Description of problem: SELinux is preventing systemd from 'getattr' accesses on the file /etc/ssh/ssh_host_rsa_key. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed getattr access on the ssh_host_rsa_key file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:sshd_key_t:s0 Target Objects /etc/ssh/ssh_host_rsa_key [ file ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-166.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.4.0-1.fc24.x86_64 #1 SMP Mon Jan 11 16:48:24 UTC 2016 x86_64 x86_64 Alert Count 9 First Seen 2016-01-16 00:16:32 CET Last Seen 2016-01-16 01:02:02 CET Local ID 309aa1c1-7df2-484c-bc12-f0d5b2f09067 Raw Audit Messages type=AVC msg=audit(1452902522.632:89): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/ssh/ssh_host_rsa_key" dev="dm-1" ino=1837544 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0 Hash: systemd,init_t,sshd_key_t,file,getattr Version-Release number of selected component: selinux-policy-3.13.1-166.fc24.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.4.0-1.fc24.x86_64 type: libreport
I had a discussion with ssh maintainer Jakub Jelen, and we ended up with that getattr si enough. Here is patch which caused the issue. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba I'm going to allow this.
commit 1b1d96b26018468f9f930ddd5a7707eab05ebcfc Author: Lukas Vrabec <lvrabec> Date: Wed Feb 10 10:27:41 2016 +0100 Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 commit 9ce8c9e84a78ca7dc5a02019a3d58113c10aad62 Author: Lukas Vrabec <lvrabec> Date: Wed Feb 10 10:17:40 2016 +0100 Add interface ssh_getattr_server_keys() interface. rhbz#1299106
Description of problem: Upgraded, rebooted, autorelabeled my Rawhide box. Version-Release number of selected component: selinux-policy-3.13.1-169.fc24.noarch Additional info: reporter: libreport-2.6.4.2.g18a1 hashmarkername: setroubleshoot kernel: 4.5.0-0.rc3.git1.2.fc24.x86_64 type: libreport
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.