924466 – SELinux is preventing /usr/bin/ssh from read, write access on the chr_file /dev/ptmx.

link管理

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

相关文章推荐

想出家的山寨机 · 红米AX6 AX3600 ...· 1 月前 ·

愤怒的毛巾 · OpenWrt 用 ssh 换回默认主题 ...· 1 月前 ·

大鼻子的手术刀 · ERROR! SSH Error: ...· 1 月前 ·

考研的馒头 · zh-cn:编辑 ...· 1 月前 ·

豪情万千的芒果 · 除了死亡，一切皆是擦伤——震撼推荐《人世间2 ...· 2 月前 ·

焦虑的春卷 · 全面推进中国特色大国外交_中华人民共和国驻吉 ...· 2 月前 ·

没有腹肌的墨镜 · sana暗夜精灵动漫第一集/地下室偶像番剧s ...· 3 月前 ·

潇洒的硬币 · 湖南大学准官宣电气工程学科进入新一轮双一流学 ...· 8 月前 ·

酷酷的茶叶 · ZwQueryInformationProc ...· 8 月前 ·

Description of problem:
I attempted to use mosh to resume a screen session on a remote system.  It managed to connect and start the remote process just fine, but then it errored out, disconnected, and left me with a dangling remote process and an AVC.
SELinux is preventing /usr/bin/ssh from read, write access on the chr_file /dev/ptmx.
*****  Plugin leaks (86.2 confidence) suggests  ******************************
If you want to ignore ssh trying to read write access the ptmx chr_file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
# grep /usr/bin/ssh /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
*****  Plugin catchall (14.7 confidence) suggests  ***************************
If you believe that ssh should be allowed read write access on the ptmx chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep ssh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                staff_u:staff_r:ssh_t:s0-s0:c0.c1023
Target Context                system_u:object_r:ptmx_t:s0
Target Objects                /dev/ptmx [ chr_file ]
Source                        ssh
Source Path                   /usr/bin/ssh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openssh-clients-6.1p1-6.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-85.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.3-203.fc18.x86_64 #1 SMP Mon
                              Mar 18 12:59:28 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-03-21 13:11:23 PDT
Last Seen                     2013-03-21 13:11:23 PDT
Local ID                      347a952b-fcbf-4820-82f9-d87338c74ea3
Raw Audit Messages
type=AVC msg=audit(1363896683.807:411): avc:  denied  { read write } for  pid=2944 comm="ssh" path="/dev/ptmx" dev="devtmpfs" ino=1122 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1363896683.807:411): avc:  denied  { read write } for  pid=2944 comm="ssh" path="/dev/ptmx" dev="devtmpfs" ino=1122 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1363896683.807:411): arch=x86_64 syscall=execve success=yes exit=0 a0=b72050 a1=b72420 a2=b6f920 a3=50 items=0 ppid=2939 pid=2944 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 ses=3 tty=pts0 comm=ssh exe=/usr/bin/ssh subj=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 key=(null)
Hash: ssh,ssh_t,ptmx_t,chr_file,read,write
audit2allow
#============= ssh_t ==============
allow ssh_t ptmx_t:chr_file { read write };
audit2allow -R
require {
	type ssh_t;
#============= ssh_t ==============
term_use_ptmx(ssh_t)
Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.3-203.fc18.x86_64
type:           libreport
Did you try to add a local policy?
# grep /usr/bin/ssh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Oh, I see now.  Grepping for /usr/bin/ssh didn't yield enough output to generate a policy, but just ssh did.  The policy it generated indeed does the trick for me:
grep ssh /var/log/audit/audit.log | audit2allow -R 
require {
	type ssh_t;
#============= ssh_t ==============
term_use_ptmx(ssh_t)
I do get :
type=AVC msg=audit(1376161805.145:2162): avc:  denied  { read write } for  pid=14861 comm="ssh" path="/dev/ptmx" dev="devtmpfs" ino=1121 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
but I have not been able to see what create the AVC. I am also using mosh, so I guess it may be linked. I do have several AVC on ptmx, but I am not able to find what create it.
Package selinux-policy-3.11.1-101.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-101.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15645/selinux-policy-3.11.1-101.fc18
then log in and leave karma (feedback).