Bug 1304018 - selinux - why would ssh with keys to postgres@localhost be prevented?
selinux - why would ssh with keys to postgres@localhost be prevented?
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.1
x86_64 Linux
unspecified Severity high
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-02 12:03 EST by lejeczek
Modified: 2016-02-12 04:44 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-12 04:44:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description lejeczek 2016-02-02 12:03:50 EST
Description of problem:

and there is no boolean for this.
the opposite way it works, postgres can ssh to a $_user@localhost
ssh with keys to a postgres@_$remotebox works fine though.

asking tone of this report for I'm not sure if this is a bug.

type=AVC msg=audit(1454432013.141:11451210): avc:  denied  { read } for  pid=6865 comm="sshd" name="authorized_keys" dev="dm-0" ino=553208674 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Milos Malik 2016-02-02 12:13:17 EST
If the authorized_keys file is located in ~/.ssh directory then it should be labeled ssh_home_t.
Comment 3 lejeczek 2016-02-03 09:00:17 EST
ok, restorecond was missing there,
yes, problem was fcontext on that folder,
many thanks

Note You need to log in before you can comment on or make changes to this bug.