Bug 475378 - selinux policy denies sshd access to /root/.ssh files
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Platform: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-12-08 18:32 EST by Gilles Detillieux
Modified: 2008-12-09 14:29 EST
Doc Type: Bug Fix
Last Closed: 2008-12-09 14:29:37 EST

Description Gilles Detillieux 2008-12-08 18:32:27 EST
Description of problem:
selinux-policy-targeted-3.6.1-6.fc11 causes avc denied messages in /var/log/audit/audit.log, and blocks sshd's access to /root/.ssh/authorized_hosts.  The default file context for these files is system_u:object_r:admin_home_t:s0, to which sshd is not allowed access.  Turning off enforcing or changing file context to system_u:object_r:home_ssh_t:s0 clears up the problem.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up a public key and add it to rawhide system's /root/.ssh/authorized_hosts
2. Use ssh from another system to login as root on rawhide system.
3. Login by providing password.
4. Look at /var/log/audit/audit.log
5. setenforce 0
6. Repeat steps 2-4; step 3 will allow passwordless login.
7. setenforce 1
8. chcon -R system_u:object_r:home_ssh_t:s0 /root/.ssh
9. Repeat step 6.
Actual results:
Passwordless access denied because sshd denied access to /root/.ssh by default.  audit.log entry example:

type=AVC msg=audit(1228775617.887:106): avc:  denied  { read } for  pid=3338 comm="sshd" name="authorized_keys" dev=sda8 ino=343691 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Expected results:
sshd should be allowed access to /root/.ssh files regardless of whether enforcing is enabled or not.

Additional info:
Please either fix the default context for /root/.ssh, or change sshd's policy to allow access to admin_home_t files.  Probably the first fix is preferable.
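Added example (not part of the bug report or of the selinux-policy fix): a small shell triage helper that reduces audit.log AVC lines, such as the one quoted above, to the fields that matter for diagnosing a denial: the confined process, its source type, the target file's type, the object class and the denied permissions. This is the same reading the reporter did by hand to conclude that sshd_t cannot read admin_home_t files. The sample log embedded below is constructed for the example: its first line is the AVC entry from the report, the second is a non-AVC record added so the filter has something to skip.

```shell
#!/bin/bash
# Constructed sample input: the AVC line quoted in the report plus one
# unrelated audit record (not from the report) that the filter must ignore.
SAMPLE_AUDIT='type=AVC msg=audit(1228775617.887:106): avc:  denied  { read } for  pid=3338 comm="sshd" name="authorized_keys" dev=sda8 ino=343691 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=CRED_ACQ msg=audit(1228775618.001:107): pid=3338 uid=0 auid=4294967295 ses=4294967295 msg='"'"'op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.2 addr=10.0.0.2 terminal=ssh res=success'"'"''

# avc_summary: read audit records on stdin and print one line per denial:
#   <comm> <source type> <target type> <tclass> {<denied permissions>}
# Types are the third colon-separated field of an SELinux context
# (user:role:type[:range]), so the MLS range on scontext is ignored.
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      perms = $0
      sub(/.*denied +[{] */, "", perms)   # drop everything up to "{ "
      sub(/ *[}].*/, "", perms)           # drop everything from " }" on
      comm = ""; stype = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      printf "%s %s %s %s {%s}\n", comm, stype, ttype, tclass, perms
    }'
}

# denied_target_types <comm>: unique target types that <comm> was denied on.
# For the report this yields admin_home_t, i.e. the file label to relabel
# (the reporter worked around it with chcon to home_ssh_t) or to cover in policy.
denied_target_types() {
  avc_summary | awk -v want="$1" '$1 == want { print $3 }' | sort -u
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | denied_target_types sshd
```

On a live system feed it the real log instead of the sample, e.g. `avc_summary < /var/log/audit/audit.log` or `ausearch -m avc -ts recent | avc_summary`; `denied_target_types sshd` then lists every file type sshd has been denied on, which is the list to compare against what the policy's file contexts say /root/.ssh should carry.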
Comment 1 Daniel Walsh 2008-12-09 14:29:21 EST
Fixed in selinux-policy-3.6.1-9.fc11
