| Summary: | SELinux prevents ssh-keygen write access to NFS home dirs | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Trond H. Amundsen <t.h.amundsen> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dwalsh, ksrot, mmalik, stephenf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-135.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 12:30:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
We made some fixes for ssh_keygen which allow it. But I think we should add a boolean for this too.

Hm.. just curious.. what would be the point in adding an extra boolean? We already have this one:

```
use_nfs_home_dirs -> on    Support NFS home directories
```

Yes, I want to add this boolean for ssh_keygen_t.

Fixed in selinux-policy-3.7.19-135.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
Description of problem:

SELinux does not permit ssh-keygen to create files in ~/.ssh on NFS-mounted home directories:

```
[trondham@tux ~]$ df ~
Filesystem         1K-blocks      Used Available Use% Mounted on
nfsserver:/nfshome 178257920 147720384  30537536  83% /nfshome
[trondham@tux ~]$ ls -Zd .ssh
drwx------. trondham usit system_u:object_r:nfs_t:s0 .ssh
[trondham@tux ~]$ cd
[trondham@tux ~]$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/nfshome/trondham/.ssh/id_rsa):
Could not create directory '/nfshome/trondham/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
open /nfshome/trondham/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /nfshome/trondham/.ssh/id_rsa.
```

Note that use_nfs_home_dirs is set to "on".

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch

How reproducible:
Always

Steps to Reproduce:
1. Use an NFS mounted home directory
2. Run ssh-keygen

Actual results:
ssh-keygen fails to generate the key as demonstrated above

Expected results:
ssh-keygen generates the key without issues

Additional info:
Running ssh-keygen while in permissive mode, the following appears in audit.log:

```
# grep ssh-keygen /var/log/audit/audit.log
type=AVC msg=audit(1326375335.616:51497): avc: denied { write } for pid=12412 comm="ssh-keygen" name=".ssh" dev=0:51 ino=25846406 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc: denied { add_name } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc: denied { create } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1326375335.616:51497): avc: denied { open } for pid=12412 comm="ssh-keygen" name="id_rsa" dev=0:51 ino=14226765 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1326375335.616:51497): arch=c000003e syscall=2 success=yes exit=3 a0=7f2b0e42eb80 a1=241 a2=180 a3=fffffff6 items=0 ppid=10147 pid=12412 auid=45150 uid=45150 gid=55150 euid=45150 suid=45150 fsuid=45150 egid=55150 sgid=55150 fsgid=55150 tty=pts38 ses=265 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null)
```

audit2allow translates this to:

```
# grep ssh-keygen /var/log/audit/audit.log | audit2allow -m foo

module foo 1.0;

require {
	type ssh_keygen_t;
	type nfs_t;
	class dir { write add_name };
	class file { create open };
}

#============= ssh_keygen_t ==============
#!!!! The source type 'ssh_keygen_t' can write to a 'dir' of the following types:
# user_home_dir_t, etc_t, ssh_home_t, admin_home_t

allow ssh_keygen_t nfs_t:dir { write add_name };
allow ssh_keygen_t nfs_t:file { create open };
```
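As an added example, not code from this bug report or from the selinux-policy package: a local module that takes the exact dir/file permissions audit2allow derived above but ties them to the existing use_nfs_home_dirs boolean, so the access is revoked when an admin turns that boolean off instead of being a blanket allow on nfs_t. The module name is assumed (ours), and the install step assumes checkmodule, semodule_package and semodule are available and run as root.

```shell
# Added example; module name below is our own choice, not from the report.
# Emits, builds and loads a boolean-gated local policy module for the
# ssh_keygen_t -> nfs_t denials shown in the AVC records above.
set -eu

MODNAME=local_sshkeygen_nfs

# Emit the type-enforcement source. The allow rules sit inside an if-block
# on use_nfs_home_dirs, so setting the boolean off withdraws them.
write_te_module() {
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type ssh_keygen_t;
    type nfs_t;
    bool use_nfs_home_dirs;
    class dir { write add_name };
    class file { create open };
}

# Only the accesses seen in the AVC records; any further denial (e.g. file
# write) would appear as a new AVC and has to be added here explicitly.
if (use_nfs_home_dirs) {
    allow ssh_keygen_t nfs_t:dir { write add_name };
    allow ssh_keygen_t nfs_t:file { create open };
}
EOF
}

# Compile, package and load the module (needs root), then print the boolean
# that now gates it so the admin can confirm it is on.
install_module() {
    write_te_module > "${MODNAME}.te"
    checkmodule -M -m -o "${MODNAME}.mod" "${MODNAME}.te"
    semodule_package -o "${MODNAME}.pp" -m "${MODNAME}.mod"
    semodule -i "${MODNAME}.pp"
    getsebool use_nfs_home_dirs
}

# Only touch the running policy when asked: sh sshkeygen_nfs.sh install
if [ "${1:-}" = install ]; then
    install_module
fi
```

After loading, re-running ssh-keygen under the same NFS home should no longer produce the write/add_name/create/open AVCs while the boolean is on, and toggling it with setsebool should bring them back.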