Bug 1015211 - RHEL7 ssh avc denials preventing proper hostkey setup
Summary: RHEL7 ssh avc denials preventing proper hostkey setup
Keywords:
Status: CLOSED DUPLICATE of bug 1014482
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-03 16:32 UTC by Scott Poore
Modified: 2015-02-18 13:42 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-03 16:54:53 UTC
Target Upstream Version:
Embargoed:



Description Scott Poore 2013-10-03 16:32:22 UTC
Description of problem:

On RHEL7 test builds, I'm seeing the following trying to start sshd:

[root@qe-blade-05 ssh]# setenforce 1

[root@qe-blade-05 ssh]# rm ssh_host_rsa_key* -f 

[root@qe-blade-05 ssh]# date; service sshd start
Thu Oct  3 12:22:40 EDT 2013
Redirecting to /bin/systemctl start  sshd.service

[root@qe-blade-05 ssh]# tail /var/log/messages
...
Oct  3 12:22:40 qe-blade-05 systemd: Starting OpenSSH server daemon...
Oct  3 12:22:40 qe-blade-05 sshd-keygen: Generating SSH2 RSA host key: chgrp: changing group of ‘/etc/ssh/ssh_host_rsa_key’: Operation not permitted
Oct  3 12:22:40 qe-blade-05 sshd-keygen: [  OK  ]
Oct  3 12:22:40 qe-blade-05 systemd: Started OpenSSH server daemon.
Oct  3 12:22:40 qe-blade-05 sshd: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct  3 12:22:40 qe-blade-05 sshd: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Oct  3 12:22:40 qe-blade-05 sshd: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct  3 12:22:40 qe-blade-05 sshd: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Oct  3 12:22:40 qe-blade-05 sshd: It is required that your private key files are NOT accessible by others.
Oct  3 12:22:40 qe-blade-05 sshd: This private key will be ignored.
Oct  3 12:22:40 qe-blade-05 sshd: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Oct  3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_rsa_key
Oct  3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_dsa_key
Oct  3 12:22:40 qe-blade-05 sshd: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

[root@qe-blade-05 ssh]# ausearch -m avc  -ts 12:22:40 
----
time->Thu Oct  3 12:22:40 2013
type=SYSCALL msg=audit(1380817360.234:208): arch=c000003e syscall=260 success=no exit=-1 a0=ffffffffffffff9c a1=86f3f0 a2=ffffffff a3=3e6 items=0 ppid=27629 pid=27632 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chgrp" exe="/usr/bin/chgrp" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817360.234:208): avc:  denied  { chown } for  pid=27632 comm="chgrp" capability=0  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct  3 12:22:40 2013
type=SYSCALL msg=audit(1380817360.236:209): arch=c000003e syscall=269 success=no exit=-13 a0=ffffffffffffff9c a1=1271d10 a2=1 a3=7fffee202910 items=0 ppid=1 pid=27629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd-keygen" exe="/usr/bin/bash" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817360.236:209): avc:  denied  { execute } for  pid=27629 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

And it appears as if the file is left with group read:

[root@qe-blade-05 ssh]# ls -ld /etc/ssh/ssh_host_rsa_key*
-rw-r-----. 1 root root 1679 Oct  3 12:22 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root  382 Oct  3 12:22 /etc/ssh/ssh_host_rsa_key.pub

Version-Release number of selected component (if applicable):

[root@qe-blade-05 ssh]# rpm -q openssh selinux-policy
openssh-6.2p2-8.el7.x86_64
selinux-policy-3.12.1-85.el7.noarch

Note that selinux-policy was upgraded from the previous -84 release.

How reproducible:
Currently unknown.  Issue seen on two separate test boxes in lab.


Steps to Reproduce:
1. Install RHEL7 from repo with affected versions
2. service sshd stop
3. rm -f /etc/ssh/ssh_host_rsa_key*
4. date; service sshd start
5. ls -l /etc/ssh_host_rsa_key*
6. ausearch -m avc -ts <time from step 4>

Actual results:
above errors and unable to ssh into host

Expected results:
proper permissions and ownership set for sshd to function properly.

Additional info:

Comment 1 Scott Poore 2013-10-03 16:34:07 UTC
fyi, all AVC denials I see when I set permissive mode:

[root@qe-blade-05 ssh]# service sshd stop
Redirecting to /bin/systemctl stop  sshd.service

[root@qe-blade-05 ssh]# setenforce 0

[root@qe-blade-05 ssh]# rm ssh_host_rsa_key* -f 

[root@qe-blade-05 ssh]# date; service sshd start
Thu Oct  3 12:30:37 EDT 2013
Redirecting to /bin/systemctl start  sshd.service

[root@qe-blade-05 ssh]# ausearch -m avc -ts 12:30:37
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.919:218): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=13e73f0 a2=ffffffff a3=3e6 items=0 ppid=27710 pid=27713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chgrp" exe="/usr/bin/chgrp" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.919:218): avc:  denied  { chown } for  pid=27713 comm="chgrp" capability=0  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.920:219): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=8fc0f0 a2=1a0 a3=7fffcb249860 items=0 ppid=27710 pid=27714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.920:219): avc:  denied  { fsetid } for  pid=27714 comm="chmod" capability=4  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.921:220): arch=c000003e syscall=269 success=yes exit=0 a0=ffffffffffffff9c a1=fc2d10 a2=1 a3=7fff0f7ece90 items=0 ppid=1 pid=27710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd-keygen" exe="/usr/bin/bash" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.921:220): avc:  denied  { execute } for  pid=27710 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.921:221): arch=c000003e syscall=59 success=yes exit=0 a0=fc2d10 a1=fc3790 a2=fc3250 a3=7fff0f7ecff0 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.921:221): avc:  denied  { execute_no_trans } for  pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1380817837.921:221): avc:  denied  { read open } for  pid=27716 comm="sshd-keygen" path="/usr/sbin/setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:222): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775299 a1=7ffffcc58ed0 a2=7f3a3a775299 a3=36393631363d7365 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:222): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:223): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775296 a1=7ffffcc58ed0 a2=7f3a3a775296 a3=6975736f6e2c6c65 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:223): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="tmpfs" ino=1174 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.922:224): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a775297 a1=7ffffcc58ed0 a2=7f3a3a775297 a3=65646f6d2c353d64 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.922:224): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="devpts" ino=1 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.923:225): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a7753b4 a1=7ffffcc58ed0 a2=7f3a3a7753b4 a3=7f3a37eaf000 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.923:225): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="dm-1" ino=128 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Oct  3 12:30:37 2013
type=SYSCALL msg=audit(1380817837.923:226): arch=c000003e syscall=137 success=yes exit=0 a0=7f3a3a77539a a1=7ffffcc58ed0 a2=7f3a3a77539a a3=732c777220736662 items=0 ppid=27710 pid=27716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1380817837.923:226): avc:  denied  { getattr } for  pid=27716 comm="restorecon" name="/" dev="hugetlbfs" ino=15218 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=filesystem
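
The denials above are the whole story of the failure: sshd-keygen's domain (ssh_keygen_t) is refused CAP_CHOWN for chgrp and CAP_FSETID for chmod, so the new key stays at 0640 and sshd refuses to load it. The following added triage script (not part of the report or of selinux-policy) parses ausearch output into one-line summaries, translating capability numbers to names, and applies sshd's "not accessible by others" rule to a file mode. The sample records are copied from the report above; the trimmed SYSCALL record is constructed to show non-AVC lines are skipped.

```python
import re

# Linux capability numbers relevant to this report (0 and 4 appear in the
# AVC records): chown needs CAP_CHOWN, chmod on a setgid/sticky path CAP_FSETID.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER", 4: "CAP_FSETID"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one type=AVC record into {'perms': [...], field: value, ...}.
    Quoted values lose their quotes; non-AVC lines yield {}."""
    m = AVC_RE.search(line)
    if "type=AVC" not in line or not m:
        return {}
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def describe(rec):
    """Summarise what the source domain was refused, naming capabilities."""
    sdom = rec["scontext"].split(":")[2]          # e.g. ssh_keygen_t
    if rec["tclass"] == "capability":
        cap = int(rec["capability"])
        target = CAP_NAMES.get(cap, "capability %d" % cap)
    else:                                         # file, filesystem, ...
        target = "%s %s" % (rec["tclass"], rec["tcontext"].split(":")[2])
    return "%s (%s) denied %s on %s" % (sdom, rec["comm"], " ".join(rec["perms"]), target)

def triage(audit_text):
    """One summary line per AVC denial in a chunk of ausearch output."""
    return [describe(r) for r in map(parse_avc, audit_text.splitlines()) if r]

def private_key_mode_ok(mode):
    """sshd's check from the log: any group/other bit set means the key is ignored."""
    return (mode & 0o077) == 0

SAMPLE = """\
type=AVC msg=audit(1380817837.919:218): avc:  denied  { chown } for  pid=27713 comm="chgrp" capability=0  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
type=AVC msg=audit(1380817837.920:219): avc:  denied  { fsetid } for  pid=27714 comm="chmod" capability=4  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability
type=AVC msg=audit(1380817837.921:220): avc:  denied  { execute } for  pid=27710 comm="sshd-keygen" name="setfiles" dev="dm-1" ino=202250182 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1380817837.921:220): arch=c000003e syscall=269 success=yes exit=0 comm="sshd-keygen"
"""

if __name__ == "__main__":
    for summary in triage(SAMPLE):
        print(summary)
    print("0640 acceptable to sshd:", private_key_mode_ok(0o640))
```

Pipe real output in with `ausearch -m avc -ts <time> | python3 triage.py` after replacing SAMPLE with `sys.stdin.read()`; in permissive mode the same records appear with `success=yes`, which is why the Comment 1 list is longer than the enforcing one.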

Comment 3 Miroslav Grepl 2013-10-03 16:54:53 UTC

*** This bug has been marked as a duplicate of bug 1014482 ***

