Bug 1304018

Summary: selinux - why would ssh with keys to postgres@localhost be prevented?
Product: Red Hat Enterprise Linux 7
Reporter: lejeczek <peljasz>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 7.1
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-02-12 09:44:19 UTC
Type: Bug

Description lejeczek 2016-02-02 17:03:50 UTC
Description of problem:

And there is no boolean for this.
The opposite way works: postgres can ssh to a $_user@localhost.
ssh with keys to a postgres@_$remotebox works fine, though.

The asking tone of this report is because I'm not sure if this is a bug.

type=AVC msg=audit(1454432013.141:11451210): avc:  denied  { read } for  pid=6865 comm="sshd" name="authorized_keys" dev="dm-0" ino=553208674 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch


Comment 1 Milos Malik 2016-02-02 17:13:17 UTC
If the authorized_keys file is located in the ~/.ssh directory, then it should be labeled ssh_home_t.

Comment 3 lejeczek 2016-02-03 14:00:17 UTC
OK, restorecond was missing there.
Yes, the problem was the fcontext on that folder.
Many thanks.
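
The check from Comment 1, as an added example that is not part of the original report: it parses AVC denials and flags sshd reads of authorized_keys whose file type is not ssh_home_t. The function names, the second log line and the `<home>` placeholder are assumptions made for illustration.

```python
import re

# First record is the denial quoted in this report; the second is a constructed
# non-matching record to show that unrelated denials are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1454432013.141:11451210): avc:  denied  { read } for  pid=6865 comm="sshd" name="authorized_keys" dev="dm-0" ino=553208674 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file
type=AVC msg=audit(1454432020.000:11451300): avc:  denied  { write } for  pid=7001 comm="httpd" name="app.log" dev="dm-0" ino=1200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXPECTED_TYPE = "ssh_home_t"  # type Comment 1 says ~/.ssh/authorized_keys should carry


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain ':'.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def mislabeled_authorized_keys(log_text):
    """Find sshd denials on authorized_keys whose file type is not ssh_home_t."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["source_type"] == "sshd_t"
                and rec.get("name") == "authorized_keys"
                and rec["target_type"] != EXPECTED_TYPE):
            findings.append({
                "inode": rec["ino"],
                "found_type": rec["target_type"],
                "expected_type": EXPECTED_TYPE,
                # restorecon reapplies the type the loaded policy assigns to the
                # path; <home> is a placeholder for the account's home directory.
                "fix": "restorecon -Rv <home>/.ssh",
            })
    return findings


if __name__ == "__main__":
    for finding in mislabeled_authorized_keys(SAMPLE_AUDIT_LOG):
        print(finding)
```

The AVC record carries only the file name and inode, so the account's home directory has to be supplied when running the suggested relabel.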