Bug 212851 - SElinux prevents ssh-keygen from writing generated SSH keys to disk
Summary: SElinux prevents ssh-keygen from writing generated SSH keys to disk
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-10-29 17:57 UTC by Gabriel Schulhof
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-11-28 20:49:11 UTC
Type: ---
Embargoed:



Description Gabriel Schulhof 2006-10-29 17:57:49 UTC
Description of problem:

[nix@achilles .ssh]$ ssh-keygen -q  -t rsa
Enter file in which to save the key (/home/nix/.ssh/id_rsa): 
Could not create directory '/home/nix/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /home/nix/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /home/nix/.ssh/id_rsa.

Oct 29 08:47:20 achilles kernel: audit(1162129640.406:25): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:20 achilles kernel: audit(1162129640.426:26): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:20 achilles kernel: audit(1162129640.446:27): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:47:23 achilles kernel: audit(1162129643.310:28): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

[nix@achilles .ssh]$ ssh-keygen -q -f /tmp/test_key_rsa -t rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /tmp/test_key_rsa failed: Permission denied.
Saving the key failed: /tmp/test_key_rsa.

Oct 29 08:48:55 achilles kernel: audit(1162129735.772:29): avc:  denied  { search } for  pid=25474 comm="ssh-keygen" name="tmp" dev=hda1 ino=3532033 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Oct 29 08:48:57 achilles kernel: audit(1162129737.096:30): avc:  denied  { search } for  pid=25474 comm="ssh-keygen" name="tmp" dev=hda1 ino=3532033 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

In other words, ssh-keygen is not allowed to look in the user's home directory
(because it's inside the home directories' root), nor in /tmp. Thus it cannot
place the generated key anywhere useful.

Version-Release number of selected component (if applicable):

openssh-4.3p2-10
selinux-policy-2.4.1-3.fc6

How reproducible:
Always

Steps to Reproduce:
1. ssh-keygen -q  -t rsa # To produce first failure
2. ssh-keygen -q -f /tmp/test_key_rsa -t rsa # To produce second failure
3.
  
Actual results:
SElinux policy prevents key file creation.

Expected results:
SElinux policy allows key file creation.

Additional info:
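As an added example, not part of the bug report or the selinux-policy package: a small Python parser that condenses repeated AVC records like the ones quoted above into one entry per distinct (source domain, permission, target type, object class), which is the view you want before deciding whether a denial calls for a relabel or a policy change. The sample log is constructed from two of the records above, re-joined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: two AVC records from the report above, one line per record.
SAMPLE_LOG = """\
Oct 29 08:47:20 achilles kernel: audit(1162129640.406:25): avc:  denied  { search } for  pid=24939 comm="ssh-keygen" name="home" dev=hda1 ino=2681729 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Oct 29 08:48:55 achilles kernel: audit(1162129735.772:29): avc:  denied  { search } for  pid=25474 comm="ssh-keygen" name="tmp" dev=hda1 ino=3532033 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." (kernel/audit AVC format)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm="ssh-keygen") or bare (dev=hda1)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules are written against.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Collapse repeated denials into {(domain, perm, target type, class): count}."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["sdomain"], perm, rec["ttype"], rec["tclass"])] += 1
    return dict(counts)


def describe(summary):
    """Human-readable lines, e.g. 'ssh_keygen_t denied search on home_root_t (dir) x1'."""
    return [f"{d} denied {p} on {t} ({c}) x{n}"
            for (d, p, t, c), n in sorted(summary.items())]


if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_LOG)):
        print(line)
```

Seeing an interactive command run in a system domain such as ssh_keygen_t rather than the user's own domain is exactly the kind of detail this summary makes visible, which is why the maintainer's relabel advice is worth trying before writing any allow rule.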

Comment 1 Daniel Walsh 2006-11-28 20:49:11 UTC
This looks like a labeling problem.  Sorry about dropping the ball on this one.  
touch /.autorelabel
reboot

Should fix the problem
