| Summary: | Targeted: add rule for ssh-keygen to be able to create .ssh folder with correct context | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Miroslav Vadkerti <mvadkert> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.1 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-106.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-06 10:09:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 584498, 846801, 846802 | ||
Fixed in selinux-policy-3.7.19-106.el6 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html |
Description of problem: When running ssh-keygen as a non-root user (under unconfined_t) and the .ssh folder does not exist the tool creates .ssh folder with incorrect context. As all other tools from the ssh package create the .ssh folder with correct context the ssh-keygen tool should behave the same. This custom module solves this issue: policy_module(ssh-keygen, 1.1) require{ type unconfined_t; role unconfined_r; } ssh_run_keygen(unconfined_t, unconfined_r) Version-Release number of selected component (if applicable): selinux-policy-targeted-3.7.19-93.el6_1.2.noarch How reproducible: 100% Steps to Reproduce: 1. login as non-root user 2. rm -rf ~/.ssh 3. ssh-keygen 4. ls -dZ ~/.ssh Actual results: drwx------. test test unconfined_u:object_r:user_home_t:SystemLow .ssh/ Expected results: drwx------. test test unconfined_u:object_r:ssh_home_t:SystemLow .ssh/ Additional info: Test case for this scenario is a part of CCC testing.