Bug 509138

Summary: Enforcing policy is preventing ssh login via ssh keys
Product: [Fedora] Fedora
Component: openssh
Version: 11
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: high
Reporter: David Kovalsky <dkovalsk>
Assignee: Jan F. Chadima <jchadima>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: benl, jchadima, mgrepl, tmraz
Keywords: Regression, Reopened
Doc Type: Bug Fix
Last Closed: 2009-07-02 09:23:57 EDT

Description David Kovalsky 2009-07-01 10:09:40 EDT
I've copied my public ssh key from F10 to a fully updated F11, but if SELinux is in enforcing mode I can't log in.

I used `ssh-copy-id -i .ssh/id_rsa.pub root@the-new-system' from F10.

The new F11 box logs this info:
/var/log/messages:
type=AVC msg=audit(1246454396.024:20950): avc:  denied  { getattr } for  pid=3145 comm="sshd" path="/root/.ssh/authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1246454402.940:20961): avc:  denied  { read } for  pid=3187 comm="sshd" name="authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1246454402.940:20961): avc:  denied  { open } for  pid=3187 comm="sshd" name="authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

(repeated many times)

[root@f11dave ~]# ls -lZ /root/.ssh/
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys

selinux-policy-3.6.12-53.fc11.noarch


Seems this is a regression from F10, since I never had issues with this kind of setup since Fedora Core 4 :)

Let me know if you need more info to properly debug the issue.

Comment 1 Daniel Walsh 2009-07-01 13:24:48 EDT
restorecon -R -v /root

Should fix the labeling.

Comment 2 David Kovalsky 2009-07-02 04:57:34 EDT
Thanks Dan, works like a charm.

Perhaps ssh-copy-id could try to set the context properly? Reopening against openssh.
openssh-clients-5.1p1-3.fc10.i386

Comment 3 Jan F. Chadima 2009-07-02 09:23:57 EDT
ssh-copy-id is repaired in F10, F11 and rawhide; please update.
This bug is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=508584, which is already closed.

*** This bug has been marked as a duplicate of bug 508584 ***