Bug 1258154 - [PKI] selinux rejects ssh-keygen from accessing /tmp
Summary: [PKI] selinux rejects ssh-keygen from accessing /tmp
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: 3.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.6.0
Assignee: Alon Bar-Lev
QA Contact: Pavel Stehlik
URL:
Whiteboard: infra
Depends On: 1258365
Blocks:
Reported: 2015-08-29 17:44 UTC by Alon Bar-Lev
Modified: 2016-02-10 19:35 UTC
CC List: 9 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-08-31 08:27:45 UTC
oVirt Team: Infra
Embargoed:



Description Alon Bar-Lev 2015-08-29 17:44:13 UTC
selinux does not allow access of ssh_keygen_t to init_tmp_t:

---
/var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:  denied  { open } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file

ovirt    11827 11821  0 Aug21 ?        00:00:00 ssh-keygen -s /tmp/tmp.KlPjsec4X3 -I rhsdev9.lab.eng.blr.redhat.com -h -V -1h:+1825d -n rhsdev9.lab.eng.blr.redhat.com /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh.pub
---

Not sure if there is any reason to limit processing files in /tmp owned by same user with proper permissions.

Comment 1 Alon Bar-Lev 2015-08-29 20:39:27 UTC
Cannot actually reproduce this, need access to environment to compare.

Comment 2 Alon Bar-Lev 2015-08-29 21:16:08 UTC
(In reply to Alon Bar-Lev from comment #1)
> Cannot actually reproduce this, need access to environment to compare.

Oh, it is probably not even RHEL, as there is a -n and not a -Z argument; need to know the exact distro.

Comment 3 Alon Bar-Lev 2015-08-31 08:27:45 UTC
This is a CentOS 7.0-specific selinux policy issue.

ovirt-engine service runs as:
---
uid=108(ovirt) gid=108(ovirt) groups=108(ovirt) context=system_u:system_r:init_t:s0
---

after updating from:
---
selinux-policy-targeted-3.12.1-153.el7.noarch
selinux-policy-3.12.1-153.el7.noarch
---
to:
---
selinux-policy-3.13.1-23.el7_1.13.noarch
selinux-policy-targeted-3.13.1-23.el7_1.13.noarch
---

ovirt-engine service runs as:
---
uid=108(ovirt) gid=108(ovirt) groups=108(ovirt) context=system_u:system_r:unconfined_service_t:s0
---

Issue is now resolved. I do not wish to add an explicit dependency on selinux-policy to the engine for a CentOS-specific issue; for now we will assume people are using an up-to-date system, or refer them to this bug to update the selinux policy.
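An added Python example for triaging denials of the kind quoted in the description and the service-domain change shown in comment 3. It is not part of the bug report or of oVirt's code. It parses AVC records from audit.log text, splits the source and target security contexts into their fields, renders each denial in the `allow src tgt:class { perms };` form that audit2allow prints (so the missing domain/type pair is visible at a glance), and extracts the SELinux domain from `id` output. The sample records are constructed for this example: the first AVC line is the one from the description joined onto a single line as audit.log writes it, and the SYSCALL and "granted" records are added for contrast.

```python
import re
from typing import Dict, List, Optional

# Sample audit records, constructed for this example. The first is the AVC
# record quoted in the bug description (joined onto one line, as audit.log
# writes it); the SYSCALL and "granted" records are constructed for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1440108177.899:9542): avc:  denied  { open } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1440108177.899:9542): arch=c000003e syscall=2 success=no exit=-13 comm="ssh-keygen" exe="/usr/bin/ssh-keygen"
type=AVC msg=audit(1440108200.000:9543): avc:  granted  { read } for  pid=11900 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
"""

# "id" output for the ovirt-engine service before and after the policy update,
# as quoted in comment 3 of the bug.
ID_BEFORE = "uid=108(ovirt) gid=108(ovirt) groups=108(ovirt) context=system_u:system_r:init_t:s0"
ID_AFTER = "uid=108(ovirt) gid=108(ovirt) groups=108(ovirt) context=system_u:system_r:unconfined_service_t:s0"

# Header of an AVC record: timestamp:serial, verdict, permission set, then key=value pairs.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path, dev) or bare (pid, scontext, ...).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx: str) -> Dict[str, str]:
    """Split a user:role:type[:level] security context into its fields."""
    return dict(zip(("user", "role", "type", "level"), ctx.split(":", 3)))


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    rec["source"] = parse_context(rec["scontext"])
    rec["target"] = parse_context(rec["tcontext"])
    return rec


def denials(audit_text: str) -> List[Dict]:
    """Return only the denied AVC records from audit.log text."""
    return [r for r in map(parse_avc, audit_text.splitlines()) if r and r["verdict"] == "denied"]


def as_allow_rule(rec: Dict) -> str:
    """Render a denial as the 'allow src tgt:class { perms };' line audit2allow prints."""
    return (f"allow {rec['source']['type']} {rec['target']['type']}:"
            f"{rec['tclass']} {{ {' '.join(rec['perms'])} }};")


def tmp_denials(audit_text: str) -> List[Dict]:
    """Denials whose target is a *_tmp_t type, the class of problem in this bug."""
    return [r for r in denials(audit_text) if r["target"]["type"].endswith("_tmp_t")]


def service_domain(id_output: str) -> Optional[str]:
    """Extract the SELinux type (domain) from 'id' output, e.g. init_t."""
    m = re.search(r"context=(\S+)", id_output)
    return parse_context(m.group(1))["type"] if m else None


if __name__ == "__main__":
    for rec in denials(SAMPLE_AUDIT_LOG):
        print(f"{rec['comm']} (pid {rec['pid']}) on {rec.get('path', '?')}: {as_allow_rule(rec)}")
    print("service domain before update:", service_domain(ID_BEFORE))
    print("service domain after update: ", service_domain(ID_AFTER))
```

The `allow` rendering is for reading the denial, not a suggestion to load it as a local module: as comment 3 shows, the right fix here was the updated distribution policy, under which the service runs as unconfined_service_t and ssh-keygen no longer transitions into the confined ssh_keygen_t domain for this call. Comparing `service_domain()` before and after a policy update is a quick way to confirm that on an affected host.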

