
I've tried looking around for the solution with no luck.

I have SELinux set to permissive right now on Centos 8, but if I set it to enforcing it completely disables my ability to ssh into the server. This is the journal entry:

setroubleshoot[2015]: setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:kernel_t:s0, AVC scontext=system_u:system_r:kernel_t:s0
setroubleshoot[2015]: audit event 
                      node=<REMOVED> type=AVC msg=audit(1633374382.599:119): avc:  denied  { dyntransition } for  pid=2003 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
                      node=<REMOVED> type=SYSCALL msg=audit(1633374382.599:119): arch=c000003e syscall=1 success=yes exit=42 a0=c a1=5655238d6540 a2=2a a3=0 items=0 ppid=1985 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

/etc/sbin/sshd has the following permissions

-rwxr-xr-x. 1 root root system_u:object_r:sshd_exec_t:s0 877760 May 27 10:54 sshd

This is my sshd config

Port <REMOVED FOR PRIVACY>
AddressFamily inet

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

PermitRootLogin yes

PubkeyAuthentication yes

AuthorizedKeysFile  .ssh/authorized_keys

PermitEmptyPasswords no
PasswordAuthentication no

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

PrintMotd no

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem   sftp    /usr/libexec/openssh/sftp-server

1 Answer

Answering because I lack the rep to comment, le sigh.

The log messages you quote suggest that there is at least one missing SELinux rule on your system: When you try to log in via ssh, a transition (dyntransition) from one SELinux type (kernel_t) to another (unconfined_t) is being denied.

There are a couple of commands you can run to investigate:

ausearch -m AVC -m USER_AVC | audit2allow

will look for denial messages and pipe them through a command that will suggest what rules are missing on your system.

sesearch -c process -p dyntransition -A

will tell you what dyntransition rules are already present on your system. You will need to run both of those as root and may need to disable SELinux first (setenforce 0).

What puzzles me is that these permissions would be missing on a stock CentOS box - that suggests either an upstream regression or SELinux policy changes made post-install. Have you or anyone else changed SELinux policy on that box?
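To show what the ausearch | audit2allow step in the answer actually derives from a record like the one in the question, here is an added example (not code from either poster) that parses an AVC line and renders the allow rule audit2allow would propose. The sample record is constructed from the question's journal entry with the node field dropped; the regexes and function names are this example's own.

```python
import re

# Constructed sample: the AVC record from the question, minus the node= field.
SAMPLE_AVC = (
    'type=AVC msg=audit(1633374382.599:119): avc:  denied  { dyntransition } '
    'for  pid=2003 comm="sshd" scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1'
)

# avc: denied { perm ... } for key=value key="value" ...
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """SELinux contexts are user:role:type[:range]; return the type component."""
    parts = (ctx or '').split(':')
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key in ('scontext', 'tcontext', 'tclass', 'comm', 'pid', 'permissive'):
        rec[key] = fields.get(key)
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec

def suggested_rule(rec):
    """Render the allow rule audit2allow prints for this denial (same TE syntax)."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perm_str)

def summarize(line):
    """Triage view of one record: who, what, whether it was actually blocked, and the rule."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return {'comm': rec['comm'], 'source_type': rec['stype'], 'target_type': rec['ttype'],
            'class': rec['tclass'], 'perms': rec['perms'],
            # permissive=1 means the access was logged but not blocked.
            'enforced': rec['permissive'] == '0', 'rule': suggested_rule(rec)}

if __name__ == '__main__':
    print(summarize(SAMPLE_AVC))
```

The rule this prints is the one to look for in the sesearch output the answer mentions; its absence there confirms the denial is a policy gap rather than a labeling problem on the sshd binary.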