Bug 752197

Summary: /root/.ssh created with wrong selinux context
Product: Red Hat Enterprise Linux 6
Reporter: Michael Brown <michael>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: unspecified
Version: 6.1
CC: dwalsh, mvadkert, plambri
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-12-12 16:35:37 UTC

Description Michael Brown 2011-11-08 19:34:52 UTC
Description of problem:
On a clean, updated RHEL 6.1 host, ssh-copy-id from a remote machine creates /root/.ssh with the wrong SELinux context.

How reproducible:
Every time

Steps to Reproduce:
[root@rhel ~]# ls -al /root/.ssh/
ls: cannot access /root/.ssh/: No such file or directory

(on another computer, run: 'ssh-copy-id root@rhel' and enter the password)

[root@rhel ~]# ls -alZ /root/.ssh
drwx------. root root unconfined_u:object_r:admin_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys

(looks like .ssh has been created with the wrong context. It can't be used to
ssh in with a key)

[root@rhel ~]# restorecon -r /root/.ssh
[root@rhel ~]# ls -alZ /root/.ssh
drwx------. root root system_u:object_r:ssh_home_t:s0  .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root system_u:object_r:ssh_home_t:s0  authorized_keys

(context has been fixed - can now ssh in using a key)

Comment 1 Daniel Walsh 2011-11-08 19:36:35 UTC
Please try this with RHEL6.2 policy
selinux-policy-3.7.19-123.el6.noarch.rpm

Preview release available on http://people.redhat.com/dwalsh/SELinux/RHEL6

Comment 3 Miroslav Grepl 2011-11-09 07:27:43 UTC
Does your ssh-copy-id contain restorecon?

[mgrepl@rhel6 RHEL-6]$ grep restorecon /usr/bin/ssh-copy-id
{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys" || exit 1

The problem is probably that you run ssh-copy-id from a machine where ssh-copy-id doesn't contain restorecon, which is needed for RHEL6.2.
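
A check for the condition described in this report, as an added example that is not part of the original bug thread or of openssh: it parses `ls -alZ` output and lists entries under `.ssh` whose SELinux type is not `ssh_home_t`. The function name `mislabeled_entries` is hypothetical, and the embedded listings are constructed from the output quoted in the description.

```shell
#!/bin/sh
# Added example: flag entries in an `ls -alZ ~/.ssh` listing whose SELinux
# type is not the one shown after restorecon in this report (ssh_home_t).
# The function name and the sample variables are assumptions of this example.

# Reads an `ls -Z` style listing on stdin; prints "<name> <type>" for each
# entry labelled with a type other than $1 (default: ssh_home_t).
# The parent directory ".." is skipped: admin_home_t is correct for /root.
# Limitation: the name is taken as the last field, so names with spaces
# are reported by their last word only.
mislabeled_entries() {
    awk -v want="${1:-ssh_home_t}" '
    {
        # Find the context field (user:role:type:level) by its shape, so
        # both the RHEL 6 "ls -Z" layout and longer "ls -lZ" layouts parse.
        ctx = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z0-9_]+:[a-z0-9_]+:[a-z0-9_]+:s[0-9]/) { ctx = $i; break }
        if (ctx == "" || $NF == "..") next
        split(ctx, part, ":")
        if (part[3] != want) print $NF, part[3]
    }'
}

# Constructed sample: the listing from the description, before restorecon.
SAMPLE_BEFORE='drwx------. root root unconfined_u:object_r:admin_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys'

# Constructed sample: the listing from the description, after restorecon.
SAMPLE_AFTER='drwx------. root root system_u:object_r:ssh_home_t:s0  .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root system_u:object_r:ssh_home_t:s0  authorized_keys'

printf '%s\n' "$SAMPLE_BEFORE" | mislabeled_entries   # flags "." and authorized_keys
printf '%s\n' "$SAMPLE_AFTER"  | mislabeled_entries   # flags nothing

# On a live host: ls -alZ /root/.ssh | mislabeled_entries
```

Any line printed by the live invocation names an entry that `restorecon -r /root/.ssh` would relabel.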

Comment 4 Petr Lautrbach 2011-12-09 15:20:42 UTC
This seems to be a duplicate of #739989.

What is the version of the openssh package on the remote machine?

Comment 6 Daniel Walsh 2011-12-12 16:35:37 UTC

*** This bug has been marked as a duplicate of bug 739989 ***