Bug 773641

Summary: SELinux prevents ssh-keygen write access to NFS home dirs
Product: Red Hat Enterprise Linux 6 Reporter: Trond H. Amundsen <t.h.amundsen>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: dwalsh, ksrot, mmalik, stephenf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-135.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 12:30:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Trond H. Amundsen 2012-01-12 13:39:21 UTC 
Description of problem:
SELinux does not permit ssh-keygen to create files in ~/.ssh on NFS-mounted home directories:

[trondham@tux ~]$ df ~
Filesystem           1K-blocks      Used Available Use% Mounted on
nfsserver:/nfshome   178257920 147720384  30537536  83% /nfshome
[trondham@tux ~]$ ls -Zd .ssh
drwx------. trondham usit system_u:object_r:nfs_t:s0       .ssh
[trondham@tux ~]$ cd
[trondham@tux ~]$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/nfshome/trondham/.ssh/id_rsa): 
Could not create directory '/nfshome/trondham/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /nfshome/trondham/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /nfshome/trondham/.ssh/id_rsa.

Note that the use_nfs_home_dirs is set to "on".

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch

How reproducible:
Always

Steps to Reproduce:
1. Use an NFS mounted home directory
2. run ssh-keygen
  
Actual results:
ssh-keygen fails to generate key as demonstrated above

Expected results:
ssh-keygen generates key without issues

Additional info:
Running ssh-keygen while in permissive mode, the following appears in audit.log:

# grep ssh-keygen /var/log/audit/audit.log
type=AVC msg=audit(1326375335.616:51497): avc:  denied  { write } for  pid=12412 comm="ssh-keygen" name=".ssh" dev=0:51 ino=25846406 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc:  denied  { add_name } for  pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc:  denied  { create } for  pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1326375335.616:51497): avc:  denied  { open } for  pid=12412 comm="ssh-keygen" name="id_rsa" dev=0:51 ino=14226765 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1326375335.616:51497): arch=c000003e syscall=2 success=yes exit=3 a0=7f2b0e42eb80 a1=241 a2=180 a3=fffffff6 items=0 ppid=10147 pid=12412 auid=45150 uid=45150 gid=55150 euid=45150 suid=45150 fsuid=45150 egid=55150 sgid=55150 fsgid=55150 tty=pts38 ses=265 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null)

Audit2allow translates this to:

# grep ssh-keygen /var/log/audit/audit.log | audit2allow -m foo

module foo 1.0;

require {
        type ssh_keygen_t;
        type nfs_t;
        class dir { write add_name };
        class file { create open };
}

#============= ssh_keygen_t ==============
#!!!! The source type 'ssh_keygen_t' can write to a 'dir' of the following types:
# user_home_dir_t, etc_t, ssh_home_t, admin_home_t

allow ssh_keygen_t nfs_t:dir { write add_name };
allow ssh_keygen_t nfs_t:file { create open };
Comment 2 Miroslav Grepl 2012-01-12 14:19:45 UTC 
We made some fixes for ssh_keygen which allow it. But I think we should add a boolean for this too.
Comment 3 Trond H. Amundsen 2012-01-12 14:28:28 UTC 
Hm.. just curious.. what would be the point in adding an extra boolean? We already have this one:

use_nfs_home_dirs              -> on    Support NFS home directories
Comment 4 Miroslav Grepl 2012-01-12 15:02:10 UTC 
Yes, I want to add this boolean for ssh_keygen_t.
Comment 6 Miroslav Grepl 2012-01-25 16:57:25 UTC 
Fixed in selinux-policy-3.7.19-135.el6
Comment 9 errata-xmlrpc 2012-06-20 12:30:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html