Bug 1910102 - restorecon fails for (x)guest_u accounts in ssh
Summary: restorecon fails for (x)guest_u accounts in ssh
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1778780
 
Reported: 2020-12-22 16:58 UTC by Stanislav Zidek
Modified: 2022-01-05 13:43 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-19 19:55:42 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+



Description Stanislav Zidek 2020-12-22 16:58:15 UTC
Description of problem:
Restorecon fails when used over ssh

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-58.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. useradd -Z guest_u X
2. echo redhat |passwd --stdin X
3. ssh X@localhost
4. mkdir -p .ssh && touch .ssh/authorized_keys && restorecon -F .ssh/authorized_keys

Actual results:
restorecon: Could not set context for /home/t7/.ssh/authorized_keys:  Permission denied

Expected results:
no error

Comment 1 Stanislav Zidek 2020-12-22 16:59:24 UTC
# ausearch -m AVC -ts recent -i
----
type=PROCTITLE msg=audit(12/22/2020 11:51:04.706:702) : proctitle=restorecon -F .ssh/authorized_keys 
type=SYSCALL msg=audit(12/22/2020 11:51:04.706:702) : arch=x86_64 syscall=lsetxattr success=no exit=EACCES(Permission denied) a0=0x5614fa9d8410 a1=0x7f14d54cee5e a2=0x5614faa3b4d0 a3=0x24 items=0 ppid=5613 pid=5640 auid=t7 uid=t7 gid=t7 euid=t7 suid=t7 fsuid=t7 egid=t7 sgid=t7 fsgid=t7 tty=pts1 ses=19 comm=restorecon exe=/usr/sbin/setfiles subj=guest_u:guest_r:guest_t:s0 key=(null) 
type=AVC msg=audit(12/22/2020 11:51:04.706:702) : avc:  denied  { relabelto } for  pid=5640 comm=restorecon name=authorized_keys dev="vda1" ino=23069863 scontext=guest_u:guest_r:guest_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(12/22/2020 11:52:48.443:703) : proctitle=rpm -q selinux-policy 
type=SYSCALL msg=audit(12/22/2020 11:52:48.443:703) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f20d51fda9b a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5613 pid=5642 auid=t7 uid=t7 gid=t7 euid=t7 suid=t7 fsuid=t7 egid=t7 sgid=t7 fsgid=t7 tty=pts1 ses=19 comm=rpm exe=/usr/bin/rpm subj=guest_u:guest_r:guest_t:s0 key=(null) 
type=AVC msg=audit(12/22/2020 11:52:48.443:703) : avc:  denied  { read } for  pid=5642 comm=rpm name=resolv.conf dev="vda1" ino=8603 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(12/22/2020 11:52:48.443:704) : proctitle=rpm -q selinux-policy 
type=SYSCALL msg=audit(12/22/2020 11:52:48.443:704) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f20d3d0ab50 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5613 pid=5642 auid=t7 uid=t7 gid=t7 euid=t7 suid=t7 fsuid=t7 egid=t7 sgid=t7 fsgid=t7 tty=pts1 ses=19 comm=rpm exe=/usr/bin/rpm subj=guest_u:guest_r:guest_t:s0 key=(null) 
type=AVC msg=audit(12/22/2020 11:52:48.443:704) : avc:  denied  { read } for  pid=5642 comm=rpm name=hosts dev="vda1" ino=2437823 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
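
Added example (not part of the original report or of selinux-policy): a small triage parser for interpreted `ausearch -i` output like the records in comment 1. It joins each AVC denial to its SYSCALL record by event serial and collapses the denials into distinct source-type/target-type/class gaps. The sample input is trimmed from the records above, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the three events from comment 1, SYSCALL records trimmed.
SAMPLE = """\
type=SYSCALL msg=audit(12/22/2020 11:51:04.706:702) : syscall=lsetxattr success=no exit=EACCES(Permission denied) comm=restorecon subj=guest_u:guest_r:guest_t:s0
type=AVC msg=audit(12/22/2020 11:51:04.706:702) : avc:  denied  { relabelto } for  pid=5640 comm=restorecon name=authorized_keys dev="vda1" ino=23069863 scontext=guest_u:guest_r:guest_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(12/22/2020 11:52:48.443:703) : syscall=openat success=no exit=EACCES(Permission denied) comm=rpm subj=guest_u:guest_r:guest_t:s0
type=AVC msg=audit(12/22/2020 11:52:48.443:703) : avc:  denied  { read } for  pid=5642 comm=rpm name=resolv.conf dev="vda1" ino=8603 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(12/22/2020 11:52:48.443:704) : syscall=openat success=no exit=EACCES(Permission denied) comm=rpm subj=guest_u:guest_r:guest_t:s0
type=AVC msg=audit(12/22/2020 11:52:48.443:704) : avc:  denied  { read } for  pid=5642 comm=rpm name=hosts dev="vda1" ino=2437823 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
"""

EVENT = re.compile(r"type=(\w+) msg=audit\([^)]*:(\d+)\)")  # record type, event serial
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value or key="value"
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")          # denied permission set

def parse_denials(text):
    """Return one dict per AVC denial, joined to its SYSCALL record by serial."""
    syscalls, denials = {}, []
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # separators ("----") and unrelated lines
        rtype, serial = m.group(1), int(m.group(2))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rtype == "SYSCALL":
            syscalls[serial] = fields.get("syscall")
        elif rtype == "AVC" and (p := PERMS.search(line)):
            denials.append({
                "serial": serial, "comm": fields["comm"], "name": fields.get("name"),
                "perms": p.group(1).split(),
                "source": fields["scontext"].split(":")[2],  # type is the 3rd context field
                "target": fields["tcontext"].split(":")[2],
                "tclass": fields["tclass"],
            })
    return [dict(d, syscall=syscalls.get(d["serial"])) for d in denials]

def group_by_rule(denials):
    """Collapse denials into distinct (source, target, class) gaps with merged perms."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "names": set()})
    for d in denials:
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["comms"].add(d["comm"])
        g["names"].add(d["name"])
    return dict(groups)
```

On the sample, the three events reduce to two gaps: `guest_t` relabeling to `ssh_home_t` (the `restorecon` failure this bug is about) and `guest_t` reading `net_conf_t` files (from `rpm`).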

Comment 2 Milos Malik 2021-01-04 11:13:36 UTC
I believe the first SELinux denial in comment#1 is a consequence of BZ#1907502.

