Description of problem:
I use pam_ssh to add ssh keys to ssh-agent during login. This worked fine in FC6 and is broken in F8 with selinux enforcing. The problem goes away with selinux permissive. This affects both command line logins (on a vt at least) and kdm login.

Version-Release number of selected component (if applicable):
pam_ssh-1.92-2.fc8.x86_64
pam_ssh-1.92-2.fc8.i386
selinux-policy-targeted-3.0.8-47.fc8.noarch

How reproducible: always

This is what I have in system-auth:
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
auth optional pam_ssh.so use_first_pass

and:
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=2 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ssh.so

Just protect your ssh key with your login password and try to log in. ssh-add -l should list that key but it does not. There will be some setroubleshoot messages and audit messages related to at least the inability to run ssh-agent.
What AVCs are you seeing? /var/log/audit/audit.log or /var/log/messages
Created attachment 259561: audit.log for root logging in, selinux enforcing
Created attachment 259571: audit.log for root logging in, selinux permissive
Created attachment 259581: audit.log for normal user (home on nfs) logging in, selinux enforcing
Created attachment 259591: audit.log for normal user (home on nfs) logging in, selinux permissive
The above attachments are for console login. KDM has the same problem (and I think it also applies to gdm). If you need logs for graphical login please let me know.
If you run chcon -R -t var_auth /var/run/pam_ssh and update to selinux-policy-3.0.8-53, does it fix the problem?
I think you meant: chcon -R -t var_auth /var/run/pam_ssh? If so, running it and updating the policy does not help. Login cannot start ssh-agent and cannot access private keys. I attach two additional logs from a run with the new policy and the changes to the pam_ssh context.
Created attachment 260821: audit.log for root logging in, selinux enforcing
Created attachment 260831: audit.log for normal user (home on nfs) logging in, selinux enforcing
Could you log in in permissive mode and show me all the AVCs?
You can allow this for now by executing:
# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp
Created attachment 263441: audit.log for root logging in, selinux permissive
Created attachment 263451: audit.log for normal user (home on nfs) logging in, selinux permissive
Fixed in selinux-policy-3.0.8-58.fc8
It's not. I am getting an extra "bind: permission denied" when logging in on the console. Logs follow.
Created attachment 266701: audit.log for root logging in, selinux enforcing
Created attachment 266711: audit.log for root logging in, selinux permissive
Created attachment 266721: audit.log for normal user (home on nfs) logging in, selinux enforcing
Created attachment 266731: audit.log for normal user (home on nfs) logging in, selinux permissive
Ok, relooking at this, I believe "session optional pam_ssh.so" should not be in the system-auth file at all. It needs to be in each one of the login pam modules after the pam_selinux open call. This will ensure that ssh_agent is running on behalf of the user. "auth optional pam_ssh.so use_first_pass" can probably stay in system-auth, although does this need to be run by tools like su and sudo?
With this change, I only need to allow login programs to write to userdomain tmp sockets.
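As an added check (not from the bug report or the policy package) that a login service's PAM file follows the ordering described in the comment above, the script below reports whether the "session ... pam_ssh.so" line comes after "session ... pam_selinux.so open". The sample PAM files are constructed here for the demonstration; "include" lines are not followed, so a pam_ssh.so line that only lives in system-auth is reported as missing.

```shell
#!/bin/sh
# Added example: check that pam_ssh.so's session line runs after the SELinux
# context switch (pam_selinux.so open), so ssh-agent starts in the user's
# domain instead of the login program's domain.

# pam_ssh_after_selinux FILE -> exit 0 if the ordering is correct, 1 otherwise
pam_ssh_after_selinux() {
    awk '
        /^[[:space:]]*#/ { next }                                    # skip comments
        $1 == "session" && /pam_selinux\.so/ && /open/ { sel = NR }  # last "open" line
        $1 == "session" && /pam_ssh\.so/ { ssh = NR }                # last pam_ssh line
        END {
            if (ssh == 0) { print "no session pam_ssh.so line (is it only in system-auth?)"; exit 1 }
            if (sel == 0) { print "no session pam_selinux.so open line"; exit 1 }
            if (ssh > sel) { print "ok: pam_ssh.so (line " ssh ") after pam_selinux open (line " sel ")"; exit 0 }
            print "BAD: pam_ssh.so (line " ssh ") before pam_selinux open (line " sel ")"; exit 1
        }' "$1"
}

# Constructed sample of a login service file in the corrected order.
write_good_login() {
    cat > "$1" <<'EOF'
auth       required     pam_securetty.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_selinux.so close
session    required     pam_selinux.so open
session    optional     pam_ssh.so
EOF
}

# Constructed sample where ssh-agent would be started before the context switch.
write_bad_login() {
    cat > "$1" <<'EOF'
session    include      system-auth
session    optional     pam_ssh.so
session    required     pam_selinux.so open
EOF
}

# Stand-alone demonstration on the two constructed files (paths are placeholders).
tmp=$(mktemp -d)
write_good_login "$tmp/login.good"; pam_ssh_after_selinux "$tmp/login.good"
write_bad_login  "$tmp/login.bad";  pam_ssh_after_selinux "$tmp/login.bad" || true
rm -rf "$tmp"
```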
Daniel, could you please look at the fixes that have been proposed in the other bug? Also, could it be possible to avoid the dependency on policycoreutils? Lastly, it would be nice if you or somebody knowledgeable could do some policy documentation, especially for http://fedoraproject.org/wiki/Packaging/ScriptletSnippets or in the guidelines proper. *** This bug has been marked as a duplicate of 397131 ***