Bug 120860 - policy: ssh-agent should be able to write to $HOME
Summary: policy: ssh-agent should be able to write to $HOME
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard: triage|leonardjo|closed|rawhide
Depends On:
Blocks:
Reported: 2004-04-14 17:04 UTC by Tim Waugh
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: 1.11.2-6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-05-10 18:09:42 UTC
Type: ---
Embargoed:



Description Tim Waugh 2004-04-14 17:04:24 UTC
Description of problem:
Often I start ssh-agent from one session and expect to be able to use
it from a different session.  I do this by:

ssh-agent > .ssh-agent
. .ssh-agent
ssh-add

(next session):
. .ssh-agent

But now policy prevents me from doing this.  Well, I can 'ssh-agent |cat >.ssh-agent'
but it's a bit of a hack.

Also my .xsession-errors file has not been updated since I turned on
SELinux, and I expect it is the same problem.  Starting a VNC session
certainly prevents the equivalent file (~/.vnc/$machine:$display.log)
getting written.

Version-Release number of selected component (if applicable):
policy-1.11.1-2

How reproducible:
100%

Steps to Reproduce:
$ id -Z
user_u:user_r:user_t
$ ssh-agent > ~/.ssh-agent

Actual results:

This comes from 'ssh-agent > .ssh-agent':
audit(1081962293.040:0): avc:  denied  { write } for  pid=4124
exe=/usr/bin/ssh-agent path=/home/tim/.ssh-agent dev=hda6 ino=245634
scontext=user_u:user_r:user_ssh_agent_t
tcontext=user_u:object_r:user_home_t tclass=file

This comes from starting a VNC session:
audit(1081961465.310:0): avc:  denied  { append } for  pid=3370
exe=/usr/bin/ssh-agent path=/home/tim/.vnc/cyberelk.elk:1.log dev=hda6
ino=244821 scontext=user_u:user_r:user_ssh_agent_t
tcontext=user_u:object_r:user_home_t tclass=file

audit2allow says:
allow user_ssh_agent_t user_home_t:file { append write };
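As an added example that is not part of the bug report or of any Fedora tooling: a small Python script that parses AVC denial lines of the form quoted above, groups the denied permissions by (source type, target type, object class) the way audit2allow does, and separately lists the generated rules whose target is a catch-all type such as user_home_t, since such a rule grants the domain access to every file of that type rather than to the one file the program needs. The sample log lines are constructed (the first two follow the denials quoted in the report, joined onto single lines; the third, with target type constructed_other_t, is made up to show grouping), and BROAD_TARGET_TYPES is a heuristic list of mine, not policy knowledge.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the report (joined onto
# single lines, as they appear in the log) plus one made-up denial against a
# different target type, to show that rules are grouped per (source, target, class).
SAMPLE_AUDIT = """\
audit(1081962293.040:0): avc:  denied  { write } for  pid=4124 exe=/usr/bin/ssh-agent path=/home/tim/.ssh-agent dev=hda6 ino=245634 scontext=user_u:user_r:user_ssh_agent_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1081961465.310:0): avc:  denied  { append } for  pid=3370 exe=/usr/bin/ssh-agent path=/home/tim/.vnc/cyberelk.elk:1.log dev=hda6 ino=244821 scontext=user_u:user_r:user_ssh_agent_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1081962300.000:0): avc:  denied  { read } for  pid=4200 exe=/usr/bin/ssh-agent path=/home/tim/.ssh/config dev=hda6 ino=245700 scontext=user_u:user_r:user_ssh_agent_t tcontext=user_u:object_r:constructed_other_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return {'perms': set, 'fields': dict} for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {"perms": perms, "fields": fields}


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec["fields"]
        if not all(k in f for k in ("scontext", "tcontext", "tclass")):
            continue  # truncated record: cannot be turned into a rule
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        summary[key] |= rec["perms"]
    return summary


def allow_rules(summary):
    """Render each group as an audit2allow-style allow rule, sorted for stable output."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


# Heuristic, not policy knowledge: constructed list of catch-all target types.
# A generated rule against one of these covers every object of that type, so it
# deserves a second look before it goes into policy.
BROAD_TARGET_TYPES = {"user_home_t", "user_home_dir_t", "tmp_t"}


def flagged_targets(summary):
    """Return the (source, target, class) keys whose target type is in BROAD_TARGET_TYPES."""
    return sorted(key for key in summary if key[1] in BROAD_TARGET_TYPES)


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT.splitlines())
    for rule in allow_rules(summary):
        print(rule)
    for src, tgt, cls in flagged_targets(summary):
        print(f"review: {src} -> {tgt}:{cls} targets a catch-all type")
```

Run against a real log with `summarize(open("/var/log/audit/audit.log"))`; the script only reads the log and prints suggested rules, so the reviewer still decides whether a dedicated file type is the better fix than the rule audit2allow proposes.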

Comment 1 Daniel Walsh 2004-04-15 15:36:17 UTC
fixed in rawhide.  policy-1.11.2-6
