  • SSHD and SELinux entrypoint access denied

    Description of problem:

    Upon system bootup, everything is fine and no issues occur. However, as root, restart sshd and then the user's ssh connection is presented with:

    @####'s password:

    Last login: Fri Feb 7 14:36:55 UTC 2014 from ### on pts/1
    Last login: Fri Feb 7 14:38:37 2014 from ###
    /bin/bash: Permission denied
    Connection to #### closed.

    Selinux shows this in the logs:

    type=AVC msg=audit(1391783451.309:99): avc: denied { entrypoint } for pid=3461 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1391783815.832:111): avc: denied { entrypoint } for pid=3489 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1391783917.334:125): avc: denied { entrypoint } for pid=3527 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

    setroubleshoot: SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l b134f048-ea68-41c1-a35e-6c1dd6f18c44

    sealert -l b134f048-ea68-41c1-a35e-6c1dd6f18c44

    Summary:

    SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash
    (shell_exec_t).

    Detailed Description:

    SELinux denied access requested by sshd. It is not expected that this access is
    required by sshd and this access may signal an intrusion attempt. It is also
    possible that the specific version or configuration of the application is
    causing it to require additional access.

    Allowing Access:

    Sometimes labeling problems can cause SELinux denials. You could try to restore
    the default system file context for /bin/bash,

    restorecon -v '/bin/bash'

    If this does not work, there is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see FAQ
    (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not recommended.
    Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
    against this package.

    Additional Information:

    Source Context user_u:system_r:update_modules_t
    Target Context system_u:object_r:shell_exec_t
    Target Objects /bin/bash [ file ]
    Source sshd
    Source Path /usr/sbin/sshd
    Port
    Host hal04.halogenonline.co.uk
    Source RPM Packages openssh-server-4.3p2-82.el5
    Target RPM Packages bash-3.2-32.el5_9.1
    Policy RPM selinux-policy-2.4.6-346.el5
    Selinux Enabled True
    Policy Type targeted
    MLS Enabled True
    Enforcing Mode Enforcing
    Plugin Name catchall_file
    Host Name hal04.halogenonline.co.uk
    Platform Linux hal04.halogenonline.co.uk 2.6.18-371.3.1.el5
    #1 SMP Mon Nov 11 03:24:35 EST 2013 i686 i686
    Alert Count 29
    First Seen Wed Feb 5 15:53:59 2014
    Last Seen Fri Feb 7 12:20:43 2014
    Local ID b134f048-ea68-41c1-a35e-6c1dd6f18c44
    Line Numbers

    Raw Audit Messages

    host=hal04.halogenonline.co.uk type=AVC msg=audit(1391775643.42:73): avc: denied { entrypoint } for pid=3333 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

    host=hal04.halogenonline.co.uk type=SYSCALL msg=audit(1391775643.42:73): arch=40000003 syscall=11 success=no exit=-13 a0=8476868 a1=bf7ff828 a2=847cef8 a3=0 items=0 ppid=3332 pid=3333 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts1 ses=5 comm="sshd" exe="/usr/sbin/sshd" subj=user_u:sysadm_r:unconfined_t:s0-s0:c0.c1023 key=(null)

    Version-Release number of selected component (if applicable):
    openssh-server-4.3p2-82.el5
    libselinux-devel-1.33.4-5.7.el5
    selinux-policy-targeted-2.4.6-346.el5
    libselinux-1.33.4-5.7.el5
    selinux-policy-2.4.6-346.el5
    selinux-policy-minimum-2.4.6-346.el5
    libselinux-utils-1.33.4-5.7.el5
    libselinux-python-1.33.4-5.7.el5

    Feb 7 14:30:51 hal04 setroubleshoot: SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l c65c8e44-d025-477f-aec1-64429b734f62
    Feb 7 14:36:55 hal04 setroubleshoot: SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l c65c8e44-d025-477f-aec1-64429b734f62
    Feb 7 14:38:37 hal04 setroubleshoot: SELinux is preventing sshd (update_modules_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l c65c8e44-d025-477f-aec1-64429b734f62

    How reproducible:

    Steps to Reproduce:
    1. Run RHEL 5 system
    2. restart sshd
    3. try to ssh to system

    Actual results:
    selinux blocks entrypoint

    Expected results:
    selinux should allow entrypoint

    Additional info:

    This issue occurs on two systems built using similar kickstarts.

    System reboot will restore sshd connectivity as well as setenforce 0.

    System with selinux enforcing on bootup will allow ssh connection.

    https://bugzilla.redhat.com/show_bug.cgi?id=1062643
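Added example, not part of the original post: a small parser for the audit records quoted above that groups AVC and SYSCALL records by event serial and reports, per denial, the calling process's type (`subj`), the AVC source type and the target type. The function names are illustrative; the sample lines are copied from the post with the `host=` prefix dropped.

```python
import re
from collections import defaultdict

# Records copied from the post above (host= prefix dropped).
SAMPLE = '''\
type=AVC msg=audit(1391775643.42:73): avc: denied { entrypoint } for pid=3333 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1391775643.42:73): arch=40000003 syscall=11 success=no exit=-13 a0=8476868 a1=bf7ff828 a2=847cef8 a3=0 items=0 ppid=3332 pid=3333 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts1 ses=5 comm="sshd" exe="/usr/sbin/sshd" subj=user_u:sysadm_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1391783451.309:99): avc: denied { entrypoint } for pid=3461 comm="sshd" path="/bin/bash" dev=dm-0 ino=4774818 scontext=user_u:system_r:update_modules_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
'''
HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def sel_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':') if context else []
    return parts[2] if len(parts) >= 3 else None

def parse_events(text):
    """Group audit records by event serial and merge AVC and SYSCALL fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, _ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        ev = events[int(serial)]
        if rtype == 'AVC':
            p = PERMS.search(line)
            ev['perms'] = p.group(1).split() if p else []
            for k in ('scontext', 'tcontext', 'tclass', 'path', 'comm'):
                ev[k] = fields.get(k)
        elif rtype == 'SYSCALL':
            for k in ('subj', 'exe', 'auid', 'success'):
                ev[k] = fields.get(k)
    return dict(events)

def summarize(events):
    """Rows of (serial, perm, caller type, AVC source type, target type).

    For an entrypoint check, scontext is the domain the new process would
    run in; subj on the SYSCALL record is the process that called execve.
    """
    return [(serial, perm, sel_type(ev.get('subj')),
             sel_type(ev.get('scontext')), sel_type(ev.get('tcontext')))
            for serial, ev in sorted(events.items())
            for perm in ev.get('perms', [])]

if __name__ == '__main__':
    for row in summarize(parse_events(SAMPLE)):
        print(row)
```

An event with no paired SYSCALL record, such as serial 99 here, reports `None` for the caller type.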
