Hi,

After upgrading to 9.8_p1-r2, sshd denied all connections with this error:

    sshd[1772]: fatal: rexec of /usr/lib64/misc/sshd-session failed: Permission denied

This policy is needed:

    allow sshd_t lib_t:file execute_no_trans;
From 9.8 notes:

 * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future.
I hit the same issue, so I can second the bug. My fix was to set /usr/lib/misc/sshd-session to bin_t (merged user installation):

    # semanage fcontext -a -t bin_t /usr/lib/misc/sshd-session
    # restorecon /usr/lib/misc/sshd-session

That should be better than using execute_no_trans.
Right, that's the trick I did too, using the example from /usr/lib64/misc/sftp-server. execute_no_trans was the output of audit2allow.
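The trade-off in the two comments above (loading the allow rule that audit2allow suggests versus relabelling the binary) can be checked mechanically. The following is an added example, not code from this report or from the policy project: it parses one AVC denial, rebuilds the rule audit2allow would propose, and flags it when the target is a generic type such as lib_t. The sample log line, the GENERIC_TYPES set and the function names are assumptions; bin_t is the label used in the comment above, while the later refpolicy fix uses sshd_exec_t.

```python
import re
import shlex

# Assumed list of types shared by many unrelated files: an allow rule on one of
# these grants the permission on every file with that label, not one binary.
GENERIC_TYPES = {"lib_t", "usr_t", "etc_t", "var_t"}

# Constructed sample denial in the standard audit.log AVC layout; timestamp,
# dev and ino are made up, path and pid follow the report above.
SAMPLE = ('type=AVC msg=audit(1720000000.123:456): avc:  denied  '
          '{ execute_no_trans } for  pid=1772 comm="sshd" '
          'path="/usr/lib64/misc/sshd-session" dev="sda2" ino=131 '
          'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not perms:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "perms": perms.group(1).split(),
        "stype": kv["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "path": kv.get("path"),
    }


def review(line):
    """Return (allow_rule, advice) for a denial, or None if not an AVC line."""
    d = parse_avc(line)
    if d is None:
        return None
    p = d["perms"]
    perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    rule = f"allow {d['stype']} {d['ttype']}:{d['tclass']} {perms};"
    if d["ttype"] in GENERIC_TYPES and d["path"]:
        path = shlex.quote(d["path"])
        fix = f"semanage fcontext -a -t bin_t {path} && restorecon {path}"
        return rule, "too broad; relabel instead: " + fix
    return rule, "target type is not generic; review the rule before loading it"


if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```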
Well, everything is here thanks to 0xC0ncord, with sshd_exec_t:

https://github.com/SELinuxProject/refpolicy/pull/793
https://github.com/SELinuxProject/refpolicy/issues/797

I think/hope unstable policies fixed that.
SELinux policies 2.20240916-r1, which include the needed patch, are now stable.