Bug 746961
| Summary: | ssh-keygen cannot create key outside of ~/.ssh directory | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Matěj Cepl <mcepl> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2 | CC: | dpal, dwalsh, ksrot, mattias.ellert, mgrepl, mmalik, mvadkert, pvrabec, rvokal, tmraz |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 746290 | Environment: | |
| Last Closed: | 2012-06-20 12:27:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 746290 | ||
| Bug Blocks: | |||
|
Description
Matěj Cepl
2011-10-18 12:23:47 UTC
Well since we do not have the file name transitions in RHEL6 we do not want to remove the transition from user roles to ssh-keygen. Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. *** Bug 751828 has been marked as a duplicate of this bug. *** ssh-keygen asks for file, not for name and also it offers filename with absolute path by default:
Enter file in which to save the key (/home/test/.ssh/id_rsa)
So I don't think that this behaviour should be changed.
But there is problem with SELinux policy which doesn't allow ssh-keygen to create key outside of ~/.ssh even for unconfined user.
type=AVC msg=audit(1323358944.706:324): avc: denied { write } for pid=1578 comm="ssh-keygen" name="tmp" dev=vda3 ino=25 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1323358944.706:324): avc: denied { add_name } for pid=1578 comm="ssh-keygen" name="key" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1323358944.706:324): avc: denied { create } for pid=1578 comm="ssh-keygen" name="key" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1323358944.706:324): avc: denied { write open } for pid=1578 comm="ssh-keygen" name="key" dev=vda3 ino=2820 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
If you remove the .ssh directory or fix its label, it will work. restorecon -R -v ~/.ssh No, the problem is that ssh_keygen_t should be allowed to write just anywhere in the user's home directory, not only into ssh_home_t. Petr, I understand your point you run as unconfined SELinux user and you are confined. We needed to add this change because of CC. We made ssh_keygen_t domain as unconfined domain in the latest RHEL6.3 policy which should make this working. The problem is we can not add a proper SELinux solution until we get file name transition into RHEL6. Petr, could you test it with the latest policy? ssh-keygen now runs as unconfined domain in targeted policy by default. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html |