Bug 637109

Summary: which context is correct for /root/.ssh directory ?
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: dwalsh, eparis, mgrepl, sdsmall, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-69.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 11:56:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2010-09-24 10:18:41 UTC 
Description of problem:
restorecon changes the context from ssh_home_t to home_ssh_t and someone almost immediately changes the context back. I believed that restorecond is the culprit, but it is still happening even if restorecond is stopped.

Version-Release number of selected component (if applicable):
policycoreutils-python-2.0.83-19.1.el6.i686
policycoreutils-sandbox-2.0.83-19.1.el6.i686
policycoreutils-gui-2.0.83-19.1.el6.i686
policycoreutils-2.0.83-19.1.el6.i686
policycoreutils-newrole-2.0.83-19.1.el6.i686

How reproducible:
always

Steps to Reproduce:
# service restorecond stop
Shutting down restorecond:                                 [  OK  ]
# service restorecond status
restorecond is stopped
# restorecon -Rv /root
restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/id_rsa.pub context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/id_rsa context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/known_hosts context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
# restorecon -Rv /root
restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/id_rsa.pub context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/id_rsa context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/known_hosts context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
# restorecon -Rv /root
restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/id_rsa.pub context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/id_rsa context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/known_hosts context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
#
Comment 1 Milos Malik 2010-09-24 10:34:11 UTC 
# semanage fcontext -l | grep ssh_home_t
# semanage fcontext -l | grep home_ssh_t
/opt/NX/home/nx/\.ssh(/.*)?                        all files          system_u:object_r:nx_server_home_ssh_t:s0 
/root/\.shosts                                     all files          system_u:object_r:home_ssh_t:s0 
/root/\.ssh(/.*)?                                  all files          system_u:object_r:home_ssh_t:s0 
/usr/NX/home/nx/\.ssh(/.*)?                        all files          system_u:object_r:nx_server_home_ssh_t:s0 
/var/lib/nxserver/home/.ssh(/.*)?                  all files          system_u:object_r:nx_server_home_ssh_t:s0 
# matchpathcon /root/.ssh
/root/.ssh	system_u:object_r:ssh_home_t:s0
#
Comment 2 Daniel Walsh 2010-09-24 13:48:16 UTC 
home_ssh_t and ssh_home_t are the same thing.  They are aliases to each other.

ssh_home_t is the correct label, going forward.

type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };

Seems like libsemanage is doing something strange with the aliasing.
Comment 3 RHEL Program Management 2011-01-07 15:56:49 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 4 Daniel Walsh 2011-01-07 16:08:23 UTC 
I think this ended up being a problem in the policy.
Comment 5 Miroslav Grepl 2011-01-25 15:04:47 UTC 
Yes, it can be fixed in the policy.
Comment 6 Miroslav Grepl 2011-02-07 15:39:42 UTC 
Fixed in selinux-policy-3.7.19-69.el6
Comment 9 errata-xmlrpc 2011-05-19 11:56:34 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html