Solution for client_loop: send disconnect: Broken pipe

Introduction

While trying to SSH into a server we may get the error “client_loop: send disconnect: Broken pipe”. The cause here is SELinux: a normal user mapped to an SELinux user must be allowed to log in over SSH, which is done by setting the ssh_sysadm_login boolean to 1.

Checking logs

Let’s check the logs for a clue.

# journalctl -f

Aug 09 11:09:52 server1.linuxsysadmins.local sshd[3321]: fatal: sshd_selinux_copy_context: setcon failed with Permission denied

The log shows that sshd failed with a Permission denied error on setcon, but not yet why.

Check for AVC

Check the audit logs for any AVC.

# ausearch -i -m avc

node=server1.linuxsysadmins.local type=AVC msg=audit(08/09/2022 11:09:52.762:2571) : avc:  denied  { dyntransition } for  pid=3321 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
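To read such a record quickly, the following added example (not part of the original article) reduces AVC denials to the process, the denied permission, the source and target types, and the object class, then keeps only the sshd dyntransition case seen above. The function names and the second sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AVC denials in `ausearch -i -m avc` output.

# Constructed sample input. Record 1 is the denial shown above; record 2 is
# an invented, unrelated denial included only for contrast.
sample_avc() {
cat <<'EOF'
node=server1.linuxsysadmins.local type=AVC msg=audit(08/09/2022 11:09:52.762:2571) : avc:  denied  { dyntransition } for  pid=3321 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
node=server1.linuxsysadmins.local type=AVC msg=audit(08/09/2022 11:12:01.101:2580) : avc:  denied  { read } for  pid=4100 comm=httpd name=index.html dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# For each denied AVC record on stdin print:
#   comm  permission(s)  source_type  target_type  tclass
avc_summary() {
    awk '
    / avc: +denied / {
        perm = comm = src = tgt = cls = "?"
        a = index($0, "{"); b = index($0, "}")
        if (a && b > a) {                      # text between the braces
            perm = substr($0, a + 1, b - a - 1)
            gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print comm, perm, src, tgt, cls
    }'
}

# Keep only the pattern from this page: sshd denied a dyntransition on a
# process, i.e. sshd could not switch into the login domain of the user.
ssh_login_denials() {
    avc_summary |
        awk '$1 == "sshd" && $2 ~ /(^|,)dyntransition(,|$)/ && $5 == "process" {
                 print $3 " -> " $4 }' | sort -u
}

# On a live host: ausearch -i -m avc | ssh_login_denials
sample_avc | ssh_login_denials
```

A result of sshd_t -> sysadm_t is the denial that the ssh_sysadm_login boolean addresses.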

Finding Solutions

If any AVC denial is found, use audit2allow to find out why the access is being denied.

# audit2allow -w -a

-w | --why Translates SELinux audit messages into a description of why the access was denied.
-a | --all Read input from audit and message log, conflicts with -i

Solution

Set the ssh_sysadm_login SELinux boolean to 1. The -P option makes the change persistent across reboots.

# setsebool -P ssh_sysadm_login on

Verify the changes.

# getsebool -a | grep ssh

You may need to know more about SELinux Confining Users

Conclusion

As part of system hardening we may need to configure specific users as per the requirement. Failing to configure SELinux for a normal user can result in Permission denied errors.