Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionTrond H. Amundsen
2012-01-12 13:39:21 UTC
Description of problem:
SELinux does not permit ssh-keygen to create files in ~/.ssh on NFS-mounted home directories:
[trondham@tux ~]$ df ~
Filesystem 1K-blocks Used Available Use% Mounted on
nfsserver:/nfshome 178257920 147720384 30537536 83% /nfshome
[trondham@tux ~]$ ls -Zd .ssh
drwx------. trondham usit system_u:object_r:nfs_t:s0 .ssh
[trondham@tux ~]$ cd
[trondham@tux ~]$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/nfshome/trondham/.ssh/id_rsa):
Could not create directory '/nfshome/trondham/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
open /nfshome/trondham/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /nfshome/trondham/.ssh/id_rsa.
Note that the use_nfs_home_dirs is set to "on".
Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch
How reproducible:
Always
Steps to Reproduce:
1. Use an NFS mounted home directory
2. run ssh-keygen
Actual results:
ssh-keygen fails to generate key as demonstrated above
Expected results:
ssh-keygen generates key without issues
Additional info:
Running ssh-keygen while in permissive mode, the following appears in audit.log:
# grep ssh-keygen /var/log/audit/audit.log
type=AVC msg=audit(1326375335.616:51497): avc: denied { write } for pid=12412 comm="ssh-keygen" name=".ssh" dev=0:51 ino=25846406 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc: denied { add_name } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc: denied { create } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1326375335.616:51497): avc: denied { open } for pid=12412 comm="ssh-keygen" name="id_rsa" dev=0:51 ino=14226765 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1326375335.616:51497): arch=c000003e syscall=2 success=yes exit=3 a0=7f2b0e42eb80 a1=241 a2=180 a3=fffffff6 items=0 ppid=10147 pid=12412 auid=45150 uid=45150 gid=55150 euid=45150 suid=45150 fsuid=45150 egid=55150 sgid=55150 fsgid=55150 tty=pts38 ses=265 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null)
Audit2allow translates this to:
# grep ssh-keygen /var/log/audit/audit.log | audit2allow -m foo
module foo 1.0;
require {
type ssh_keygen_t;
type nfs_t;
class dir { write add_name };
class file { create open };
}
#============= ssh_keygen_t ==============
#!!!! The source type 'ssh_keygen_t' can write to a 'dir' of the following types:
# user_home_dir_t, etc_t, ssh_home_t, admin_home_t
allow ssh_keygen_t nfs_t:dir { write add_name };
allow ssh_keygen_t nfs_t:file { create open };
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2012-0780.html
Description of problem: SELinux does not permit ssh-keygen to create files in ~/.ssh on NFS-mounted home directories: [trondham@tux ~]$ df ~ Filesystem 1K-blocks Used Available Use% Mounted on nfsserver:/nfshome 178257920 147720384 30537536 83% /nfshome [trondham@tux ~]$ ls -Zd .ssh drwx------. trondham usit system_u:object_r:nfs_t:s0 .ssh [trondham@tux ~]$ cd [trondham@tux ~]$ ssh-keygen -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/nfshome/trondham/.ssh/id_rsa): Could not create directory '/nfshome/trondham/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: open /nfshome/trondham/.ssh/id_rsa failed: Permission denied. Saving the key failed: /nfshome/trondham/.ssh/id_rsa. Note that the use_nfs_home_dirs is set to "on". Version-Release number of selected component (if applicable): selinux-policy-3.7.19-126.el6_2.4.noarch How reproducible: Always Steps to Reproduce: 1. Use an NFS mounted home directory 2. run ssh-keygen Actual results: ssh-keygen fails to generate key as demonstrated above Expected results: ssh-keygen generates key without issues Additional info: Running ssh-keygen while in permissive mode, the following appears in audit.log: # grep ssh-keygen /var/log/audit/audit.log type=AVC msg=audit(1326375335.616:51497): avc: denied { write } for pid=12412 comm="ssh-keygen" name=".ssh" dev=0:51 ino=25846406 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir type=AVC msg=audit(1326375335.616:51497): avc: denied { add_name } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir type=AVC msg=audit(1326375335.616:51497): avc: denied { create } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file type=AVC msg=audit(1326375335.616:51497): avc: denied { open } for pid=12412 comm="ssh-keygen" name="id_rsa" dev=0:51 ino=14226765 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file type=SYSCALL msg=audit(1326375335.616:51497): arch=c000003e syscall=2 success=yes exit=3 a0=7f2b0e42eb80 a1=241 a2=180 a3=fffffff6 items=0 ppid=10147 pid=12412 auid=45150 uid=45150 gid=55150 euid=45150 suid=45150 fsuid=45150 egid=55150 sgid=55150 fsgid=55150 tty=pts38 ses=265 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null) Audit2allow translates this to: # grep ssh-keygen /var/log/audit/audit.log | audit2allow -m foo module foo 1.0; require { type ssh_keygen_t; type nfs_t; class dir { write add_name }; class file { create open }; } #============= ssh_keygen_t ============== #!!!! The source type 'ssh_keygen_t' can write to a 'dir' of the following types: # user_home_dir_t, etc_t, ssh_home_t, admin_home_t allow ssh_keygen_t nfs_t:dir { write add_name }; allow ssh_keygen_t nfs_t:file { create open };