sshd got blocked by SELinux on fedora rawhide

Yet again two months have slipped by since my last post...
I feel like I say that every time, but anyway: I found a job!

Today, in between work, I set about building a Linux environment on my work PC for development.
I installed Fedora with a minimal configuration, tried to log in over SSH,
and for some reason it behaved as if it were rejecting me, so I looked into it.

The short version is that SELinux was involved, but no,

_人人人人人人人人_
> SELinux again?! <
 ̄Y^Y^Y^Y^Y^Y^Y ̄

is not what I was thinking, lol

Anyway, first things first: look at /var/log/audit/audit.log...

I just pulled these out with a plain grep, so please forgive the duplicates... lol

type=AVC msg=audit(1398163354.168:407): avc: denied { mounton } for pid=1231 comm="systemd-logind" path="/run/user/1000" dev="tmpfs" ino=15430 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1398163354.168:408): avc: denied { mounton } for pid=1231 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=14594 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1398163354.168:409): avc: denied { mounton } for pid=1231 comm="systemd-logind" path="/run/user/1000" dev="tmpfs" ino=15430 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1398163381.360:415): avc: denied { read } for pid=1231 comm="systemd-logind" name="/" dev="tmpfs" ino=7506 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1398163381.363:416): avc: denied { read } for pid=1231 comm="systemd-logind" name="/" dev="mqueue" ino=7479 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1398133051.276:333): avc: denied { dyntransition } for pid=898 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
type=USER_AVC msg=audit(1398133057.824:346): pid=451 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.8 spid=449 tpid=897 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1398133081.432:352): avc: denied { dyntransition } for pid=905 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133081.509:355): avc: denied { transition } for pid=906 comm="sshd" path="/usr/bin/bash" dev="dm-1" ino=1966782 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133147.605:366): avc: denied { dyntransition } for pid=914 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
type=USER_AVC msg=audit(1398133157.023:379): pid=451 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.9 spid=449 tpid=913 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1398133180.643:393): avc: denied { dyntransition } for pid=949 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133180.719:396): avc: denied { transition } for pid=950 comm="sshd" path="/usr/bin/bash" dev="dm-1" ino=1966782 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133300.890:418): avc: denied { dyntransition } for pid=985 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
type=AVC msg=audit(1398133306.231:424): avc: denied { sigchld } for pid=984 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=USER_AVC msg=audit(1398133306.688:430): pid=451 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.12 spid=449 tpid=984 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1398133306.765:436): avc: denied { dyntransition } for pid=988 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133361.882:453): avc: denied { dyntransition } for pid=1041 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
type=AVC msg=audit(1398133367.213:459): avc: denied { sigchld } for pid=1040 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=AVC msg=audit(1398133367.673:469): avc: denied { dyntransition } for pid=1044 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133800.714:491): avc: denied { dyntransition } for pid=1101 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
type=USER_AVC msg=audit(1398133805.950:502): pid=451 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=449 tpid=1100 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1398133830.900:513): avc: denied { dyntransition } for pid=1108 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133831.014:516): avc: denied { transition } for pid=1109 comm="sshd" path="/usr/bin/bash" dev="dm-1" ino=1966782 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133970.306:532): avc: denied { dyntransition } for pid=1120 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
type=USER_AVC msg=audit(1398133974.395:542): pid=451 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=449 tpid=1119 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1398133999.339:555): avc: denied { dyntransition } for pid=1141 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133999.427:558): avc: denied { transition } for pid=1142 comm="sshd" path="/usr/bin/bash" dev="dm-1" ino=1966782 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=USER_AVC msg=audit(1398141622.820:672): pid=451 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.25 spid=449 tpid=1040 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I see, so there are denied entries for /usr/sbin/sshd...

Since I could log in via the console, I guessed the label was probably wrong,
and searching on that assumption turned up the following page:

Sshd getting ‘dyntransition’ AVC’s in SElinux enforcing mode

That was exactly it.

I ran the following in order and sshd came back to life.

[mitto@fedora ~]$ ls -lZ /usr/sbin/sshd
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/sbin/sshd
[mitto@fedora ~]$ sudo restorecon -v /usr/sbin/sshd
restorecon reset /usr/sbin/sshd context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:sshd_exec_t:s0
[mitto@fedora ~]$ ls -lZ /usr/sbin/sshd
-rwxr-xr-x. root root unconfined_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd
[mitto@fedora ~]$ sudo service sshd restart
Redirecting to /bin/systemctl restart sshd.service

So the cause was that somewhere in the update process the label, which should have been "unconfined_u:object_r:sshd_exec_t:s0", had ended up as "unconfined_u:object_r:bin_t:s0"...

See you~
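The grepped log above is mostly repeats of the same few denials, and the fix came down to one mislabelled file. The following is an added example (my own code, not from the post) that collapses audit lines into distinct denials and checks whether a file context carries the sshd_exec_t type; it assumes POSIX awk, cut and sort, and that on a live system `stat -c %C /usr/sbin/sshd` is used to read the context. The sample lines are constructed from the post's excerpt.

```shell
# Added example (not from the post): dedupe grepped AVC lines, and check a file context.
# Constructed sample, modelled on the post's audit.log excerpt.
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1398133051.276:333): avc: denied { dyntransition } for pid=898 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
type=AVC msg=audit(1398133081.432:352): avc: denied { dyntransition } for pid=905 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133081.509:355): avc: denied { transition } for pid=906 comm="sshd" path="/usr/bin/bash" dev="dm-1" ino=1966782 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1398133147.605:366): avc: denied { dyntransition } for pid=914 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
EOF
)
# summarise_avc: stdin audit lines -> "<count> <comm> <perms> <src type> -> <tgt type> (<class>)"
# (only the SELinux type, the third field of each context, is kept).
summarise_avc() {
    awk '
    /avc: *denied/ {
        perm = ""; comm = "?"; st = "?"; tt = "?"; cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm "," $j)
            } else if (index($i, "comm=") == 1) {
                comm = substr($i, 6); gsub(/"/, "", comm)
            } else if (index($i, "scontext=") == 1) {
                split(substr($i, 10), a, ":"); st = a[3]
            } else if (index($i, "tcontext=") == 1) {
                split(substr($i, 10), a, ":"); tt = a[3]
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8)
            }
        }
        n[comm " " perm " " st " -> " tt " (" cls ")"]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}
# label_type: SELinux type of a context like unconfined_u:object_r:bin_t:s0
label_type() { printf '%s\n' "$1" | cut -d: -f3; }
# sshd_label_ok: true only for the context /usr/sbin/sshd must carry. On a live
# box feed it "$(stat -c %C /usr/sbin/sshd)"; failure means run restorecon.
sshd_label_ok() { [ "$(label_type "$1")" = "sshd_exec_t" ]; }
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
```

The four sample lines collapse to three distinct denials, and the bin_t context from the post fails the label check while sshd_exec_t passes.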
