[Bug 777232] New: OpenSSH depends on SELinux auditing feature; breaks AppArmor
https://bugzilla.novell.com/show_bug.cgi?id=777232
https://bugzilla.novell.com/show_bug.cgi?id=777232#c0

           Summary: OpenSSH depends on SELinux auditing feature; breaks AppArmor
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: i686
        OS/Version: openSUSE 12.1
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: hachque@gmail.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1

It seems OpenSSH now relies on SELinux auditing features which are either non-existent or not yet available in the current build of AppArmor. This causes every attempted SSH authentication to fail while AppArmor is used (or, I assume, any kernel that does not have SELinux running as the audit module).

I have tested this with Tumbleweed kernel-xen and OpenSSH from 12.1 (5.8p2) and 12-1:Network (6.0p1) and this critical bug occurs in both.

Reproducible: Always

Steps to Reproduce:
1. Attempt to log in to SSH.
2. Observe "linux_audit_write_entry failed: Operation not permitted" occurring in the system logs after otherwise successful authentication (it does state that the password was accepted before this message).

Actual Results:
Unable to log in to SSH, despite providing the correct password.

Expected Results:
Login via SSH should work.

There seems to be a related issue at the Red Hat bug tracker (https://bugzilla.redhat.com/show_bug.cgi?id=183874) where this same issue is experienced, although in the case of that bug the kernel had no security module loaded as opposed to AppArmor.

Marking this bug as "Critical" instead of "Major" since SSH doesn't work at all while this occurs.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=777232
https://bugzilla.novell.com/show_bug.cgi?id=777232#c1

James Rhodes <jrhodes@redpointsoftware.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Component|Security                    |Security
          Version|Final                       |RC 2
          Product|openSUSE 12.1               |openSUSE 12.2
 Target Milestone|---                         |Final

--- Comment #1 from James Rhodes <jrhodes@redpointsoftware.com.au> 2012-08-24 08:13:33 UTC ---

Decided to update the OS version to openSUSE 12.2 as package versions of OpenSSH and Kernel-Xen are either identical to 12.2 or from Tumbleweed (and thus assumed to be the shipped version for 12.2).

Please note that this hasn't been tested on a system that is distribution upgraded to 12.2 (it is distribution upgraded to Tumbleweed), so feel free to change back if not appropriate. However, I have a strong feeling that since the package versions are identical it is likely this bug exists in 12.2 as well and thus should be fixed before 12.2 ships.
https://bugzilla.novell.com/show_bug.cgi?id=777232
https://bugzilla.novell.com/show_bug.cgi?id=777232#c2

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Status|NEW                         |NEEDINFO
               CC|                            |meissner@suse.com
     InfoProvider|                            |jrhodes@redpointsoftware.com.au

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2012-08-26 14:08:45 UTC ---

Well, all other ssh users on openSUSE 12.2 seem to use it fine; yours is the first report I get.

What is different with your configuration to the default? What did you configure differently?

Did you try to confine openssh?

libaudit is btw the kernel auditing framework and is not connected or related to SELinux directly. There should be no interference.
https://bugzilla.novell.com/show_bug.cgi?id=777232
https://bugzilla.novell.com/show_bug.cgi?id=777232#c3

--- Comment #3 from James Rhodes <jrhodes@redpointsoftware.com.au> 2012-08-26 23:08:05 UTC ---

This is an openSUSE 12.1 system on Tumbleweed (thus not openSUSE 12.2 directly; see comment above).

The OpenSSH daemon is being confined with the default openSUSE profile for it. It lists capability audit_control as being permitted, which I assume is what is needed in order to log events.

I rebuilt OpenSSH from scratch and it started working, although I have just realised that it wasn't confined by the profile because it was under /usr/local/sbin/sshd instead of /usr/sbin/sshd. Placing the newly built version under the profile in enforce mode still works correctly with no such error output in the log.

There aren't any specific configuration changes between when I was running earlier 12.1 packages and an upgrade to Tumbleweed packages, other than the package versions themselves.
https://bugzilla.novell.com/show_bug.cgi?id=777232
https://bugzilla.novell.com/show_bug.cgi?id=777232#c4

--- Comment #4 from Marcus Meissner <meissner@suse.com> 2012-08-30 14:08:38 UTC ---

If you run logprof as root it will ask for "audit_write" permissions, I suspect ... grant this permission and see if it helps?
https://bugzilla.novell.com/show_bug.cgi?id=777232
https://bugzilla.novell.com/show_bug.cgi?id=777232#c

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
               CC|                            |suse-beta@cboltz.de
          Summary|OpenSSH depends on SELinux auditing feature; breaks AppArmor|openssh server with apparmor /usr/sbin/sshd default profile not working
https://bugzilla.novell.com/show_bug.cgi?id=777232
https://bugzilla.novell.com/show_bug.cgi?id=777232#c5

--- Comment #5 from James Rhodes <jrhodes@redpointsoftware.com.au> 2012-08-31 00:34:52 UTC ---

logprof seems to complain about various profiles having syntax errors, even though they are correctly loaded and handled by AppArmor (for example, see this profile for the OpenLDAP daemon: http://hastebin.com/koromuraxi.txt).

Does logprof simply show the output of the audit logs? I can tell you that no such "audit_write" permission was requested at the time when I was using the package from the repository. The only thing that repeatedly occurs in my audit logs these days is denied "change_hat" requests from httpd2-itk with info "unconfined", though I have no idea how to make it silence those.

Since then I've built OpenSSH from scratch and installed it, given that for a server, SSH is kind of essential (and as we both know, there's no "uninstall" for packages built from source). So I can't test with the actual versions in the openSUSE repositories any more since there'd just be file conflicts all over the place if I tried to install it.
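Marcus's suggestion in comment #4 (grant "audit_write" to the sshd profile) and the question in comment #5 about whether logprof just reads the audit log both come down to the same two steps: spot an AppArmor capability denial in the audit records, and add the matching `capability` rule to the profile. The script below is an added example and is not code from the bug report, from openSUSE or from the AppArmor project. The audit records and the minimal /usr/sbin/sshd profile it operates on are constructed for the example (the reporter's logs and the real openSUSE profile are not on this page); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report, openSUSE or AppArmor): extract
# capability denials from AppArmor audit records and grant the missing
# capability in a profile file without duplicating the rule.

# Constructed sample audit records, not taken from the reporter's system.
# The layout follows the kernel's AppArmor "DENIED" audit record. Capability
# 29 is CAP_AUDIT_WRITE, which a process needs to send user audit messages
# (what OpenSSH's linux_audit_write_entry does) over the audit netlink socket.
# The change_hat record mimics the httpd2-itk noise mentioned in comment #5.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1346000000.100:41): apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=1234 comm="sshd" capability=29  capname="audit_write"
type=AVC msg=audit(1346000000.200:42): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=2345 comm="httpd2-itk"
type=AVC msg=audit(1346000000.300:43): apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=1234 comm="sshd" capability=29  capname="audit_write"'

# Constructed minimal sshd profile (hypothetical; not the openSUSE profile).
# Like the profile described in comment #3 it grants audit_control but not
# audit_write.
SAMPLE_PROFILE='#include <tunables/global>
/usr/sbin/sshd {
  #include <abstractions/base>
  capability audit_control,
  /usr/sbin/sshd mr,
}'

# Read audit records on stdin; print "<profile> <capname>" once per denied
# capability. Only operation="capable" records count, so change_hat denials
# and other AppArmor noise are ignored.
aa_denied_caps() {
    sed -n 's/.*apparmor="DENIED" operation="capable".*profile="\([^"]*\)".*capname="\([^"]*\)".*/\1 \2/p' | sort -u
}

# Exit 0 if profile file $1 already contains a "capability $2," rule.
aa_has_capability() {
    grep -Eq "^[[:space:]]*capability[[:space:]]+$2[[:space:]]*," "$1"
}

# Add "capability $2," to profile file $1 immediately before the closing
# brace of the top-level profile. Idempotent: an existing rule is left alone.
aa_grant_capability() {
    file=$1
    cap=$2
    if aa_has_capability "$file" "$cap"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v rule="  capability $cap," '
        /^}[[:space:]]*$/ && !added { print rule; added = 1 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo: list the denials in the sample log, then grant each missing
# capability in a scratch copy of the sample profile and show the result.
# On a real system the edited profile would be reloaded afterwards with
# apparmor_parser -r; that step is deliberately not performed here.
aa_demo() {
    profile_file=$(mktemp)
    printf '%s\n' "$SAMPLE_PROFILE" > "$profile_file"
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | aa_denied_caps | while read -r profile cap; do
        echo "denied: profile=$profile capability=$cap"
        aa_grant_capability "$profile_file" "$cap"
    done
    cat "$profile_file"
    rm -f "$profile_file"
}

aa_demo
```

Two caveats. First, the reporter states in comment #5 that no "audit_write" request ever showed up in the audit log, so the denial shown here is what to look for, not a confirmed root cause for this bug. Second, a profile edited this way only takes effect after it is reloaded (typically `apparmor_parser -r` on the profile file, e.g. /etc/apparmor.d/usr.sbin.sshd on openSUSE, assumed path), and the grant should be limited to the capability actually denied: audit_write lets the confined process write records into the audit trail, which is a narrower grant than audit_control but still not one to hand out to every profile by reflex.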
https://bugzilla.novell.com/show_bug.cgi?id=777232
https://bugzilla.novell.com/show_bug.cgi?id=777232#c6

Thomas Biege <thomas@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Status|NEEDINFO                    |RESOLVED
     InfoProvider|jrhodes@redpointsoftware.com.au|
       Resolution|                            |INVALID

--- Comment #6 from Thomas Biege <thomas@suse.com> 2012-12-10 16:14:34 CET ---

If you were able to reproduce it with a supported package set, open the bug again please.