Bug 120860 - policy: ssh-agent should be able to write to $HOME
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
rawhide
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
triage|leonardjo|closed|rawhide
Reported: 2004-04-14 13:04 EDT by Tim Waugh
Modified: 2007-11-30 17:10 EST
Fixed In Version: 1.11.2-6
Doc Type: Bug Fix
Last Closed: 2004-05-10 14:09:42 EDT
Description Tim Waugh 2004-04-14 13:04:24 EDT
Description of problem:
Often I start ssh-agent from one session and expect to be able to use
it from a different session.  I do this by:

ssh-agent > .ssh-agent
. .ssh-agent
ssh-add

(next session):
. .ssh-agent

But now policy prevents me from doing this.  Well, I can 'ssh-agent
|cat >.ssh-agent' but it's a bit of a hack.

Also my .xsession-errors file has not been updated since I turned on
SELinux, and I expect it is the same problem.  Starting a VNC session
certainly prevents the equivalent file (~/.vnc/$machine:$display.log)
getting written.

Version-Release number of selected component (if applicable):
policy-1.11.1-2

How reproducible:
100%

Steps to Reproduce:
$ id -Z
user_u:user_r:user_t
$ ssh-agent > ~/.ssh-agent

Actual results:

This comes from 'ssh-agent > .ssh-agent':
audit(1081962293.040:0): avc:  denied  { write } for  pid=4124
exe=/usr/bin/ssh-agent path=/home/tim/.ssh-agent dev=hda6 ino=245634
scontext=user_u:user_r:user_ssh_agent_t
tcontext=user_u:object_r:user_home_t tclass=file

This comes from starting a VNC session:
audit(1081961465.310:0): avc:  denied  { append } for  pid=3370
exe=/usr/bin/ssh-agent path=/home/tim/.vnc/cyberelk.elk:1.log dev=hda6
ino=244821 scontext=user_u:user_r:user_ssh_agent_t
tcontext=user_u:object_r:user_home_t tclass=file

audit2allow says:
allow user_ssh_agent_t user_home_t:file { append write };
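
Added example, not part of the original report or of the policy tools: a minimal Python sketch of the grouping that turns the two denials above into the single rule audit2allow printed. The names AVC_LOG, parse_avc, selinux_type, summarize and allow_rules are made up for this example, and it only handles the kernel "audit(...): avc: denied" line format quoted in this report.

```python
import re
from collections import defaultdict

# The two denials quoted in the report, with the wrapped lines rejoined.
AVC_LOG = """\
audit(1081962293.040:0): avc:  denied  { write } for  pid=4124 exe=/usr/bin/ssh-agent path=/home/tim/.ssh-agent dev=hda6 ino=245634 scontext=user_u:user_r:user_ssh_agent_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1081961465.310:0): avc:  denied  { append } for  pid=3370 exe=/usr/bin/ssh-agent path=/home/tim/.vnc/cyberelk.elk:1.log dev=hda6 ino=244821 scontext=user_u:user_r:user_ssh_agent_t tcontext=user_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Parse one AVC denial into a dict of its fields, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Fields are key=value tokens; split on the first '=' only.
    rec = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    return rec

def selinux_type(context):
    """Return the type, the third field of a user:role:type context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize(log_text):
    """Group denials by (source type, target type, class), keeping perms and paths."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        if None in key:
            continue
        groups[key]["perms"].update(rec["perms"])
        groups[key]["paths"].add(rec.get("path", "?"))
    return dict(groups)

def allow_rules(log_text):
    """Render each group as one allow rule with its permissions sorted."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(summarize(log_text).items())]
```

The paths collected by summarize() are only the files that happened to trigger a denial; the generated rule applies to every file labelled user_home_t, which is worth checking before adopting audit2allow output as policy.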
Comment 1 Daniel Walsh 2004-04-15 11:36:17 EDT
fixed in rawhide.  policy-1.11.2-6
