Fedora Linux Support Community & Resources Center

  #1  
Old 6th March 2010, 06:10 AM
blueflame Offline
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 35
SELinux blocking sshd access to shadow

I'm trying to set up ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to log in from another machine using ssh and the login is denied:
Code:
sshd[3025]: error: Could not get shadow information for <user>
sshd[3025]: Failed password for <user> from <ip> port <port> ssh2
If I do a 'setenforce 0' I can log in and no error is logged.

Does anyone know what SELinux setting is causing this and how to fix it?
  #2  
Old 6th March 2010, 09:40 AM
Nokia Offline
Registered User
 
Join Date: Aug 2006
Location: /dev/realm/{Abba,Carpenters,...stage}
Posts: 3,286
Post
Code:
rpm -q selinux-policy{,-targeted}
__________________
For safer browsing, use OpenDNS nameservers 208.67.222.222 and 208.67.220.220

SELinux User Guide

AutoPager
  #3  
Old 6th March 2010, 11:53 AM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
Re: SELinux blocking sshd access to shadow

Can you please enclose AVC denials. AVC denials have all the information we need to make proper security decisions.
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
  #4  
Old 6th March 2010, 12:24 PM
blueflame Offline
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 35
Re: SELinux blocking sshd access to shadow

Quote:
Originally Posted by domg472 View Post
Can you please enclose AVC denials. AVC denials have all the information we need to make proper security decisions.
Forgive my ignorance but what are AVC denials and how would I know they have occurred? Are they logged somewhere?

How will this help me?
Quote:
rpm -q selinux-policy{,-targeted}
  #5  
Old 6th March 2010, 12:28 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
Re: SELinux blocking sshd access to shadow

Please run the following chain of commands and enclose its output here:

ausearch -m avc -ts yesterday | grep shadow_t

AVC denials are usually stored in /var/log/audit/audit.log

AVC denials (Access vector cache denials) are log messages of Access vectors that (in this case) have been denied by SELinux.

You can install setroubleshoot if you wish to be notified (on the desktop or in /var/log/messages) when such AVC denials happen. setroubleshoot basically relays AVC denials to desktop sessions or to /var/log/messages (I do not encourage the use of setroubleshoot though).

The output of command "rpm -qa | grep selinux-policy" will help us determine which version of policy you are using.
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/

Last edited by domg472; 6th March 2010 at 12:38 PM.
  #6  
Old 6th March 2010, 01:00 PM
blueflame Offline
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 35
Re: SELinux blocking sshd access to shadow

I have setroubleshoot installed but it didn't give me any alerts at the time.

Code:
# rpm -q selinux-policy{,-targeted}
selinux-policy-3.6.32-92.fc12.noarch
selinux-policy-targeted-3.6.32-92.fc12.noarch
Code:
# ausearch -m avc -ts yesterday | grep shadow_t
<no matches>
This appears in /var/log/audit/audit.log when the ssh login fails:

Code:
type=USER_LOGIN msg=audit(1267880088.534:20): user pid=2906 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="awalker": exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=sshd res=failed'
There's nothing about ssh in /var/log/messages.
  #7  
Old 6th March 2010, 01:14 PM
jpollard Offline
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,865
Re: SELinux blocking sshd access to shadow

It almost sounds like the shadow file has the wrong mandatory access control label.

Do a "ls -lZ /etc/shadow". It should look like:

Quote:
$ ls -lZ /etc/shadow
-r--------. root root system_u:object_r:shadow_t:s0 /etc/shadow
If this is not what you have, you can try "restorecon -f /etc/shadow", just "restorecon" (which will restore labels for any file deemed incorrect).

This usually happens if you edit the file manually...

Last edited by jpollard; 6th March 2010 at 01:27 PM. Reason: didn't finish...
  #8  
Old 6th March 2010, 01:17 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
Re: SELinux blocking sshd access to shadow

Thanks.

You have not been notified by setroubleshoot because no (visible) AVC denial occurred. The fact that command chain "ausearch -m avc -ts yesterday | grep shadow_t" returned "<no matches>" seems to acknowledge that.

There is a rule in SELinux that says "if sshd tries to access /etc/shadow, then silently deny it." This means that access is denied but the AVC denial is not actually logged.

The conclusion of this is that sshd_t should (in Fedora's opinion) not need to access /etc/shadow, and that attempts should be silently denied.

The fact that sshd seems to require access to /etc/shadow suggests that:

- either you have some exotic configuration of sshd
- either you have misconfigured sshd
- or this signals an intrusion
- or there is a bug in either sshd or selinux policy.

If you are positive that this access should be required (if you are sure that you have configured sshd correctly), you may want to consider reporting this issue to bugzilla.redhat.com in the selinux-policy component.
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
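
The rule domg472 describes above is what SELinux policy calls a dontaudit rule: the access is denied without an AVC record. The following is an added example, not part of any post in this thread: a shell triage that flags failed sshd logins with no matching AVC record, plus the real-system follow-up that uses `semodule -DB` to rebuild policy without dontaudit rules. The audit records are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage for "access denied, but no AVC logged" (dontaudit).
# The audit records below are constructed; only their shape follows the thread.

sample_silent() {   # failed login, no AVC record: the situation in the thread
cat <<'EOF'
type=USER_LOGIN msg=audit(1267880088.534:20): user pid=2906 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="alice": exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=sshd res=failed'
EOF
}

sample_visible() {  # same failure once the denial is actually audited
sample_silent
cat <<'EOF'
type=AVC msg=audit(1267880090.100:25): avc:  denied  { read } for  pid=2906 comm="sshd" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# Count stdin lines matching an extended regex (prints 0 when none match).
count_records() { grep -Ec "$1" || true; }

# triage DOMAIN: read audit records on stdin and classify them for DOMAIN.
triage() {
    domain=$1
    log=$(cat)
    failed=$(printf '%s\n' "$log" |
        count_records "^type=USER_LOGIN .*subj=[^ ]*:${domain}:.*res=failed")
    avc=$(printf '%s\n' "$log" |
        count_records "^type=AVC .*denied.*scontext=[^ ]*:${domain}:")
    if [ "$avc" -gt 0 ]; then echo avc-logged
    elif [ "$failed" -gt 0 ]; then echo dontaudit-suspected
    else echo no-failures
    fi
}

# Real-system follow-up (run as root; never called by this script):
# rebuild policy without dontaudit rules, reproduce, search, then restore.
reveal_hidden_denials() {
    semodule -DB    # disable dontaudit rules and rebuild the policy
    printf 'Reproduce the failed ssh login, then press Enter: '
    read -r _
    ausearch -m avc -ts recent -c sshd || echo "no AVC records found"
    semodule -B     # rebuild with dontaudit rules back in place
}

echo "silent sample:  $(sample_silent | triage sshd_t)"
echo "visible sample: $(sample_visible | triage sshd_t)"
```

On a live system, feed `triage` from `ausearch -ts recent --raw`; a `dontaudit-suspected` result is the cue to run `reveal_hidden_denials` and read the AVC records it exposes.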
  #9  
Old 6th March 2010, 01:28 PM
blueflame Offline
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 35
Re: SELinux blocking sshd access to shadow

Looks ok ...
Code:
# ls -lZ /etc/shadow
-r--------. root root system_u:object_r:shadow_t:s0    /etc/shadow


---------- Post added at 09:28 PM CST ---------- Previous post was at 09:20 PM CST ----------

Quote:
Originally Posted by domg472 View Post
Thanks.

You have not been notified by setroubleshoot because no (visible) AVC denial occurred. The fact that command chain "ausearch -m avc -ts yesterday | grep shadow_t" returned "<no matches>" seems to acknowledge that.

There is a rule in SELinux that says "if sshd tries to access /etc/shadow, then silently deny it." This means that access is denied but the AVC denial is not actually logged.

The conclusion of this is that sshd_t should (in Fedora's opinion) not need to access /etc/shadow, and that attempts should be silently denied.

The fact that sshd seems to require access to /etc/shadow suggests that:

- either you have some exotic configuration of sshd
- either you have misconfigured sshd
- or this signals an intrusion
- or there is a bug in either sshd or selinux policy.

If you are positive that this access should be required (if you are sure that you have configured sshd correctly), you may want to consider reporting this issue to bugzilla.redhat.com in the selinux-policy component.
It's possible I have misconfigured sshd. However I am simply allowing password authentication and not trying anything with hosts-based or key-based authentication nor anything else fancy. If anyone wants to take a look at my sshd_config I'd be happy to post it.

I'm not about to file bugs ... sorry, too much hassle and time required for me.

For the moment the lesson seems to be set SELinux to Permissive and be shot of it!
Which is kind of disappointing ... but it's just given me too many headaches to be worth the effort for my situation.
  #10  
Old 6th March 2010, 01:45 PM
Nokia Offline
Registered User
 
Join Date: Aug 2006
Location: /dev/realm/{Abba,Carpenters,...stage}
Posts: 3,286
Re: SELinux blocking sshd access to shadow

Try
Code:
su -
rm -fvr /etc/ssh/
yum reinstall openssh-server
__________________
For safer browsing, use OpenDNS nameservers 208.67.222.222 and 208.67.220.220

SELinux User Guide

AutoPager
  #11  
Old 7th March 2010, 12:45 AM
blueflame Offline
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 35
[SOLVED] Re: SELinux blocking sshd access to shadow

Quote:
Originally Posted by Nokia View Post
Try
Code:
su -
rm -fvr /etc/ssh/
yum reinstall openssh-server
Ok, problem solved

I don't know why, but hey I don't really care at this point.

Thanks, I should've tried that earlier!

Last edited by blueflame; 7th March 2010 at 12:46 AM. Reason: Add solved to title