Bug 1258154 - [PKI] selinux rejects ssh-keygen from accessing /tmp
Status: CLOSED UPSTREAM
Product: oVirt
Classification: Community
Component: ovirt-engine-core
Version: 3.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.6.0
Assigned To: Alon Bar-Lev
QA Contact: Pavel Stehlik
Whiteboard: infra
Depends On: 1258365
Blocks:
Reported: 2015-08-29 13:44 EDT by Alon Bar-Lev
Modified: 2016-02-10 14:35 EST (History)
CC: 9 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-31 04:27:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Alon Bar-Lev 2015-08-29 13:44:13 EDT
SELinux does not allow ssh_keygen_t access to init_tmp_t:

---
/var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:  denied  { open } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file

ovirt    11827 11821  0 Aug21 ?        00:00:00 ssh-keygen -s /tmp/tmp.KlPjsec4X3 -I rhsdev9.lab.eng.blr.redhat.com -h -V -1h:+1825d -n rhsdev9.lab.eng.blr.redhat.com /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh.pub
---

Not sure if there is any reason to limit processing of files in /tmp owned by the same user with proper permissions.
Comment 1 Alon Bar-Lev 2015-08-29 16:39:27 EDT
Cannot actually reproduce this, need access to environment to compare.
Comment 2 Alon Bar-Lev 2015-08-29 17:16:08 EDT
(In reply to Alon Bar-Lev from comment #1)
> Cannot actually reproduce this, need access to environment to compare.

Oh, it is probably not even RHEL, as there is a -n and not a -Z argument; need to know the exact distro.
Comment 3 Alon Bar-Lev 2015-08-31 04:27:45 EDT
This is a CentOS 7.0-specific SELinux policy issue.

ovirt-engine service runs as:
---
uid=108(ovirt) gid=108(ovirt) groups=108(ovirt) context=system_u:system_r:init_t:s0
---

after updating from:
---
selinux-policy-targeted-3.12.1-153.el7.noarch
selinux-policy-3.12.1-153.el7.noarch
---
to:
---
selinux-policy-3.13.1-23.el7_1.13.noarch
selinux-policy-targeted-3.13.1-23.el7_1.13.noarch
---

ovirt-engine service runs as:
---
uid=108(ovirt) gid=108(ovirt) groups=108(ovirt) context=system_u:system_r:unconfined_service_t:s0
---

The issue is now resolved. I do not wish to add an explicit dependency on selinux-policy to the engine for a CentOS-specific issue; for now we will assume people are using an up-to-date system, or refer them to this bug to update the SELinux policy.
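As an added example (not code from this bug report, from oVirt, or from the SELinux tooling), the following Python script triages audit records of the kind quoted in the description and discussed in comment 3. It parses AVC lines, groups denials by source type, target type, object class and permission (the same grouping audit2allow reports), and flags the pattern seen here: a *_tmp_t target whose label belongs to a different domain than the subject, which is what you get when a confined helper such as ssh-keygen is handed a temp file created by its caller. The audit records below are constructed for the demonstration (the first is the denial from the description, re-joined onto one line; the others are made up), and the function names and the "own tmp type" heuristic are assumptions of the example, not SELinux policy facts.

```python
"""Triage SELinux AVC denials such as the ssh_keygen_t -> init_tmp_t one in this bug.

Added example; the sample log is constructed, not a capture from the reporter's host.
"""
import re
import sys
from collections import Counter

# Constructed sample of /var/log/audit/audit.log. Record 1 is the denial quoted
# in the bug; the SYSCALL record shows non-AVC lines being skipped; the last two
# AVC records are invented to show grouping of multiple permissions and PIDs.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1440108177.899:9542): avc:  denied  { open } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1440108177.899:9542): arch=c000003e syscall=2 success=no exit=-13 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)
type=AVC msg=audit(1440108177.903:9543): avc:  denied  { read write } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1440108180.120:9550): avc:  denied  { open } for  pid=11900 comm="ssh-keygen" path="/tmp/tmp.Qz8vL2pX1a" dev="dm-0" ino=102401999 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
"""

# Shape of an AVC record: the result, the brace-enclosed permission list, then key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path, dev) or bare (pid, scontext, tclass).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def tmp_label_mismatch(rec):
    """Heuristic (assumption of this example): flag a denial whose target is a *_tmp_t
    file labelled for a domain other than the subject's own. A domain's temp files are
    conventionally labelled <domain without _t>_tmp_t, so ssh_keygen_t operating on
    init_tmp_t means the file was created by the init_t caller, as in this bug."""
    stype = context_type(rec["scontext"])
    ttype = context_type(rec["tcontext"])
    if not ttype.endswith("_tmp_t") or not stype.endswith("_t"):
        return False
    own_tmp = stype[: -len("_t")] + "_tmp_t"
    return ttype != own_tmp


def summarize(log_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key_base = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        for perm in rec["perms"]:
            counts[key_base + (perm,)] += 1
    return counts


def main(argv):
    # Usage: avc_triage.py [/var/log/audit/audit.log]; without an argument the sample is used.
    log_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_AUDIT_LOG
    for (stype, ttype, tclass, perm), n in sorted(summarize(log_text).items()):
        print(f"{n:4d}  {stype} -> {ttype} ({tclass}) {{ {perm} }}")
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and tmp_label_mismatch(rec):
            print(f"serial {rec['serial']}: {rec.get('comm')} pid {rec.get('pid')} touched a temp file "
                  f"labelled {context_type(rec['tcontext'])}; check the caller's domain with ps -eZ")


if __name__ == "__main__":
    main(sys.argv)
```

The flagged line is the one to act on before reaching for audit2allow: as comment 3 shows, the real question is the context the engine runs in (init_t versus unconfined_service_t after the selinux-policy update), which ps -eZ or id -Z on the service account will answer, rather than whether to allow ssh_keygen_t into init_tmp_t.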
