Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/06/2014 01:45 AM, Dan Callaghan wrote:
> Excerpts from Dan Callaghan's message of 2014-03-06 16:43:26 +1000:
>> Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000:
>>> This is caused by sshd running with the wrong label, It should be 
>>> running as sshd_t not init_t.  If the executable labeled sshd_exec_t?
>>> 
>>> ls -lZ /usr/sbin/sshd
>>> 
>>> restorecon -v /usr/sbin/sshd
>>> 
>>> should fix the label.
>> 
>> I started getting the same AVC denials a week or so ago. My 
>> /usr/sbin/sshd was indeed wrongly labelled:
>> 
>> $ ll -Z /usr/sbin/sshd -rwxr-xr-x. root root
>> unconfined_u:object_r:bin_t:s0   /usr/sbin/sshd $ sudo restorecon -v
>> /usr/sbin/sshd restorecon reset /usr/sbin/sshd context
>> unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:sshd_exec_t:s0
>> 
>> What I'm wondering is, how did it become wrongly labelled? Nothing else 
>> on my filesystem was wrong, according to restorecon.
>> 
>> The errors only appear in my logs after sshd was restarted on 24 Feb for
>>  a yum upgrade. The updated packages included:
>> 
>> selinux-policy-3.12.1-122.fc20.noarch openssh-server-6.4p1-3.fc20.x86_64
>> 
>> (among many others). Any hints on how I can figure out what went wrong 
>> with the labelling of /usr/sbin/sshd?
> 
> Oh, I forgot that the yum upgrade on 24 Feb was actually from F19->F20, 
> just like Philip who originally started this thread.
> 
> I suppose that means we just write it off as "upgrading between releases is
> not supported" then...
> 
> 
> 
I don't know what happened.  We have seen this bug usually when people are
updating from older Fedoras to F20.  It is strange, and I would figure it is
something with rpm, or something in the sshd package.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMYgsgACgkQrlYvE4MpobNdEwCfTyrlhx/WCsZumpK5VM62zWBF
1RMAoL3Pi7RK1zebSH+OwKL4eAxjJYSL
=mwRc
-----END PGP SIGNATURE-----
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux