Bug 744966

Summary: .ssh/authorized_keys labeling problem
Product: Red Hat Enterprise Linux 6 Reporter: Honggang LI <honli>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: low    
Version: 6.1CC: dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-12 18:24:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
beaker job xml file for infiniband perftest none

Description Honggang LI 2011-10-11 02:10:19 UTC 
Created attachment 527355 [details]
beaker job xml file for infiniband perftest

Description of problem:
   Beaker complains AVC error in multi-hosts automatic test case for infiniband perftest since .ssh/authorized_keys labeling problem.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. delete two lines '/sbin/restorecon -R -v /root' in the attachment perftest_multi_host_i386.xml
2. bkr job-submit perftest_multi_host_i386.xml
3. 
  
Actual results:
Info: Searching AVC errors produced since 1318239982.02 (Mon Oct 10 05:46:22 2011)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 10/10/2011 05:46:22 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.LLmn7z 2>&1'
----
time->Mon Oct 10 05:57:39 2011
type=SYSCALL msg=audit(1318240659.495:192438): arch=40000003 syscall=5 success=no exit=-13 a0=2133e58 a1=8800 a2=0 a3=212ea20 items=0 ppid=7206 pid=13464 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318240659.495:192438): avc:  denied  { read } for  pid=13464 comm="sshd" name="authorized_keys" dev=dm-0 ino=1962391 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.LLmn7z | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.4iFPnP 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-107.el6.noarch


Expected results:


Additional info:
Failed : https://beaker.engineering.redhat.com/jobs/141273
Succeed : https://beaker.engineering.redhat.com/jobs/141287
Comment 2 Miroslav Grepl 2011-10-11 06:40:02 UTC 
I don't see how /root/.ssh dir is created from the attached xml. If you create it by hand

# mkdir /root/.ssh

then you need to run restorecon.
Comment 3 Honggang LI 2011-10-11 06:53:28 UTC 
Hi, Miroslav
/root/.ssh was created by the kickstart script, not the attached xml. /sbin/restorecon -R -v /root fix the issue. However, even without run restorecon ,these is no avc error when I run the test manually.
Comment 4 Miroslav Grepl 2011-10-11 07:05:47 UTC 
Then this kickstart should contain

[ -x /sbin/restorecon ] && /sbin/restorecon /root/.ssh

in the %post.

How do you run it manually? Which steps?
Comment 5 Honggang LI 2011-10-11 09:05:11 UTC 
In fact, the error message arose when the test script setup passwordless ssh-connections with an auto-expect script. But there is no avc error when I executed 'ssh_copy_id_exp rdma1' manually. 

###### script trigger avc error #########

function ssh_copy_id_exp {

TARGET_HOST=$1   # $1=rdma1

/usr/bin/expect << EOF

set force_conservative 0  ;# set to 1 to force conservative mode even if
			  ;# script wasn't run conservatively originally
if {\$force_conservative} {
	set send_slow {1 .1}
	proc send {ignore arg} {
		sleep .1
		exp_send -s -- \$arg
	}
}


set timeout -1
spawn ssh-copy-id ${TARGET_HOST}
match_max 100000
expect -exact "root@${TARGET_HOST}'s password: "
send -- "xxxxxx\r"
expect eof
EOF
}

ssh_copy_id_exp rdma1
Comment 6 Honggang LI 2011-10-11 09:07:37 UTC 
Sorry for the typo, I executed manually 'ssh_copy_id rdma1', not 'ssh_copy_id_exp rdma1'.
Comment 7 Miroslav Grepl 2011-10-11 09:48:22 UTC 
ssh-copy-id contains "restorecon" so this is reason why it works.
Comment 8 Honggang LI 2011-10-11 10:08:56 UTC 
However, as comment #5 saying, the auto-expect script call ssh-copy-id too. As the avc error message can be eliminated with '/sbin/restorecon', it is ok to close the bug. I will run restorecon with the kickstart post script, when I run multi-hosts test which need ssh-connections.
Comment 9 Miroslav Grepl 2011-10-11 12:25:40 UTC 
Are we talking about the same host?
Comment 10 Honggang LI 2011-10-12 01:44:20 UTC 
Yes, all of the automatic tests run on rdma1.rhts.eng.bos.redhat.com and rdma2.rhts.eng.bos.redhat.com.
Comment 11 Miroslav Grepl 2011-10-12 09:54:46 UTC 
Ok, I would say to leave restorecon in the %post. Could you send the kickstart?
Comment 12 Honggang LI 2011-10-12 10:14:44 UTC 
the main kickstart file:
http://download.lab.bos.redhat.com/qa/rhts/lookaside/rdma-testing/rdma-setup.sh

And I attached a few kickstart statement in the beaker job xml file.