Bug 492519
| Summary: | SELinux denies ssh-keygen from system_u:object_r:initrc_exec_t | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Qian Cai <qcai> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE <qe-baseos-auto> |
| Severity: | medium | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 5.3 | CC: | dwalsh, jplans, mmalik, ohudlick, phan |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-03-30 07:49:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 538453 | | |
Description
Qian Cai
2009-03-27 08:16:56 UTC
If you add a restorecon /root/.ssh, after you create it, does the script work?

Still the same.

```
# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ restorecon /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
```

More verbose output.

```
# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ ls -lZd /root/.ssh
drwxr-xr-x root root root:object_r:user_home_dir_t /root/.ssh
+ chmod 700 /root/.ssh
+ restorecon /root/.ssh
+ ls -lZd /root/.ssh
drwx------ root root root:object_r:user_home_t /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
```

Just for testing purposes, try chcon -t user_home_ssh_t /root/.ssh rather than restorecon

```
# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ chcon -t user_home_ssh_t /root/.ssh
chcon: failed to change context of /root/.ssh to root:object_r:user_home_ssh_t: Invalid argument
+ ls -lZd /root/.ssh
drwx------ root root root:object_r:user_home_dir_t /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
```

Fixed in selinux-policy-2.4.6-247.el5

What is /etc/init.d/try labeled?

ls -lZ /etc/init.d/try

If this is labeled initrc_exec_t, I believe it will work either way. If you run ssh-keygen directly it will not work since it will run as unconfined_t.

No transition happens so the directory does not get created with the correct label.

selinux-policy-2.4.6-253.el5 knows 2 user home contexts (user_home_t and user_home_dir_t). /root/.ssh is associated with the first context, the dontaudit rule for /usr/bin/ssh-keygen is associated with the second context. That's the reason why AVCs mentioned in comment #10 still appear.

```
# sesearch -s ssh_keygen_t -t user_home_t -c dir --all
Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;
# sesearch -s ssh_keygen_t -t user_home_dir_t -c dir --all
Found 1 av rules:
   dontaudit ssh_keygen_t user_home_dir_t : dir { getattr search };
Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-253.el5
selinux-policy-targeted-2.4.6-253.el5
# cd /root
# rm -rf .ssh
# mkdir .ssh
# restorecon -Rv .
# ls -Zd .ssh
drwxr-xr-x root root root:object_r:user_home_t .ssh
#
```

(In reply to comment #14)
> What is /etc/init.d/try labeled?
>
> ls -lZ /etc/init.d/try
>
> If this is labeled initrc_exec_t, I believe it will work either way. If you
> run ssh-keygen directly it will not work since it will run as unconfined_t.
>
> No transition happens so the directory does not get created with the correct
> label.

```
# ls -Z /etc/init.d/try
-rwxr-xr-x root root system_u:object_r:initrc_exec_t /etc/init.d/try
```

Malik

Fixed in selinux-policy-2.4.6-260.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
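The whole thread turns on one check: whether a directory created by a script (here /root/.ssh, made from an init script) carries the type the file-context policy assigns to that path, or the type it inherited from its parent (user_home_dir_t from /root). The script below is an added example, not code from the bug report or from the selinux-policy package; it assumes ls -Z, matchpathcon and restorecon from policycoreutils are installed and runs its live check only when they are.

```shell
#!/bin/sh
# Added example: report directories whose SELinux type differs from what the
# file-context policy expects, e.g. /root/.ssh left as user_home_dir_t by a
# script instead of the user_home_t that restorecon would apply.
# Assumes ls -Z, matchpathcon and restorecon (policycoreutils) exist.

# The type is the third colon-separated field of a context; this also works
# for contexts carrying an MLS level, e.g. system_u:object_r:user_home_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull the context out of an "ls -Zd" line by looking for the object role,
# because the column the context sits in differs between ls versions.
context_from_ls_line() {
    grep -o '[^ ]*:object_r:[^ ]*' | head -n 1
}

# Compare two contexts by type only: file-context rules decide the type, while
# the user part (root: vs system_u:) depends on who created the file.
# Returns 0 when the types match, 1 otherwise.
compare_types() {
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# Live check: current label from ls, expected label from "matchpathcon -n".
# Prints a restorecon hint and returns 1 when the types differ.
check_dir_label() {
    dir=$1
    have=$(ls -Zd "$dir" | context_from_ls_line)
    want=$(matchpathcon -n "$dir")
    if compare_types "$have" "$want"; then
        echo "$dir: $have (matches policy)"
    else
        echo "$dir: $have but policy expects $want; run: restorecon -v $dir"
        return 1
    fi
}

# Only perform the live check where the SELinux tools are installed.
if command -v matchpathcon >/dev/null 2>&1 && [ -d /root/.ssh ]; then
    check_dir_label /root/.ssh
fi
```

A non-zero exit from check_dir_label is the signal that the creating domain did not get a type transition for the path and a restorecon is still needed, which is exactly what the second trace above shows before and after restorecon.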