Hide Forgot
+++ This bug was initially created as a clone of Bug #1299106 +++ Description of problem: SELinux is preventing systemd from 'getattr' accesses on the file /etc/ssh/ssh_host_rsa_key. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed getattr access on the ssh_host_rsa_key file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:sshd_key_t:s0 Target Objects /etc/ssh/ssh_host_rsa_key [ file ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-166.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.4.0-1.fc24.x86_64 #1 SMP Mon Jan 11 16:48:24 UTC 2016 x86_64 x86_64 Alert Count 9 First Seen 2016-01-16 00:16:32 CET Last Seen 2016-01-16 01:02:02 CET Local ID 309aa1c1-7df2-484c-bc12-f0d5b2f09067 Raw Audit Messages type=AVC msg=audit(1452902522.632:89): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/ssh/ssh_host_rsa_key" dev="dm-1" ino=1837544 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0 Hash: systemd,init_t,sshd_key_t,file,getattr Version-Release number of selected component: selinux-policy-3.13.1-166.fc24.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.4.0-1.fc24.x86_64 type: libreport --- Additional comment from Lukas Vrabec on 2016-02-09 12:00:15 EST --- I had a discussion with ssh maintainer Jakub Jelen, and we ended up with that getattr si enough. Here is patch which caused the issue. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba I'm going to allow this. --- Additional comment from Lukas Vrabec on 2016-02-10 04:57:01 EST --- commit 1b1d96b26018468f9f930ddd5a7707eab05ebcfc Author: Lukas Vrabec <lvrabec> Date: Wed Feb 10 10:27:41 2016 +0100 Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 commit 9ce8c9e84a78ca7dc5a02019a3d58113c10aad62 Author: Lukas Vrabec <lvrabec> Date: Wed Feb 10 10:17:40 2016 +0100 Add interface ssh_getattr_server_keys() interface. rhbz#1299106
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html