWBF
1RMAoL3Pi7RK1zebSH+OwKL4eAxjJYSL
=mwRc
-END PGP SIGNATURE-
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2014-03-05 Thread Dan Callaghan

Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000:
 This is caused by sshd running with the wrong label, It should be 
 running as sshd_t not init_t.  If the executable labeled sshd_exec_t?
 
 ls -lZ /usr/sbin/sshd
 
 restorecon -v /usr/sbin/sshd
 
 should fix the label.

I started getting the same AVC denials a week or so ago. My 
/usr/sbin/sshd was indeed wrongly labelled:

$ ll -Z /usr/sbin/sshd
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /usr/sbin/sshd
$ sudo restorecon -v /usr/sbin/sshd
restorecon reset /usr/sbin/sshd context 
unconfined_u:object_r:bin_t:s0-unconfined_u:object_r:sshd_exec_t:s0

What I'm wondering is, how did it become wrongly labelled? Nothing else 
on my filesystem was wrong, according to restorecon.

The errors only appear in my logs after sshd was restarted on 24 Feb for 
a yum upgrade. The updated packages included:

selinux-policy-3.12.1-122.fc20.noarch
openssh-server-6.4p1-3.fc20.x86_64

(among many others). Any hints on how I can figure out what went wrong 
with the labelling of /usr/sbin/sshd?

-- 
Dan Callaghan dcall...@redhat.com
Software Engineer, Hosted  Shared Services
Red Hat, Inc.


signature.asc
Description: PGP signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2014-03-05 Thread Dan Callaghan

Excerpts from Dan Callaghan's message of 2014-03-06 16:43:26 +1000:
 Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000:
  This is caused by sshd running with the wrong label, It should be 
  running as sshd_t not init_t.  If the executable labeled sshd_exec_t?
  
  ls -lZ /usr/sbin/sshd
  
  restorecon -v /usr/sbin/sshd
  
  should fix the label.
 
 I started getting the same AVC denials a week or so ago. My 
 /usr/sbin/sshd was indeed wrongly labelled:
 
 $ ll -Z /usr/sbin/sshd
 -rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /usr/sbin/sshd
 $ sudo restorecon -v /usr/sbin/sshd
 restorecon reset /usr/sbin/sshd context 
 unconfined_u:object_r:bin_t:s0-unconfined_u:object_r:sshd_exec_t:s0
 
 What I'm wondering is, how did it become wrongly labelled? Nothing else 
 on my filesystem was wrong, according to restorecon.
 
 The errors only appear in my logs after sshd was restarted on 24 Feb for 
 a yum upgrade. The updated packages included:
 
 selinux-policy-3.12.1-122.fc20.noarch
 openssh-server-6.4p1-3.fc20.x86_64
 
 (among many others). Any hints on how I can figure out what went wrong 
 with the labelling of /usr/sbin/sshd?

Oh, I forgot that the yum upgrade on 24 Feb was actually from F19-F20, 
just like Philip who originally started this thread.

I suppose that means we just write it off as upgrading between releases 
is not supported then...

-- 
Dan Callaghan dcall...@redhat.com
Software Engineer, Hosted  Shared Services
Red Hat, Inc.


signature.asc
Description: PGP signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2014-01-02 Thread Daniel J Walsh

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/27/2013 05:06 PM, Philip Prindeville wrote:
 I’m seeing the following after an update (via yum) from F19 to F20:
 
  time-Tue Dec 24 16:05:44 2013 type=SYSCALL
 msg=audit(1387926344.492:5867): arch=c03e syscall=1 success=no exit=-13
 a0=6 a1=7f4e5e7afbb0 a2=20 a3=7fff44c2c550 items=0 ppid=686 pid=693
 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd
 subj=system_u:system_r:init_t:s0 key=(null) type=AVC
 msg=audit(1387926344.492:5867): avc:  denied  { dyntransition } for
 pid=693 comm=sshd scontext=system_u:system_r:init_t:s0
 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process  time-Tue Dec
 24 16:05:45 2013 type=SYSCALL msg=audit(1387926345.093:5883): arch=c03e
 syscall=1 success=no exit=-13 a0=7 a1=7f4e5e7acef0 a2=2a
 a3=666e6f636e753a72 items=0 ppid=686 pid=706 auid=1000 uid=1000 gid=1000
 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=627
 tty=(none) comm=sshd exe=/usr/sbin/sshd
 subj=system_u:system_r:init_t:s0 key=(null) type=AVC
 msg=audit(1387926345.093:5883): avc:  denied  { dyntransition } for
 pid=706 comm=sshd scontext=system_u:system_r:init_t:s0
 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
 
 
 Is this a known issue?  I’m running:
 
 selinux-policy-devel-3.12.1-106.fc20.noarch 
 selinux-policy-targeted-3.12.1-106.fc20.noarch 
 selinux-policy-doc-3.12.1-106.fc20.noarch 
 selinux-policy-3.12.1-106.fc20.noarch openssh-clients-6.4p1-3.fc20.x86_64 
 openssh-6.4p1-3.fc20.x86_64 openssh-server-6.4p1-3.fc20.x86_64
 
 Thanks,
 
 -Philip
 
This is caused by sshd running with the wrong label, It should be running as
sshd_t not init_t.  If the executable labeled sshd_exec_t?

ls -lZ /usr/sbin/sshd

restorecon -v /usr/sbin/sshd

should fix the label.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLFieQACgkQrlYvE4MpobP9MgCfc021YV5LYtmoTfa6I4wMWbus
A8wAniWyoTqQWpmhvQ8gN2SCKvtAcNGh
=FGdE
-END PGP SIGNATURE-
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2013-12-27 Thread Philip Prindeville

I’m seeing the following after an update (via yum) from F19 to F20:


time-Tue Dec 24 16:05:44 2013
type=SYSCALL msg=audit(1387926344.492:5867): arch=c03e syscall=1 success=no 
exit=-13 a0=6 a1=7f4e5e7afbb0 a2=20 a3=7fff44c2c550 items=0 ppid=686 pid=693 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd 
subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1387926344.492:5867): avc:  denied  { dyntransition } for  
pid=693 comm=sshd scontext=system_u:system_r:init_t:s0 
tcontext=system_u:system_r:sshd_net_t:s0 tclass=process

time-Tue Dec 24 16:05:45 2013
type=SYSCALL msg=audit(1387926345.093:5883): arch=c03e syscall=1 success=no 
exit=-13 a0=7 a1=7f4e5e7acef0 a2=2a a3=666e6f636e753a72 items=0 ppid=686 
pid=706 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
sgid=1000 fsgid=1000 ses=627 tty=(none) comm=sshd exe=/usr/sbin/sshd 
subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1387926345.093:5883): avc:  denied  { dyntransition } for  
pid=706 comm=sshd scontext=system_u:system_r:init_t:s0 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process


Is this a known issue?  I’m running:

selinux-policy-devel-3.12.1-106.fc20.noarch
selinux-policy-targeted-3.12.1-106.fc20.noarch
selinux-policy-doc-3.12.1-106.fc20.noarch
selinux-policy-3.12.1-106.fc20.noarch
openssh-clients-6.4p1-3.fc20.x86_64
openssh-6.4p1-3.fc20.x86_64
openssh-server-6.4p1-3.fc20.x86_64

Thanks,

-Philip

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2013-12-27 Thread Michael Scherer

Le vendredi 27 décembre 2013 à 15:06 -0700, Philip Prindeville a écrit :
 I’m seeing the following after an update (via yum) from F19 to F20:
 
 
 time-Tue Dec 24 16:05:44 2013
 type=SYSCALL msg=audit(1387926344.492:5867): arch=c03e syscall=1 
 success=no exit=-13 a0=6 a1=7f4e5e7afbb0 a2=20 a3=7fff44c2c550 items=0 
 ppid=686 pid=693 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd 
 subj=system_u:system_r:init_t:s0 key=(null)
 type=AVC msg=audit(1387926344.492:5867): avc:  denied  { dyntransition } for  
 pid=693 comm=sshd scontext=system_u:system_r:init_t:s0 
 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
 
 time-Tue Dec 24 16:05:45 2013
 type=SYSCALL msg=audit(1387926345.093:5883): arch=c03e syscall=1 
 success=no exit=-13 a0=7 a1=7f4e5e7acef0 a2=2a a3=666e6f636e753a72 items=0 
 ppid=686 pid=706 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 
 egid=1000 sgid=1000 fsgid=1000 ses=627 tty=(none) comm=sshd 
 exe=/usr/sbin/sshd subj=system_u:system_r:init_t:s0 key=(null)
 type=AVC msg=audit(1387926345.093:5883): avc:  denied  { dyntransition } for  
 pid=706 comm=sshd scontext=system_u:system_r:init_t:s0 
 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
 
 
 Is this a known issue?  I’m running:

Can you make sure the label is correct on the fs ( ie, relabel the
whole / ), as this seems to be a wrongly labeled sshd.

-- 
Michael Scherer

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

6 matches

Site Navigation

Mail list logo

Footer information