2017-11-23 07:30 UTC

View Issue Details
ID: 0014113
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2017-11-10 17:58
Reporter: berkcelebi
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
OS Version: 7
Summary: 0014113: SELinux is preventing /usr/sbin/sshd from using the 'dac_override' capabilities.
Description:
Description of problem:
I'm trying to ssh my system remotely. I had successful attempts, but every time I reset the PC I need to check all the settings again and again.
sshd should be enabled by default.
SELinux is preventing /usr/sbin/sshd from using the 'dac_override' capabilities.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that sshd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp

Additional Information:
Source Context system_u:system_r:sshd_net_t:s0-s0:c0.c1023
Target Context system_u:system_r:sshd_net_t:s0-s0:c0.c1023
Target Objects Unknown [ capability ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host (removed)
Source RPM Packages openssh-server-7.4p1-13.el7_4.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-693.5.2.el7.x86_64 #1 SMP
                              Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64
Alert Count 59
First Seen 2017-11-08 15:52:21 PST
Last Seen 2017-11-09 10:25:59 PST
Local ID 71bf12ae-8d73-4acf-9351-c6f21642d07f

Raw Audit Messages
type=AVC msg=audit(1510251959.918:114): avc: denied { dac_override } for pid=2666 comm="sshd" capability=1 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tclass=capability


type=AVC msg=audit(1510251959.918:114): avc: denied { dac_read_search } for pid=2666 comm="sshd" capability=2 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1510251959.918:114): arch=x86_64 syscall=chroot success=no exit=EACCES a0=563c970dc5ac a1=7f91dcff8778 a2=ffffffff a3=7ffd9ecfb8c0 items=0 ppid=2665 pid=2666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_net_t,sshd_net_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.13.1-166.el7_4.5.noarch
Additional Information:
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-693.5.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: 09381813f842672224e169b192e0de5bf88cb98652752b8995cdd73cb27d7627

Notes
There are no notes attached to this issue.

Issue History
Date Modified Username Field Change
2017-11-10 17:58 berkcelebi New Issue