Bug 512830

Summary: .ssh/authorized_keys is mislabelled
Product: [Fedora] Fedora Reporter: Oliver Henshaw <oliver.henshaw>
Component: safekeepAssignee: Jef Spaleta <jspaleta>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: dwalsh, jspaleta, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-28 13:44:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Oliver Henshaw 2009-07-20 21:19:55 UTC 
Description of problem:

Using safekeep, deploy keys with 'safekeep --keys --deploy' (and give root password). Subsequently 'safekeep --server' should ssh without requiring a password. What actually happens is the selinux denial below and sshd falls back to asking for a password.

After "restorecon root/.ssh/authorized_keys", everything works perfectly.

This happens even when deleting /root/.ssh/ and letting it be re-created during the key deployment.


Version-Release number of selected component (if applicable):

openssh-server-5.2p1-2.fc11.i586
selinux-policy-3.6.12-62.fc11.noarch
safekeep-server-1.0.5-2.fc11.noarch
  

Additional info:

SELinux is preventing sshd (sshd_t) "read" to /root/.ssh/authorized_keys
(admin_home_t).

Detailed Description:

SELinux denied access requested by sshd. /root/.ssh/authorized_keys may be a
mislabeled. /root/.ssh/authorized_keys default SELinux type is home_ssh_t, but
its current type is admin_home_t. Changing this file back to the default type,
may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creates a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or
    restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/root/.ssh/authorized_keys', if this file is a
directory, you can recursively restore using restorecon -R
'/root/.ssh/authorized_keys'.

Fix Command:

restorecon '/root/.ssh/authorized_keys'

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /root/.ssh/authorized_keys [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          mostin
Source RPM Packages           openssh-server-5.2p1-2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     mostin
Platform                      Linux mostin 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun
                              16 23:11:39 EDT 2009 i686 athlon
Alert Count                   4
First Seen                    Mon 20 Jul 2009 20:44:22 BST
Last Seen                     Mon 20 Jul 2009 21:10:03 BST
Local ID                      4bc43249-b983-471b-9410-6f2c4bd1051a
Line Numbers                  

Raw Audit Messages            

node=mostin type=AVC msg=audit(1248120603.552:225): avc:  denied  { read } for  pid=10203 comm="sshd" name="authorized_keys" dev=dm-6 ino=125282 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=mostin type=SYSCALL msg=audit(1248120603.552:225): arch=40000003 syscall=5 success=no exit=-13 a0=1406598 a1=8800 a2=0 a3=13f8a18 items=0 ppid=9593 pid=10203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-07-21 01:31:27 UTC 
Did you read the description above?  Did you run the restorecon command?  After running the restorecon command, did it work?

Run 

restorecon -R -v /root/.ssh

Should fix the labeling so sshd can read the authorization_keys.

The safekeep tool should be making sure the labeling is correct, just like it would make sure the file ownership and permissions were correct.
Comment 2 Daniel Walsh 2009-07-21 01:35:23 UTC 
Something like 

                cmd = '%s %s@%s "umask 077; test -d .ssh || mkdir .ssh; cat >> .ssh/authorized_keys; restorecon -R -v .ssh"' % (basessh, cfg['user'], cfg['host'])

Would fix on SELinux platforms.
Comment 3 Daniel Walsh 2009-07-21 01:36:22 UTC 
restorecon will exit with 0 status if selinux is disabled.
Comment 5 Bug Zapper 2010-04-27 15:48:32 UTC 
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 6 Bug Zapper 2010-06-28 13:44:02 UTC 
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.