Bug 1258154

Summary: [PKI] selinux rejects ssh-keygen from accessing /tmp
Product: [Retired] oVirt
Reporter: Alon Bar-Lev <alonbl>
Component: ovirt-engine-core
Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED UPSTREAM
QA Contact: Pavel Stehlik <pstehlik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.6
CC: bugs, ecohen, gklein, iheim, lsurette, rbalakri, sabose, sbonazzo, yeylon
Target Milestone: ---
Target Release: 3.6.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-31 08:27:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1258365
Bug Blocks:

Description Alon Bar-Lev 2015-08-29 17:44:13 UTC
selinux does not allow access of ssh_keygen_t to init_tmp_t:

---
/var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:  denied  { open } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file

ovirt    11827 11821  0 Aug21 ?        00:00:00 ssh-keygen -s /tmp/tmp.KlPjsec4X3 -I rhsdev9.lab.eng.blr.redhat.com -h -V -1h:+1825d -n rhsdev9.lab.eng.blr.redhat.com /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh.pub
---

Not sure if there is any reason to limit processing of files in /tmp owned by the same user with proper permissions.
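The AVC record quoted above is the whole diagnostic for this bug: the source domain (ssh_keygen_t), the target label (init_tmp_t), the object class and the refused permission are all encoded in one key=value line. The following is an added example, not part of the bug report or of oVirt, that parses such lines into a structured record and flags denials where a confined domain is refused a file carrying a *tmp_t label, which is the signature an operator would grep for when checking whether an engine host still runs the affected policy. The first sample line is the one from the report; the other sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed prefix of an audit AVC record (an optional "file:" grep prefix is
# tolerated), followed by the free-form key=value body after "for".
AVC_RE = re.compile(
    r"^(?:[^:\s]*:)?type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<body>.*)$"
)
# key=value tokens; values are either quoted (comm="ssh-keygen") or bare (ino=...).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    verdict: str            # "denied" or "granted"
    perms: Tuple[str, ...]  # e.g. ("open",) or ("read", "write")
    fields: Dict[str, str]  # pid, comm, path, scontext, tcontext, tclass, ...

    def context_type(self, key: str) -> Optional[str]:
        # The SELinux type is the third field of user:role:type:level.
        ctx = self.fields.get(key)
        parts = ctx.split(":") if ctx else []
        return parts[2] if len(parts) >= 3 else None

    @property
    def source_type(self) -> Optional[str]:
        return self.context_type("scontext")

    @property
    def target_type(self) -> Optional[str]:
        return self.context_type("tcontext")


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit.log line; return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        fields=fields,
    )


def summarize(rec: AvcRecord) -> str:
    """One-line summary of who was refused what on which object."""
    return (f"{rec.source_type} -> {rec.target_type}:{rec.fields.get('tclass')} "
            f"{{ {' '.join(rec.perms)} }} by {rec.fields.get('comm')} "
            f"on {rec.fields.get('path', '?')}")


def is_tmp_label_denial(rec: AvcRecord) -> bool:
    """True when a domain is denied a file carrying a *tmp_t label, the
    pattern behind this bug (ssh_keygen_t refused on init_tmp_t)."""
    return (rec.verdict == "denied"
            and rec.fields.get("tclass") == "file"
            and (rec.target_type or "").endswith("tmp_t"))


def find_tmp_denials(lines: List[str]) -> List[AvcRecord]:
    """Filter a batch of audit lines down to the denials of interest."""
    return [r for r in map(parse_avc, lines) if r is not None and is_tmp_label_denial(r)]


SAMPLE_LINES = [
    # From the bug report above (grep prefix included).
    '/var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:  denied  { open } for  '
    'pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 '
    'scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file',
    # Constructed: a second domain denied two permissions on a plain tmp_t file.
    'type=AVC msg=audit(1440108178.120:9543): avc:  denied  { read write } for  pid=12001 '
    'comm="postgres" path="/tmp/pgsql.lock" dev="dm-0" ino=102401999 '
    'scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file',
    # Constructed: the SYSCALL record that accompanies an AVC; not an AVC itself.
    'type=SYSCALL msg=audit(1440108177.899:9542): arch=c000003e syscall=2 success=no exit=-13 '
    'pid=11827 comm="ssh-keygen"',
    # Constructed: a granted AVC (audit-allow rule), which must not be reported.
    'type=AVC msg=audit(1440108179.000:9544): avc:  granted  { execute } for  pid=12002 '
    'comm="ssh-keygen" path="/tmp/helper" dev="dm-0" ino=102402000 '
    'scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file',
]

if __name__ == "__main__":
    for rec in find_tmp_denials(SAMPLE_LINES):
        print(f"{rec.serial}: {summarize(rec)}")
```

The label check is deliberately broad (`endswith("tmp_t")`) so it catches both init_tmp_t, which the engine's temporary files inherit from init_t, and plain tmp_t; narrow it to the exact source and target types once you know which policy version is installed on the host.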

Comment 1 Alon Bar-Lev 2015-08-29 20:39:27 UTC
Cannot actually reproduce this, need access to environment to compare.

Comment 2 Alon Bar-Lev 2015-08-29 21:16:08 UTC
(In reply to Alon Bar-Lev from comment #1)
> Cannot actually reproduce this, need access to environment to compare.

Oh, it is probably not even RHEL, as there is a -n and not a -Z argument; need to know the exact distro.

Comment 3 Alon Bar-Lev 2015-08-31 08:27:45 UTC
This is a centos-7.0-specific selinux policy issue.

ovirt-engine service runs as:
---
uid=108(ovirt) gid=108(ovirt) groups=108(ovirt) context=system_u:system_r:init_t:s0
---

after updating from:
---
selinux-policy-targeted-3.12.1-153.el7.noarch
selinux-policy-3.12.1-153.el7.noarch
---
to:
---
selinux-policy-3.13.1-23.el7_1.13.noarch
selinux-policy-targeted-3.13.1-23.el7_1.13.noarch
---

ovirt-engine service runs as:
---
uid=108(ovirt) gid=108(ovirt) groups=108(ovirt) context=system_u:system_r:unconfined_service_t:s0
---

The issue is now resolved. I do not wish to add an explicit dependency on selinux-policy to the engine for a centos-specific issue; for now we will assume people are using an up-to-date system, or refer them to this bug to update the selinux policy.