RHEL-138247

SELinux prevents sshd from using the ICA crypto adapter


    • Bug
    • Resolution: Unresolved
    • rhel-10.2
    • selinux-policy
    • rhel-security-selinux
    • s390x

      What were you trying to do that didn't work?

      I have configured sshd to use openssl.conf with ICA crypto adapter.

      However, sshd cannot use it; there are AVCs reported.

      What is the impact of this issue to you?

      sshd cannot use crypto acceleration through ICA adapter

      Please provide the package NVR for which the bug is seen:

      according to logs this has worked with

      selinux-policy-42.1.7-1.el10.noarch

      and it is failing with

      selinux-policy-42.1.10-1.el10.noarch

       

      The denials reported in permissive mode are

      :: Test phase SELinux AVC denials since test phase start:: 01/02/2026 13:32:12:


      time->Fri Jan  2 13:32:12 2026
      type=PROCTITLE msg=audit(1767360732.885:6174): proctitle=2F7573722F6C6962657865632F6F70656E7373682F737368642D73657373696F6E002D44002D52
      type=SYSCALL msg=audit(1767360732.885:6174): arch=80000016 syscall=288 success=yes exit=6 a0=ffffffffffffff9c a1=3ffc6ef85f3 a2=a0002 a3=0 items=0 ppid=200897 pid=201123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd-session" exe="/usr/libexec/openssh/sshd-session" subj=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1767360732.885:6174): avc:  denied  { read write } for  pid=201123 comm="sshd-session" name="icastats_0" dev="tmpfs" ino=4 scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=1


      time->Fri Jan  2 13:32:12 2026
      type=PROCTITLE msg=audit(1767360732.885:6175): proctitle=2F7573722F6C6962657865632F6F70656E7373682F737368642D73657373696F6E002D44002D52
      type=SYSCALL msg=audit(1767360732.885:6175): arch=80000016 syscall=90 success=yes exit=4396067848192 a0=3ffc6ef86d0 a1=e60 a2=3 a3=1 items=0 ppid=200897 pid=201123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd-session" exe="/usr/libexec/openssh/sshd-session" subj=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1767360732.885:6175): avc:  denied  { map } for  pid=201123 comm="sshd-session" path="/dev/shm/icastats_0" dev="tmpfs" ino=4 scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=1

       

      There should be no denials and sshd should be able to use crypto adapter.

      How reproducible is this bug?:

      always

              rhn-support-zpytela Zdenek Pytela
              ksrot@redhat.com Karel Srot
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE
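
For triage, the denials in this report can be reduced to the distinct (source type, target type, class) tuples with the permissions denied on each, plus the decoded process title. The following is an added example, not part of the original report or of any Red Hat tooling; the function names are hypothetical, and the input records are copied from the report with the SYSCALL records omitted.

```python
import re
from collections import defaultdict

# Records copied from the report above (SYSCALL records omitted).
AUDIT_LINES = [
    'type=PROCTITLE msg=audit(1767360732.885:6174): proctitle=2F7573722F6C6962657865632F6F70656E7373682F737368642D73657373696F6E002D44002D52',
    'type=AVC msg=audit(1767360732.885:6174): avc:  denied  { read write } for  pid=201123 comm="sshd-session" name="icastats_0" dev="tmpfs" ino=4 scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1767360732.885:6175): avc:  denied  { map } for  pid=201123 comm="sshd-session" path="/dev/shm/icastats_0" dev="tmpfs" ino=4 scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)'
    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<perm>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def decode_proctitle(value):
    """auditd hex-encodes argv when it contains NUL separators; plain values are quoted."""
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace').split('\0')
    except ValueError:
        return [value.strip('"')]

def summarize(lines):
    """Group denied permissions by (source type, target type, class)."""
    denied, argv, enforced = defaultdict(set), set(), False
    for line in lines:
        if line.startswith('type=PROCTITLE'):
            argv.add(tuple(decode_proctitle(line.rsplit('proctitle=', 1)[1].strip())))
        elif (m := AVC_RE.search(line)):
            key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
            denied[key].update(m['perms'].split())
            # A record without permissive=1 is treated as an enforced denial.
            enforced |= m['perm'] != '1'
    return dict(denied), argv, enforced

if __name__ == '__main__':
    denied, argv, enforced = summarize(AUDIT_LINES)
    for cmd in argv:
        print('process:', ' '.join(cmd))
    for (src, tgt, cls), perms in sorted(denied.items()):
        print(f'{src} -> {tgt}:{cls} denied {{ {" ".join(sorted(perms))} }}')
    print('blocked in enforcing mode' if enforced else 'logged only (permissive=1)')
```
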