Bug 1910102

Summary: restorecon fails for (x)guest_u accounts in ssh
Product: Red Hat Enterprise Linux 8
Reporter: Stanislav Zidek <szidek>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.4
CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-19 19:55:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1778780

Description Stanislav Zidek 2020-12-22 16:58:15 UTC
Description of problem:
Restorecon fails when used over ssh

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-58.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. useradd -Z guest_u X
2. echo redhat |passwd --stdin X
3. ssh X@localhost
4. mkdir -p .ssh && touch .ssh/authorized_keys && restorecon -F .ssh/authorized_keys

Actual results:
restorecon: Could not set context for /home/t7/.ssh/authorized_keys:  Permission denied

Expected results:
no error

Comment 1 Stanislav Zidek 2020-12-22 16:59:24 UTC
# ausearch -m AVC -ts recent -i
----
type=PROCTITLE msg=audit(12/22/2020 11:51:04.706:702) : proctitle=restorecon -F .ssh/authorized_keys 
type=SYSCALL msg=audit(12/22/2020 11:51:04.706:702) : arch=x86_64 syscall=lsetxattr success=no exit=EACCES(Permission denied) a0=0x5614fa9d8410 a1=0x7f14d54cee5e a2=0x5614faa3b4d0 a3=0x24 items=0 ppid=5613 pid=5640 auid=t7 uid=t7 gid=t7 euid=t7 suid=t7 fsuid=t7 egid=t7 sgid=t7 fsgid=t7 tty=pts1 ses=19 comm=restorecon exe=/usr/sbin/setfiles subj=guest_u:guest_r:guest_t:s0 key=(null) 
type=AVC msg=audit(12/22/2020 11:51:04.706:702) : avc:  denied  { relabelto } for  pid=5640 comm=restorecon name=authorized_keys dev="vda1" ino=23069863 scontext=guest_u:guest_r:guest_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(12/22/2020 11:52:48.443:703) : proctitle=rpm -q selinux-policy 
type=SYSCALL msg=audit(12/22/2020 11:52:48.443:703) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f20d51fda9b a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5613 pid=5642 auid=t7 uid=t7 gid=t7 euid=t7 suid=t7 fsuid=t7 egid=t7 sgid=t7 fsgid=t7 tty=pts1 ses=19 comm=rpm exe=/usr/bin/rpm subj=guest_u:guest_r:guest_t:s0 key=(null) 
type=AVC msg=audit(12/22/2020 11:52:48.443:703) : avc:  denied  { read } for  pid=5642 comm=rpm name=resolv.conf dev="vda1" ino=8603 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(12/22/2020 11:52:48.443:704) : proctitle=rpm -q selinux-policy 
type=SYSCALL msg=audit(12/22/2020 11:52:48.443:704) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f20d3d0ab50 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5613 pid=5642 auid=t7 uid=t7 gid=t7 euid=t7 suid=t7 fsuid=t7 egid=t7 sgid=t7 fsgid=t7 tty=pts1 ses=19 comm=rpm exe=/usr/bin/rpm subj=guest_u:guest_r:guest_t:s0 key=(null) 
type=AVC msg=audit(12/22/2020 11:52:48.443:704) : avc:  denied  { read } for  pid=5642 comm=rpm name=hosts dev="vda1" ino=2437823 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
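
An added example, not part of this bug report or of selinux-policy, that parses AVC records in the `ausearch -i` layout shown above into their fields and groups the denials into the allow rules they would require, the way audit2allow summarises them for triage. The sample input is two of the records from comment 1 plus one SYSCALL line; all function names are my own.

```python
import re
from collections import defaultdict

# Sample input: two AVC records quoted in comment 1 plus one non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/22/2020 11:51:04.706:702) : avc:  denied  { relabelto } for  pid=5640 comm=restorecon name=authorized_keys dev="vda1" ino=23069863 scontext=guest_u:guest_r:guest_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(12/22/2020 11:52:48.443:703) : avc:  denied  { read } for  pid=5642 comm=rpm name=resolv.conf dev="vda1" ino=8603 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(12/22/2020 11:52:48.443:703) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied)
"""

# AVC record layout as ausearch -i prints it: result, permission set in braces,
# then key=value pairs (scontext, tcontext, tclass, ...).
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<kv>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    rec = {k: v.strip('"') for k, v in kv.items()}   # dev="vda1" -> vda1
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; policy rules are written in terms of the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def parse_audit(text):
    """Parse every AVC record in a block of ausearch -i output, skipping the rest."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]

def missing_rules(records):
    """Group denials by (source type, target type, class) into candidate allow rules."""
    need = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            need[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in need.items())

if __name__ == "__main__":
    for rule in missing_rules(parse_audit(SAMPLE_AUDIT)):
        print(rule)
```

The generated rules are a triage summary of what the policy currently refuses, not a fix to load as-is: as comment 2 notes for the first denial, the right answer may be a labeling change elsewhere rather than a new allow rule.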

Comment 2 Milos Malik 2021-01-04 11:13:36 UTC
I believe the first SELinux denial in comment#1 is a consequence of BZ#1907502.