Bug 2177704
Summary: | Cannot add smartcard key to SSH agent when user is confined | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 8.7 | CC: | lvrabec, mhavrila, mmalik, mmmurphy2, omoris |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.14.3-128.el8 | Doc Type: | Bug Fix |
Doc Text: |
Cause:
policy does not allow ssh-agent execute openssh helper for pkcs#11 support
Consequence:
ssh-agent cannot access keys stored on a smart card
Fix:
required rules were added to the policy
Result:
ssh-agent can get a key stored on a smart card for ssh to use it
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-11-14 15:47:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Renaud Métrich
2023-03-13 12:41:06 UTC
Commit to backport: 71086d81c (HEAD -> rawhide, upstream/rawhide) Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t Ondro, Can you help us with verification that fix for this bz is complete? It requires confined users setup and access to a smart card. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:7091 |