Bug 491541

Summary: SELinux issue with pam_ssh
Product: [Fedora] Fedora
Reporter: Jochen Schmitt <jochen>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 10
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-31 16:49:43 UTC

Description Jochen Schmitt 2009-03-22 20:33:18 UTC
When I'm using pam_ssh with my ssh key, I get the following SELinux error messages:

Raw audit messages

node=zeus.herr-schmitt.de type=AVC msg=audit(1237749010.790:63): avc:  denied  { read } for  pid=2959 comm="login" name="id_rsa" dev=dm-1 ino=3183866 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

node=zeus.herr-schmitt.de type=SYSCALL msg=audit(1237749010.790:63): arch=c000003e syscall=2 success=yes exit=3 a0=139e450 a1=0 a2=7fff7cc3e168 a3=349cb6da70 items=0 ppid=1 pid=2959 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=tty3 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-03-23 17:07:19 UTC
restorecon -R -v /home /root

You have some mislabeled key files.  There was a problem with the update from F8 and maybe F9 that could have caused this problem.

Also make sure you have the latest selinux policy installed.

Comment 2 Jochen Schmitt 2009-03-23 19:09:10 UTC
Yes, I know that I can relabel the file from the complaint with the restorecon command. But it seems that the mislabeling situation will occur after the next login, because pam_ssh will access the key file.

Comment 3 Daniel Walsh 2009-03-24 14:28:30 UTC
But the file should not be mislabeled any longer.  The file became mislabeled because of a failure in the upgrade.  Once it gets labeled correctly, it should not be possible to create the mislabeled file again. (Well, no confined domain should be able to create it anyways.)
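As an added example (not part of the bug report or its comments), a small Python triage helper that applies the reasoning from Comments 1 and 3 to the records quoted above: it parses an audit record and reports whether the target carries unlabeled_t (a relabeling problem, fixed with restorecon) or a valid label (a denial the policy really enforces). The third sample record and its ssh_home_t target label are constructed for illustration.

```python
import re

# Constructed sample input: the AVC and SYSCALL records quoted in the report, plus a
# constructed AVC record whose target carries a normal label (a real policy denial).
SAMPLE_AUDIT_LINES = [
    'node=zeus.herr-schmitt.de type=AVC msg=audit(1237749010.790:63): avc:  denied  { read } for  pid=2959 comm="login" name="id_rsa" dev=dm-1 ino=3183866 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'node=zeus.herr-schmitt.de type=SYSCALL msg=audit(1237749010.790:63): arch=c000003e syscall=2 success=yes exit=3 a0=139e450 a1=0 a2=7fff7cc3e168 a3=349cb6da70 items=0 ppid=1 pid=2959 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=tty3 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1237749100.000:70): avc:  denied  { read } for  pid=3001 comm="login" name="id_rsa" dev=dm-1 ino=3183866 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file',  # constructed
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')     # the "{ read write }" permission set


def parse_audit_record(line):
    """Split one audit record into a dict of fields; 'perms' holds the denied permissions."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec


def selinux_type(context):
    """Extract the type from a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def triage_avc(line):
    """Classify an AVC denial: file-labeling problem vs. denial the policy really enforces."""
    rec = parse_audit_record(line)
    if rec.get("type") != "AVC":
        return {"verdict": "not_avc"}
    result = {"source_type": selinux_type(rec.get("scontext", "")),
              "target_type": selinux_type(rec.get("tcontext", "")),
              "target": rec.get("name"), "tclass": rec.get("tclass"), "perms": rec["perms"]}
    if result["target_type"] == "unlabeled_t":
        # No confined domain creates unlabeled_t files; the label was lost (here: during
        # an upgrade). Relabeling from the file contexts is the fix, not a policy change.
        result.update(verdict="mislabeled", fix="restorecon -R -v /home /root")
    else:
        # Both contexts are valid labels, so the policy really forbids this access; decide
        # whether a rule is missing (report against selinux-policy) or the access is unwanted.
        result.update(verdict="policy_denial", fix="review the access before changing policy")
    return result


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LINES:
        print(triage_avc(line))
```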

Comment 4 Jochen Schmitt 2009-03-31 16:49:43 UTC
I will close this bug, because your hint works on my system.