#2649 /usr/libexec/sssd/selinux_child crashes and gets avc denial when ssh
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1216094

Created attachment 1019677
full abrt email

Description of problem:
/usr/libexec/sssd/selinux_child crashes and gets avc denial when ssh

abrt_version:   2.0.8
backtrace_rating: 0
cgroup:
cmdline:        /usr/libexec/sssd/selinux_child --debug-microseconds=0 --debug-timestamps=1 --debug-fd=21 --debug-level=0x0010
crash_function: semanage_disconnect
executable:     /usr/libexec/sssd/selinux_child
hostname:       ibm-x3650m4-01-vm-06.testrelm.test
kernel:         2.6.32-504.el6.x86_64
last_occurrence: 1430165842
open_fds:
pid:            9809
pwd:            /
time:           Mon 27 Apr 2015 04:17:22 PM EDT
uid:            0
username:       root

Version-Release number of selected component (if applicable):
sssd-1.12.4-31.el6

How reproducible:
Always

Steps to Reproduce:
1. Upgrade from 6.6 to 6.7
2. ssh check, as I pasted in Additional info

Actual results:
/usr/libexec/sssd/selinux_child crashes and gets avc denial when ssh

Expected results:
no crash and no avc denial

Additional info:

ssh check tests:
:: [ 16:17:18 ] :: {{{{{{{{{{{{{{{{{{{ starting ipa_quicktest_ssh_check
ipa_upgrade_master_replica_client_all_1 }}}}}}}}}}}}}}}}}}}
:: [ 16:17:18 ] ::
:: [ 16:17:18 ] ::
:: [  BEGIN   ] :: Running 'ssh-keyscan -t dsa
ibm-x3650m4-01-vm-06.testrelm.test >
/tmp/ssh_host_dsa_key_ibm-x3650m4-01-vm-06.testrelm.test.pub 2>/dev/null'
:: [   PASS   ] :: Command 'ssh-keyscan -t dsa
ibm-x3650m4-01-vm-06.testrelm.test >
/tmp/ssh_host_dsa_key_ibm-x3650m4-01-vm-06.testrelm.test.pub 2>/dev/null'
(Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh-keyscan -t rsa
ibm-x3650m4-01-vm-06.testrelm.test >
/tmp/ssh_host_rsa_key_ibm-x3650m4-01-vm-06.testrelm.test.pub 2>/dev/null'
:: [   PASS   ] :: Command 'ssh-keyscan -t rsa
ibm-x3650m4-01-vm-06.testrelm.test >
/tmp/ssh_host_rsa_key_ibm-x3650m4-01-vm-06.testrelm.test.pub 2>/dev/null'
(Expected 0, got 0)
:: [ 16:17:19 ] :: Checking for User SSH Public Key
:: [  BEGIN   ] :: Running 'ipa user-show sshuser1 | grep
1A:50:63:B9:52:12:50:50:F1:4C:DD:AE:87:DD:F1:27'
  SSH public key fingerprint: 1A:50:63:B9:52:12:50:50:F1:4C:DD:AE:87:DD:F1:27
root@ibm-x3650m4-01-vm-06.testrelm.test (ssh-rsa)
:: [   PASS   ] :: Command 'ipa user-show sshuser1 | grep
1A:50:63:B9:52:12:50:50:F1:4C:DD:AE:87:DD:F1:27' (Expected 0, got 0)
:: [ 16:17:20 ] :: Checking for Host SSH Public DSA Key
:: [  BEGIN   ] :: Running 'ipa host-show ibm-x3650m4-01-vm-06.testrelm.test |
grep 18:7A:09:11:6E:B2:DA:0C:05:74:54:A3:59:45:AA:67'
  SSH public key fingerprint: 18:7A:09:11:6E:B2:DA:0C:05:74:54:A3:59:45:AA:67
(ssh-dss), E7:7E:D5:03:92:C7:82:84:50:0A:D0:CB:DB:A6:A8:D7 (ssh-rsa)
:: [   PASS   ] :: Command 'ipa host-show ibm-x3650m4-01-vm-06.testrelm.test |
grep 18:7A:09:11:6E:B2:DA:0C:05:74:54:A3:59:45:AA:67' (Expected 0, got 0)
:: [ 16:17:21 ] :: Checking for Host SSH Public RSA Key
:: [  BEGIN   ] :: Running 'ipa host-show ibm-x3650m4-01-vm-06.testrelm.test |
grep E7:7E:D5:03:92:C7:82:84:50:0A:D0:CB:DB:A6:A8:D7'
  SSH public key fingerprint: 18:7A:09:11:6E:B2:DA:0C:05:74:54:A3:59:45:AA:67
(ssh-dss), E7:7E:D5:03:92:C7:82:84:50:0A:D0:CB:DB:A6:A8:D7 (ssh-rsa)
:: [   PASS   ] :: Command 'ipa host-show ibm-x3650m4-01-vm-06.testrelm.test |
grep E7:7E:D5:03:92:C7:82:84:50:0A:D0:CB:DB:A6:A8:D7' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh -o StrictHostKeyChecking=no -i
/tmp/id_rsa_sshuser1 sshuser1@ibm-x3650m4-01-vm-06.testrelm.test hostname'
Could not chdir to home directory /home/sshuser1: No such file or directory
ibm-x3650m4-01-vm-06.testrelm.test
:: [   PASS   ] :: Command 'ssh -o StrictHostKeyChecking=no -i
/tmp/id_rsa_sshuser1 sshuser1@ibm-x3650m4-01-vm-06.testrelm.test hostname'
(Expected 0, got 0)
:: [ 16:17:22 ] ::

I also attached the full abrt email and avc log.

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
patch: 0 => 1
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.12.5

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3690

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
