Bug 212851 - SELinux prevents ssh-keygen from writing generated SSH keys to disk
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-10-29 12:57 EST by Gabriel Schulhof
Modified: 2007-11-30 17:11 EST
CC: 1 user
Doc Type: Bug Fix
Last Closed: 2006-11-28 15:49:11 EST
Description Gabriel Schulhof 2006-10-29 12:57:49 EST
Description of problem:

[nix@achilles .ssh]$ ssh-keygen -q  -t rsa
Enter file in which to save the key (/home/nix/.ssh/id_rsa): 
Could not create directory '/home/nix/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /home/nix/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /home/nix/.ssh/id_rsa.

Oct 29 08:47:20 achilles kernel: audit(1162129640.406:25): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:20 achilles kernel: audit(1162129640.426:26): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:20 achilles kernel: audit(1162129640.446:27): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:23 achilles kernel: audit(1162129643.310:28): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

[nix@achilles .ssh]$ ssh-keygen -q -f /tmp/test_key_rsa -t rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /tmp/test_key_rsa failed: Permission denied.
Saving the key failed: /tmp/test_key_rsa.

Oct 29 08:48:55 achilles kernel: audit(1162129735.772:29): avc:  denied  { search } for  pid=25474 comm="ssh-keygen" name="tmp" dev=hda1 ino=3532033 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Oct 29 08:48:57 achilles kernel: audit(1162129737.096:30): avc:  denied  { search } for  pid=25474 comm="ssh-keygen" name="tmp" dev=hda1 ino=3532033 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

In other words, ssh-keygen is not allowed to look in the user's home directory
(because it's inside the home directories' root), nor in /tmp. Thus it cannot
place the generated key anywhere useful.

Version-Release number of selected component (if applicable):

openssh-4.3p2-10
selinux-policy-2.4.1-3.fc6

How reproducible:
Always

Steps to Reproduce:
1. ssh-keygen -q  -t rsa # To produce first failure
2. ssh-keygen -q -f /tmp/test_key_rsa -t rsa # To produce second failure
Actual results:
SELinux policy prevents key file creation.

Expected results:
SELinux policy allows key file creation.

Additional info:
Comment 1 Daniel Walsh 2006-11-28 15:49:11 EST
This looks like a labeling problem.  Sorry about dropping the ball on this one.
touch /.autorelabel
reboot

Should fix the problem
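
The denials quoted in the report are the raw material for triage, and the first thing a practitioner does with a batch of them is collapse them into the unique (source type, target type, class, permission) tuples and look at who the source really is. The script below is an added example, not part of the bug report or of the selinux-policy package: it parses AVC messages in the kernel/syslog format shown above, aggregates the denials, and renders the allow rules that audit2allow would propose for them. The sample log is constructed from the report's own lines (re-joined onto single lines) plus one unrelated kernel line to show that non-AVC records are skipped; the function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the AVC messages from the bug report, unwrapped onto
# one line each, plus one unrelated (constructed) kernel line that must be ignored.
SAMPLE_LOG = """\
Oct 29 08:47:20 achilles kernel: audit(1162129640.406:25): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:20 achilles kernel: audit(1162129640.426:26): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:20 achilles kernel: audit(1162129640.446:27): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:23 achilles kernel: audit(1162129643.310:28): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:48:56 achilles kernel: hda1: unrelated kernel message (constructed)
Oct 29 08:48:55 achilles kernel: audit(1162129735.772:29): avc:  denied  { search } for  pid=25474 comm="ssh-keygen" name="tmp" dev=hda1 ino=3532033 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Oct 29 08:48:57 achilles kernel: audit(1162129737.096:30): avc:  denied  { search } for  pid=25474 comm="ssh-keygen" name="tmp" dev=hda1 ino=3532033 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split a user:role:type[:range] security context into (user, role, type)."""
    parts = ctx.split(":")
    return parts[0], parts[1], parts[2]


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    suser, srole, stype = split_context(fields["scontext"])
    _, _, ttype = split_context(fields["tcontext"])
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),   # one AVC record may list several permissions
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "suser": suser, "srole": srole, "stype": stype,
        "ttype": ttype, "tclass": fields["tclass"],
    }


def summarise(log_text):
    """Aggregate denials by (source type, target type, class, permission).

    Returns counts per key, the object names seen per key, and the
    (user, role, comm) of the source process per key; the last one is what
    tells a triager whether a user-typed command is really running in its
    expected domain or, as here, in the ssh_keygen_t daemon domain."""
    counts = Counter()
    names = defaultdict(set)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            counts[key] += 1
            names[key].add(rec["name"])
            sources[key].add((rec["suser"], rec["srole"], rec["comm"]))
    return counts, names, sources


def te_rules(counts):
    """Render the denials as the allow rules audit2allow would propose.

    Shown for comparison only: applying these blindly widens the ssh_keygen_t
    domain instead of fixing the labeling that put the process there."""
    perms_by_triple = defaultdict(set)
    for (stype, ttype, tclass, perm) in counts:
        perms_by_triple[(stype, ttype, tclass)].add(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms_by_triple.items())]


def report(log_text):
    """One line per aggregated denial, followed by the audit2allow-style rules."""
    counts, names, sources = summarise(log_text)
    lines = []
    for key, n in sorted(counts.items()):
        stype, ttype, tclass, perm = key
        lines.append(f"{n:3d}x {stype} -> {ttype}:{tclass} {perm} "
                     f"on {sorted(names[key])} from {sorted(sources[key])}")
    lines.extend(te_rules(counts))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two things the aggregated view makes obvious that the raw log does not: every denial comes from the same source domain, ssh_keygen_t, with user system_u and role system_r, for a command the reporter typed at an ordinary user shell, and the only permission ever denied is a directory search. That pattern (a system daemon domain attached to an interactive command, denied the most basic access to well-labeled directories) is why the answer in the comment above is a relabel rather than the two allow rules the script prints. Before forcing a full relabel on a live box, the same conclusion can be checked in place with `id -Z` (the shell's own context), `ls -Z` on the binary and the target directories, and `restorecon -n -v` on the paths involved, which reports what a relabel would change without changing it.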
