[SOLVED] SELinux blocking sshd access to shadow
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Oct 2009
    Location
    Australia
    Posts
    41

    SELinux blocking sshd access to shadow

    I'm trying to setup ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to login from another machine using ssh and the login is denied:
    Code:
    sshd[3025]: error: Could not get shadow information for <user>
    sshd[3025]: Failed password for <user> from <ip> port <port> ssh2

    If I do a 'setenforce 0' I can login and no error is logged.

    Does anyone know what SELinux setting is causing this and how to fix it?

  2. #2
    Join Date
    Aug 2006
    Location
    /dev/realm/{Abba,Carpenters,...stage}
    Posts
    3,285
    Code:
    rpm -q selinux-policy{,-targeted}

  3. #3
    Join Date
    May 2008
    Posts
    623

    Re: SELinux blocking sshd access to shadow

    Can you please enclose AVC denials. AVC denials have all the information we need to make proper security decisions.
    Come join us on #fedora-selinux on irc.freenode.org
    http://docs.fedoraproject.org/selinu...ide/f10/en-US/

  4. #4
    Join Date
    Oct 2009
    Location
    Australia
    Posts
    41

    Re: SELinux blocking sshd access to shadow

    Quote Originally Posted by domg472
    Can you please enclose AVC denials. AVC denials have all the information we need to make proper security decisions.
    Forgive my ignorance but what are AVC denials and how would I know they have occurred? Are they logged somewhere?

    How will this help me?
    rpm -q selinux-policy{,-targeted}

  5. #5
    Join Date
    May 2008
    Posts
    623

    Re: SELinux blocking sshd access to shadow

    Please run the following chain of commands and enclose its output here:

    ausearch -m avc -ts yesterday | grep shadow_t

    AVC denials are usually stored in /var/log/audit/audit.log

    AVC denials (Access vector cache denials) are log messages of Access vectors that (in this case) have been denied by SELinux.

    You can install setroubleshoot if you wish to be notified (on the desktop or in /var/log/messages) when such AVC denials happen. setroubleshoot basically relays AVC denials to desktop sessions or to /var/log/messages (I do not encourage the use of setroubleshoot though).

    The output of command "rpm -qa | grep selinux-policy" will help us determine which version of policy you are using.
    Last edited by domg472; 6th March 2010 at 01:38 PM.
    Come join us on #fedora-selinux on irc.freenode.org
    http://docs.fedoraproject.org/selinu...ide/f10/en-US/

  6. #6
    Join Date
    Oct 2009
    Location
    Australia
    Posts
    41

    Re: SELinux blocking sshd access to shadow

    I have setroubleshoot installed but it didn't give me any alerts at the time.

    Code:
    # rpm -q selinux-policy{,-targeted}
    selinux-policy-3.6.32-92.fc12.noarch
    selinux-policy-targeted-3.6.32-92.fc12.noarch
    Code:
    # ausearch -m avc -ts yesterday | grep shadow_t
    <no matches>
    This appears in /var/log/audit/audit.log when the ssh login fails:

    Code:
    type=USER_LOGIN msg=audit(1267880088.534:20): user pid=2906 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="awalker": exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=sshd res=failed'
    There's nothing about ssh in /var/log/messages.

  7. #7
    Join Date
    Aug 2009
    Location
    Waldorf, Maryland
    Posts
    7,345

    Re: SELinux blocking sshd access to shadow

    It almost sounds like the shadow file has the wrong mandatory access control label.

    Do a "ls -lZ /etc/shadow". It should look like:

    $ ls -lZ /etc/shadow
    -r--------. root root system_u:object_r:shadow_t:s0 /etc/shadow

    If this is not what you have, you can try "restorecon -f /etc/shadow", or just "restorecon" (which will restore labels for any file deemed incorrect).

    This usually happens if you edit the file manually...
    Last edited by jpollard; 6th March 2010 at 02:27 PM. Reason: didn't finish...

  8. #8
    Join Date
    May 2008
    Posts
    623

    Re: SELinux blocking sshd access to shadow

    Thanks.

    You have not been notified by setroubleshoot because no (visible) AVC denial occurred. The fact that command chain "ausearch -m avc -ts yesterday | grep shadow_t" returned "<no matches>" seems to acknowledge that.

    There is a rule in SELinux that says "if sshd tries to access /etc/shadow, then silently deny it." This means that access is denied but the AVC denial is not actually logged.

    The conclusion of this is that sshd_t should (in Fedora's opinion) not need to access /etc/shadow, and that attempts should be silently denied.

    The fact that sshd seems to require access to /etc/shadow suggests that:

    - either you have some exotic configuration of sshd,
    - or you have misconfigured sshd,
    - or this signals an intrusion,
    - or there is a bug in either sshd or the selinux policy.

    If you are positive that this access should be required (if you are sure that you have configured sshd correctly), you may want to consider reporting this issue to bugzilla.redhat.com in the selinux-policy component.
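    The diagnosis in posts #5 to #8 boils down to three checks: pull the records out of audit.log, look for an AVC denial whose target type is shadow_t (what "ausearch -m avc | grep shadow_t" does), and, when a failed sshd login has no such denial next to it, suspect a dontaudit rule. The following added example (written for this thread, not code from Fedora, audit or any poster) does those checks offline on a constructed log. The USER_LOGIN line copies the shape of the record in post #6; the AVC record and the second failed login are invented so that both outcomes show up. The hint about `semodule -DB` refers to the real semodule option that temporarily disables dontaudit rules so the suppressed denials become visible.

```python
import re
from typing import Dict, List

# Constructed sample audit log (not real captured data). Record 1 mirrors the
# USER_LOGIN line from the thread, record 2 is an invented *logged* shadow_t
# denial for the same sshd pid, record 3 is a failed login with no AVC at all,
# which is the situation the thread ends up describing.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1267880088.534:20): user pid=2906 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="awalker": exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=sshd res=failed'
type=AVC msg=audit(1267880088.540:21): avc:  denied  { read } for  pid=2906 comm="sshd" name="shadow" dev=dm-0 ino=12345 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_LOGIN msg=audit(1267880101.002:22): user pid=2950 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="awalker": exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=sshd res=failed'
"""

# key=value tokens; values may be double-quoted, single-quoted or bare.
_KV = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type:range SELinux context ("" if malformed)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict. The nested msg='...' payload is merged in,
    the audit(timestamp:serial) token is stored under 'serial', and an AVC's
    permission set { read write } is stored under 'perms'."""
    rec: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        value = value.strip("\"'")
        if key == "msg" and value.startswith("audit("):
            rec["serial"] = value[len("audit("):].rstrip("):")
        elif key == "msg":
            rec.update(parse_record(value))  # nested acct=... exe=... res=... fields
        else:
            rec[key] = value
    perms = re.search(r"\{\s*([^}]*)\}", line)
    if perms:
        rec["perms"] = perms.group(1).strip()
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every 'type=' line of an audit.log excerpt."""
    return [parse_record(l) for l in text.splitlines() if l.startswith("type=")]


def shadow_denials(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Offline equivalent of `ausearch -m avc | grep shadow_t`: AVC records whose
    target context has type shadow_t."""
    return [r for r in records
            if r.get("type") == "AVC" and context_type(r.get("tcontext", "")) == "shadow_t"]


def explain_failed_sshd_logins(records: List[Dict[str, str]]) -> List[str]:
    """For each failed login recorded by an sshd_t process, report whether a logged
    shadow_t denial from the same pid explains it, or whether no denial was logged
    at all (the dontaudit case from post #8)."""
    denials_by_pid: Dict[str, List[Dict[str, str]]] = {}
    for d in shadow_denials(records):
        denials_by_pid.setdefault(d.get("pid", ""), []).append(d)
    out: List[str] = []
    for r in records:
        if r.get("type") != "USER_LOGIN" or r.get("res") != "failed":
            continue
        if context_type(r.get("subj", "")) != "sshd_t":
            continue
        pid, acct = r.get("pid", "?"), r.get("acct", "?")
        if pid in denials_by_pid:
            perms = ", ".join(d.get("perms", "") for d in denials_by_pid[pid])
            out.append(f"pid {pid} acct {acct}: failed login explained by logged AVC "
                       f"denial on shadow_t ({perms})")
        else:
            out.append(f"pid {pid} acct {acct}: failed login with NO shadow_t AVC logged; "
                       "if the login works under setenforce 0, suspect a dontaudit rule "
                       "(semodule -DB temporarily re-enables auditing of those denials)")
    return out


if __name__ == "__main__":
    for line in explain_failed_sshd_logins(parse_log(SAMPLE_AUDIT_LOG)):
        print(line)
```

    Run against a real /var/log/audit/audit.log excerpt the same way: the second message is the one to expect in this thread's situation, since "ausearch ... | grep shadow_t" found nothing even though the login only succeeds in permissive mode.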

  9. #9
    Join Date
    Oct 2009
    Location
    Australia
    Posts
    41

    Re: SELinux blocking sshd access to shadow

    Looks ok ...
    Code:
    # ls -lZ /etc/shadow
    -r--------. root root system_u:object_r:shadow_t:s0    /etc/shadow

    Quote Originally Posted by domg472
    Thanks.

    You have not been notified by setroubleshoot because no (visible) AVC denial occurred. The fact that command chain "ausearch -m avc -ts yesterday | grep shadow_t" returned "<no matches>" seems to acknowledge that.

    There is a rule in SELinux that says "if sshd tries to access /etc/shadow, then silently deny it." This means that access is denied but the AVC denial is not actually logged.

    The conclusion of this is that sshd_t should (in Fedora's opinion) not need to access /etc/shadow, and that attempts should be silently denied.

    The fact that sshd seems to require access to /etc/shadow suggests that:

    - either you have some exotic configuration of sshd,
    - or you have misconfigured sshd,
    - or this signals an intrusion,
    - or there is a bug in either sshd or the selinux policy.

    If you are positive that this access should be required (if you are sure that you have configured sshd correctly), you may want to consider reporting this issue to bugzilla.redhat.com in the selinux-policy component.
    It's possible I have misconfigured sshd. However, I am simply allowing password authentication and not trying anything with host-based or key-based authentication nor anything else fancy. If anyone wants to take a look at my sshd_config I'd be happy to post it.

    I'm not about to file bugs ... sorry, too much hassle and time required for me.

    For the moment the lesson seems to be set SELinux to Permissive and be shot of it!
    Which is kind of disappointing ... but it's just given me too many headaches to be worth the effort for my situation.

  10. #10
    Join Date
    Aug 2006
    Location
    /dev/realm/{Abba,Carpenters,...stage}
    Posts
    3,285

    Re: SELinux blocking sshd access to shadow

    Try
    Code:
    su -
    rm -fvr /etc/ssh/
    yum reinstall openssh-server

  11. #11
    Join Date
    Oct 2009
    Location
    Australia
    Posts
    41

    [SOLVED] Re: SELinux blocking sshd access to shadow

    Quote Originally Posted by Nokia
    Try
    Code:
    su -
    rm -fvr /etc/ssh/
    yum reinstall openssh-server
    Ok, problem solved

    I don't know why, but hey I don't really care at this point.

    Thanks, I should've tried that earlier!
    Last edited by blueflame; 7th March 2010 at 01:46 AM. Reason: Add solved to title
