Bug 1304018 - selinux - why would ssh with keys to postgres@localhost be prevented?
Summary: selinux - why would ssh with keys to postgres@localhost be prevented?
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-02 17:03 UTC by lejeczek
Modified: 2016-02-12 09:44 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-12 09:44:19 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description lejeczek 2016-02-02 17:03:50 UTC 
Description of problem:

and there is no boolean for this.
the opposite way it works, postgres can ssh to a $_user@localhost
ssh with keys to a postgres@_$remotebox works fine though.

asking tone of this report for I'm not sure if this is a bug.

type=AVC msg=audit(1454432013.141:11451210): avc:  denied  { read } for  pid=6865 comm="sshd" name="authorized_keys" dev="dm-0" ino=553208674 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Milos Malik 2016-02-02 17:13:17 UTC 
If the authorized_keys file is located in ~/.ssh directory then it should be labeled ssh_home_t.
Comment 3 lejeczek 2016-02-03 14:00:17 UTC 
ok, restorecond was missing there,
yes, problem was fcontext on that folder,
many thanks
Note You need to log in before you can comment on or make changes to this bug.