[DSE-Dev] Bug#739590: Bug#739590: selinux-policy-default: ssh & bind9 broken by removal of hotplug script initrc labelling

Devin Carraway devin at debian.org
Thu Feb 20 09:25:31 UTC 2014


On Thu, Feb 20, 2014 at 10:15:54AM +0100, Laurent Bigonville wrote:
> Could you please attach the AVC denials to the bug.

Sure, here you are -- this was taken in permissive mode obviously.  The
openssh-server command referred to in the first ssh-related denial is
/etc/network/if-up.d/openssh-server (there's only one other file by
that name on the system, and that's nonexecutable under /etc/ufw/).

type=AVC msg=audit(1392875609.055:17): avc:  denied  { getattr } for  pid=2746 comm="rndc" path="/etc/bind/rndc.key" dev="sda5" ino=76857 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnssec_t:s0 tclass=file
type=AVC msg=audit(1392875609.055:18): avc:  denied  { read } for  pid=2746 comm="rndc" name="rndc.key" dev="sda5" ino=76857 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnssec_t:s0 tclass=file
type=AVC msg=audit(1392875609.055:18): avc:  denied  { open } for  pid=2746 comm="rndc" path="/etc/bind/rndc.key" dev="sda5" ino=76857 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnssec_t:s0 tclass=file
type=AVC msg=audit(1392875609.055:19): avc:  denied  { node_bind } for  pid=2748 comm="rndc" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1392875609.055:20): avc:  denied  { name_connect } for  pid=2748 comm="rndc" dest=953 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rndc_port_t:s0 tclass=tcp_socket
...
type=AVC msg=audit(1392875609.071:21): avc:  denied  { getattr } for  pid=2759 comm="openssh-server" path="/run/sshd.pid" dev="tmpfs" ino=4801 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=file
type=AVC msg=audit(1392875609.071:22): avc:  denied  { read } for  pid=2761 comm="cat" name="sshd.pid" dev="tmpfs" ino=4801 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=file
type=AVC msg=audit(1392875609.071:22): avc:  denied  { open } for  pid=2761 comm="cat" path="/run/sshd.pid" dev="tmpfs" ino=4801 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=file
type=AVC msg=audit(1392875609.087:23): avc:  denied  { getattr } for  pid=2779 comm="ssh" path="/run/sshd" dev="tmpfs" ino=7810 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1392875609.091:24): avc:  denied  { read } for  pid=2784 comm="sshd" name="ssh_host_rsa_key" dev="sda5" ino=60118 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=AVC msg=audit(1392875609.091:24): avc:  denied  { open } for  pid=2784 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda5" ino=60118 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
[and so forth until one runs out of disk or patience]

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 4096R/9197B5F9: 9C64 37CD 1B7B 029D 0933  49EA 1E52 7672 9197 B5F9
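As an added illustration (this is not part of the message above or of the Debian policy package), the following Python helper parses AVC records of the form quoted in this reply and groups them by source type, target type and object class, then lists which programs were found running in a given domain. The sample input consists of the denial lines quoted in the message; the function and variable names are the example's own.

```python
"""Group AVC denials by (source type, target type, class) and list the
programs observed in a domain.  Sample records are the ones quoted in the
message above."""
import re
from collections import defaultdict

# key=value pairs; values are either quoted (comm="rndc") or bare (pid=2746).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# The permission set inside "avc:  denied  { getattr } for ...".
_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')

# Lines quoted from the reply above (audit(...) records copied verbatim).
SAMPLE = [
    'type=AVC msg=audit(1392875609.055:17): avc:  denied  { getattr } for  pid=2746 comm="rndc" path="/etc/bind/rndc.key" dev="sda5" ino=76857 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnssec_t:s0 tclass=file',
    'type=AVC msg=audit(1392875609.055:18): avc:  denied  { read } for  pid=2746 comm="rndc" name="rndc.key" dev="sda5" ino=76857 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnssec_t:s0 tclass=file',
    'type=AVC msg=audit(1392875609.055:18): avc:  denied  { open } for  pid=2746 comm="rndc" path="/etc/bind/rndc.key" dev="sda5" ino=76857 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnssec_t:s0 tclass=file',
    'type=AVC msg=audit(1392875609.055:19): avc:  denied  { node_bind } for  pid=2748 comm="rndc" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1392875609.055:20): avc:  denied  { name_connect } for  pid=2748 comm="rndc" dest=953 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rndc_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1392875609.071:21): avc:  denied  { getattr } for  pid=2759 comm="openssh-server" path="/run/sshd.pid" dev="tmpfs" ino=4801 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1392875609.071:22): avc:  denied  { read } for  pid=2761 comm="cat" name="sshd.pid" dev="tmpfs" ino=4801 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1392875609.071:22): avc:  denied  { open } for  pid=2761 comm="cat" path="/run/sshd.pid" dev="tmpfs" ino=4801 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1392875609.087:23): avc:  denied  { getattr } for  pid=2779 comm="ssh" path="/run/sshd" dev="tmpfs" ino=7810 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1392875609.091:24): avc:  denied  { read } for  pid=2784 comm="sshd" name="ssh_host_rsa_key" dev="sda5" ino=60118 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file',
    'type=AVC msg=audit(1392875609.091:24): avc:  denied  { open } for  pid=2784 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda5" ino=60118 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file',
]


def parse_avc(line):
    """Return a dict of fields for one 'avc: denied' record, else None."""
    m = _PERMS.search(line)
    if m is None:
        return None
    rec = {'perms': set(m.group(1).split())}
    for key, raw, quoted in _KV.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def type_of(context):
    """The SELinux type from a user:role:type[:range] context string."""
    return context.split(':')[2]


def summarize(lines):
    """Map (source type, target type, tclass) -> union of denied permissions."""
    table = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        table[key] |= rec['perms']
    return dict(table)


def commands_in_domain(lines, domain):
    """Sorted comm= values of processes whose source type is `domain`."""
    return sorted({rec['comm'] for rec in map(parse_avc, lines)
                   if rec is not None and type_of(rec['scontext']) == domain})


if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f'{src} -> {tgt}:{cls} {{ {" ".join(sorted(perms))} }}')
    print('running as udev_t:', commands_in_domain(SAMPLE, 'udev_t'))
```

Every record in the sample has udev_t as its source type while the programs involved (rndc, sshd, ssh, cat and the openssh-server if-up.d script) are not udev's own; that pattern is the diagnostic signal here, and it argues against turning the output into audit2allow rules for udev_t. The bug's subject line attributes the breakage to the removal of the initrc labelling of the hotplug scripts, so the denials are evidence of a missing domain transition rather than of permissions udev_t ought to have.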