Bug 575203

Summary: selinux denies ssh-keygen -f /root/.ssh/id_rsa when run from /etc/init.d directory
Product: Red Hat Enterprise Linux 5 Reporter: Jan Tluka <jtluka>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 5.4CC: jrieden, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
When SELinux was enabled, an attempt to generate a key pair from an init script using the following command failed with an error: ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" These updated selinux-policy packages provide corrected SELinux rules that allow the "ssh_keygen_t" domain to search the content of the /root/.ssh/ directory, so that the key pair creation no longer fails.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:48:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Tluka 2010-03-19 17:50:35 UTC 
Description of problem:
When running following command from init script
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" 
SELinux prevents creating the key and command fails. When run under root from login shell the command passes.

Generating public/private rsa key pair.
Could not create directory '/root/.ssh'.
open /root/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /root/.ssh/id_rsa.

There is a workaround for the problem. If '-f id_rsa' is used instead of '-f /root/.ssh/id_rsa' the key creation succeeds. However, changing to directory /root/.ssh is needed.

Version-Release number of selected component (if applicable):
RHEL5.5-Server-20100310.0 x86_64

# rpm -qa selinux-\*
selinux-policy-2.4.6-279.el5
selinux-policy-targeted-2.4.6-279.el5
selinux-policy-devel-2.4.6-279.el5

How reproducible:
100%

Steps to Reproduce:
1. create file /etc/init.d/run with following content:
#!/bin/bash
rm -rf /root/.ssh
mkdir /root/.ssh
restorecon -Rv /root/.ssh/
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""

2. setenforce Enforcing
3. chcon -t initrc_exec_t /etc/init.d/run
4. execute /etc/init.d/run under root

  
Actual results:
SSH key creation fails


Expected results:
SSH key creation succeeds

Additional info:
When running 
# semodule -DB
before the test I got following messages printed in log:

type=AVC msg=audit(1269020149.639:786): avc:  denied  { search } for  pid=6860 comm="ssh-keygen" name="selinux" dev=dm-0 ino=15630363 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1269020149.639:786): avc:  denied  { read } for  pid=6860 comm="ssh-keygen" name="config" dev=dm-0 ino=15631881 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1269020149.640:787): avc:  denied  { getattr } for  pid=6860 comm="ssh-keygen" path="/etc/selinux/config" dev=dm-0 ino=15631881 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1269020149.641:788): avc:  denied  { search } for  pid=6860 comm="ssh-keygen" name="/" dev=selinuxfs ino=463 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1269020149.641:788): avc:  denied  { read } for  pid=6860 comm="ssh-keygen" name="mls" dev=selinuxfs ino=12 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1269020150.617:789): avc:  denied  { search } for  pid=6860 comm="ssh-keygen" name="root" dev=dm-0 ino=9666561 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
Comment 1 Daniel Walsh 2010-03-22 15:09:40 UTC 
Could you try the RHEL5.5 policy?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch
Comment 2 Jan Tluka 2010-06-10 14:12:30 UTC 
(In reply to comment #1)
> Could you try the RHEL5.5 policy?
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch    

After upgrade the result is almost the same (getattr and read actions are no longer in audit log).

# rpm -qa selinux\*
selinux-policy-2.4.6-280.el5
selinux-policy-targeted-2.4.6-280.el5


# /etc/init.d/run 
restorecon reset /root/.ssh context root:object_r:user_home_dir_t:s0->root:object_r:sshd_key_t:s0
Generating public/private rsa key pair.
Could not create directory '/root/.ssh'.
open /root/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /root/.ssh/id_rsa.
[root@dhcp-lab-247 ~]# 
type=AVC msg=audit(1276179018.776:157): avc:  denied  { search } for  pid=2183 comm="ssh-keygen" name="selinux" dev=dm-0 ino=190415 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1276179018.776:157): arch=c000003e syscall=2 success=no exit=-13 a0=2b705b8d0a04 a1=0 a2=1b6 a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1276179018.777:158): avc:  denied  { search } for  pid=2183 comm="ssh-keygen" name="/" dev=selinuxfs ino=321 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1276179018.777:158): arch=c000003e syscall=2 success=no exit=-13 a0=7fff7bac0dc0 a1=0 a2=0 a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1276179019.229:159): avc:  denied  { search } for  pid=2183 comm="ssh-keygen" name="root" dev=dm-0 ino=63425 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1276179019.229:159): arch=c000003e syscall=4 success=no exit=-13 a0=7fff7bac09e0 a1=7fff7bab9910 a2=7fff7bab9910 a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1276179019.230:160): avc:  denied  { search } for  pid=2183 comm="ssh-keygen" name="root" dev=dm-0 ino=63425 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1276179019.230:160): arch=c000003e syscall=83 success=no exit=-13 a0=7fff7bac09e0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1276179019.230:161): avc:  denied  { search } for  pid=2183 comm="ssh-keygen" name="root" dev=dm-0 ino=63425 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1276179019.230:161): arch=c000003e syscall=4 success=no exit=-13 a0=2b70586d7960 a1=7fff7bab9910 a2=7fff7bab9910 a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1276179019.231:162): avc:  denied  { search } for  pid=2183 comm="ssh-keygen" name="root" dev=dm-0 ino=63425 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1276179019.231:162): arch=c000003e syscall=2 success=no exit=-13 a0=2b70586d7960 a1=241 a2=180 a3=632e746168646572 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null)
Comment 3 Daniel Walsh 2010-06-16 21:03:40 UTC 
restorecon -R -v /root/.ssh
Comment 4 Jan Tluka 2010-06-21 13:31:27 UTC 
(In reply to comment #3)
> restorecon -R -v /root/.ssh    

This is included in reproducer I've been running.

# cat /etc/init.d/run 
#!/bin/bash

rm -rf /root/.ssh
mkdir /root/.ssh
restorecon -Rv /root/.ssh/
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""
Comment 5 Miroslav Grepl 2010-07-02 11:05:19 UTC 
Afaik it was fixed in the latest selinux-policy-targeted-2.4.6-279.el5. I am trying to test it with selinux-policy-targeted-2.4.6-280.el5 and I am not seeing this issue.

Jan,
could you check the default context for /root/.ssh

# matchpathcon /root/.ssh
/root/.ssh	root:object_r:sshd_key_t

Also could you try to modify your test script to

# cat /etc/init.d/run 
#!/bin/bash

rm -rf /root/.ssh
mkdir /root/.ssh
restorecon -Rv /root/.ssh/
ls -dZ /root/.ssh
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""
Comment 6 Jan Tluka 2010-07-07 14:31:42 UTC 
[root@dhcp-lab-247 ~]# rpm -qa selinux-policy-targeted
selinux-policy-targeted-2.4.6-280.el5
[root@dhcp-lab-247 ~]# 
[root@dhcp-lab-247 ~]# matchpathcon /root/.ssh
/root/.ssh	root:object_r:sshd_key_t
[root@dhcp-lab-247 ~]# 
[root@dhcp-lab-247 ~]# cat /etc/init.d/run 
#!/bin/bash

rm -rf /root/.ssh
mkdir /root/.ssh
restorecon -R -v /root/.ssh
ls -dZ /root/.ssh
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""

[root@dhcp-lab-247 ~]# /etc/init.d/run 
restorecon reset /root/.ssh context root:object_r:user_home_dir_t:s0->root:object_r:sshd_key_t:s0
drwxr-xr-x  root root root:object_r:sshd_key_t         /root/.ssh
Generating public/private rsa key pair.
Could not create directory '/root/.ssh'.
open /root/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /root/.ssh/id_rsa.
Comment 7 Miroslav Grepl 2010-07-22 09:22:17 UTC 
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 9 Jan Tluka 2010-07-27 15:16:38 UTC 
Yes, it works now.

[root@dhcp-lab-247 ~]# rpm -qa selinux-\*
selinux-policy-2.4.6-281.el5
selinux-policy-targeted-2.4.6-281.el5
[root@dhcp-lab-247 ~]# matchpathcon /root/.ssh
/root/.ssh	root:object_r:sshd_key_t
[root@dhcp-lab-247 ~]# cat /etc/init.d/run 
#!/bin/bash

rm -rf /root/.ssh
mkdir /root/.ssh
restorecon -R -v /root/.ssh
ls -dZ /root/.ssh
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""

[root@dhcp-lab-247 ~]# /etc/init.d/run 
restorecon reset /root/.ssh context root:object_r:user_home_dir_t:s0->root:object_r:sshd_key_t:s0
drwxr-xr-x  root root root:object_r:sshd_key_t         /root/.ssh
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
1b:86:4f:f3:41:91:b3:e9:2a:89:80:10:0a:78:f1:86 root.brq.redhat.com
Comment 10 Jaromir Hradilek 2011-01-05 16:10:55 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When SELinux was enabled, an attempt to generate a key pair from an init script using the following command failed with an error:

    ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""

    These updated selinux-policy packages provide corrected SELinux rules that allow the "ssh_keygen_t" domain to search the content of the /root/.ssh/ directory, so that the key pair creation no longer fails.
Comment 12 errata-xmlrpc 2011-01-13 21:48:36 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html