Description of problem:
When changing the default entry usepasswd=False in /etc/selinux/semanage.conf to usepasswd=true, and genhomedircon was run (manually or automatically), and restorecon -r /var was run, then /var/empty and /var/empty/sshd have the wrong selinux labels, and ssh login fails with "Connection closed by ...".

We run dnf-automatic; this night there were some updates that seem to have run some of the commands above (I changed /etc/selinux/semanage.conf before), which prevents us from logging in via ssh.

The journal contains messages like:
sshd[...]: fatal: chroot("/var/empty/sshd"): Permission denied [preauth]

Right selinux labels:
drwxr-xr-x. 3 root root system_u:object_r:var_t:s0 4096 3. Jul 23:43 /var/empty
drwx--x--x. 2 root root unconfined_u:object_r:var_t:s0 4096 1. Jul 09:30 /var/empty/sshd

After changing the parameter to usepasswd=true and running genhomedircon and then restorecon, we got the following changes:
# restorecon -rv /var/empty
restorecon reset /var/empty context system_u:object_r:var_t:s0->system_u:object_r:home_root_t:s0
restorecon reset /var/empty/sshd context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:user_home_dir_t:s0

Wrong selinux labels:
drwxr-xr-x. 3 root root system_u:object_r:home_root_t:s0 4096 3. Jul 23:43 /var/empty
drwx--x--x. 2 root root unconfined_u:object_r:user_home_dir_t:s0 4096 1. Jul 09:30 /var/empty/sshd

After running genhomedircon, the file /etc/selinux/targeted/contexts/files/file_contexts.homedirs contains lines for "/var/empty/...". After undoing the changes in /etc/selinux/semanage.conf and running the commands above again, the entries for "/var/empty/..." are gone (as it was before the change).

I think there should be at least a warning in /etc/selinux/semanage.conf and the man page that setting usepasswd to true may break ssh login (and possibly other services). Even better would be to prevent the wrong labels on /var/empty/...
This may be done by adding /var/empty (or /var/empty/sshd, I am not sure which one is right) to the parameter ignoredirs (it currently contains "/root").

Version-Release number of selected component (if applicable):
libsemanage-2.5-2.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora 24
2. Try ssh login.
3. sed -i -e 's/^usepasswd=False/usepasswd=true/' /etc/selinux/semanage.conf
4. genhomedircon
5. restorecon -rv /var
6. Try ssh login.

Actual results:
Step 2: ssh login successful.
Step 6: ssh login fails with "Connection closed by ..."

Expected results:
Step 2: ssh login successful.
Step 6: ssh login successful.
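A check for the condition described in the report above, as an added example that is not part of the original report or of libsemanage: it parses file_contexts.homedirs-style lines and lists which service directories would be labelled as home directories by the next restorecon. The function names and the SAMPLE lines are constructed for illustration, and Python's re module is assumed to be close enough to the policy's regex dialect for these simple patterns.

```python
import re

# Types seen in the restorecon output quoted in the report.
HOME_TYPES = {"home_root_t", "user_home_dir_t"}

# Constructed sample modelled on the report; not copied from a real system.
SAMPLE = """\
/home              -d  system_u:object_r:home_root_t:s0
/home/[^/]+        -d  unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+         unconfined_u:object_r:user_home_t:s0
/var/empty         -d  system_u:object_r:home_root_t:s0
/var/empty/[^/]+   -d  unconfined_u:object_r:user_home_dir_t:s0
"""

def parse_specs(text):
    """Yield (regex, file_type_flag, context) for each spec line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:            # regex context
            yield fields[0], None, fields[1]
        elif len(fields) == 3:          # regex -d context
            yield fields[0], fields[1], fields[2]

def homedir_hits(text, dirs):
    """Return (dir, regex, type) for each directory a home-dir spec covers."""
    hits = []
    for regex, flag, context in parse_specs(text):
        parts = context.split(":")
        if len(parts) < 3 or parts[2] not in HOME_TYPES:
            continue                    # <<none>> or a non-home type
        if flag not in (None, "-d"):
            continue                    # spec does not apply to directories
        try:
            pattern = re.compile(regex)
        except re.error:
            continue                    # pattern Python cannot parse
        for d in dirs:
            if pattern.fullmatch(d):    # file_contexts regexes are anchored
                hits.append((d, regex, parts[2]))
    return hits

if __name__ == "__main__":
    for hit in homedir_hits(SAMPLE, ["/var/empty", "/var/empty/sshd"]):
        print("home-dir spec covers %s: %s -> %s" % hit)
```

On a live system the input would be the contents of /etc/selinux/targeted/contexts/files/file_contexts.homedirs, checked after genhomedircon runs and before restorecon is applied.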
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.