Bug 1331862

Summary: remote_execution_ssh_keys mislabels /root/.ssh/authorized_keys on RHEL6
Product: Red Hat Satellite
Reporter: Maxim Burgerhout <mburgerh>
Component: Remote Execution
Assignee: Stephen Benjamin <stbenjam>
Status: CLOSED ERRATA
QA Contact: Kedar Bidarkar <kbidarka>
Severity: unspecified
Priority: unspecified
Version: 6.2.0
CC: bbuckingham, bkearney, egolov, jalviso, jbhatia, kbidarka, omaciel
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/14899
Fixed In Version: foreman-1.11.0.28-1
Doc Type: Bug Fix
Last Closed: 2016-07-27 11:30:50 UTC
Type: Bug

Description Maxim Burgerhout 2016-04-29 20:42:45 UTC
Description of problem:
It seems that only on RHEL6, the SELinux context for the /root/.ssh/authorized_keys file on newly provisioned machines is set to admin_home_t, which is wrong.

This breaks REX for me on new RHEL6 machines. A restorecon on that file reset the context to ssh_home_t and then it works.

Version-Release number of selected component (if applicable):
6.2.0 beta

How reproducible:


Steps to Reproduce:
1. Provision new RHEL6 machine
2. Try and run a job
3.

Actual results:
Job fails, ausearch -sv no shows SELinux denial, label of /root/.ssh/authorized_keys is set to admin_home_t.

Expected results:
Job succeeds, label is set to ssh_home_t

Additional info:
RHEL5 and RHEL7 seem to work fine out of the box. I'm not sure the remote_execution_ssh_keys is at fault here, but the fact is that - for me at least - the mislabeling does break REX.
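
Added example, not part of the original report or of the Satellite code: a shell check that extracts the SELinux type from `ls -Z` output and flags an authorized_keys file that does not carry the expected type. The function names and the sample lines are constructed for illustration; `audit_authorized_keys` assumes `matchpathcon` and `restorecon` are installed on the host being checked.

```shell
#!/bin/sh
# Added example: audit the SELinux type on an authorized_keys file.

# Print the SELinux type (third field of user:role:type:level) found in
# one line of `ls -Z` output. Prints nothing if the line has no context.
selinux_type_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4) { print c[3]; exit }
    }'
}

# Compare one `ls -Z` line against the expected type.
# Returns 0 on match, 1 on mismatch, 2 if no context was found.
check_ls_line() {
    expected=$1
    line=$2
    actual=$(selinux_type_from_ls "$line")
    if [ -z "$actual" ]; then
        echo "UNLABELED"
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK $actual"
        return 0
    fi
    echo "MISMATCH actual=$actual expected=$expected"
    return 1
}

# Live check for a host. The expected type comes from the loaded policy
# via matchpathcon; ssh_home_t (the type named in the report) is the
# fallback. On mismatch, restorecon -n -v only reports, it changes nothing.
audit_authorized_keys() {
    path=${1:-/root/.ssh/authorized_keys}
    expected=$(matchpathcon -n "$path" 2>/dev/null | cut -d: -f3)
    check_ls_line "${expected:-ssh_home_t}" "$(ls -Z "$path")" && return 0
    restorecon -n -v "$path"
    return 1
}

# Constructed sample lines in the RHEL6 `ls -Z` layout.
GOOD='-rw-------. root root system_u:object_r:ssh_home_t:s0  /root/.ssh/authorized_keys'
BAD='-rw-------. root root system_u:object_r:admin_home_t:s0 /root/.ssh/authorized_keys'
check_ls_line ssh_home_t "$GOOD" || true
check_ls_line ssh_home_t "$BAD" || true
```

On a real host, call `audit_authorized_keys` as root; dropping `-n` from the `restorecon` call applies the relabel that the reporter performed by hand.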

Comment 2 Stephen Benjamin 2016-05-02 12:27:27 UTC
Created redmine issue http://projects.theforeman.org/issues/14899 from this bug

Comment 3 Bryan Kearney 2016-05-11 22:15:50 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/14899 has been closed

Comment 4 Kedar Bidarkar 2016-06-03 18:18:26 UTC
[root@kbrhel68too ~]# ll -Z /root/.ssh/authorized_keys
-rw-------. root root system_u:object_r:ssh_home_t:s0  /root/.ssh/authorized_keys

~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.8 (Santiago)


VERIFIED with sat62-snap(GA)-14.1

Comment 5 Ivan Necas 2016-06-13 18:04:43 UTC
*** Bug 1344185 has been marked as a duplicate of this bug. ***

Comment 6 Bryan Kearney 2016-07-27 11:30:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501