View Issue Details

IDProjectCategoryView StatusLast Update
0014113CentOS-7selinux-policypublic2017-11-10 17:58
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0014113: SELinux is preventing /usr/sbin/sshd from using the 'dac_override' capabilities.
DescriptionDescription of problem:
i'm trying to ssh my system remotely, i had successfull attempts but everytime i reset the pc i need to check all the settings again and again.
sshd should be enabled by default
SELinux is preventing /usr/sbin/sshd from using the 'dac_override' capabilities.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that sshd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp

Additional Information:
Source Context system_u:system_r:sshd_net_t:s0-s0:c0.c1023
Target Context system_u:system_r:sshd_net_t:s0-s0:c0.c1023
Target Objects Unknown [ capability ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host (removed)
Source RPM Packages openssh-server-7.4p1-13.el7_4.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-693.5.2.el7.x86_64 #1 SMP
                              Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64
Alert Count 59
First Seen 2017-11-08 15:52:21 PST
Last Seen 2017-11-09 10:25:59 PST
Local ID 71bf12ae-8d73-4acf-9351-c6f21642d07f

Raw Audit Messages
type=AVC msg=audit(1510251959.918:114): avc: denied { dac_override } for pid=2666 comm="sshd" capability=1 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(1510251959.918:114): avc: denied { dac_read_search } for pid=2666 comm="sshd" capability=2 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1510251959.918:114): arch=x86_64 syscall=chroot success=no exit=EACCES a0=563c970dc5ac a1=7f91dcff8778 a2=ffffffff a3=7ffd9ecfb8c0 items=0 ppid=2665 pid=2666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_net_t,sshd_net_t,capability,dac_override

Version-Release number of selected component:
Additional Informationreporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-693.5.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2017-11-10 17:58 berkcelebi New Issue