Bug 491541 - SELinux issue with pam_ssh
Summary: SELinux issue with pam_ssh
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
low
medium
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2009-03-22 20:33 UTC by Jochen Schmitt
Modified: 2009-03-31 16:49 UTC

Doc Type: Bug Fix
Last Closed: 2009-03-31 16:49:43 UTC

Description Jochen Schmitt 2009-03-22 20:33:18 UTC
When I'm using pam_ssh with my ssh key, I get the following SELinux error messages:

Raw-Audit-Meldungen           

node=zeus.herr-schmitt.de type=AVC msg=audit(1237749010.790:63): avc:  denied  { read } for  pid=2959 comm="login" name="id_rsa" dev=dm-1 ino=3183866 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

node=zeus.herr-schmitt.de type=SYSCALL msg=audit(1237749010.790:63): arch=c000003e syscall=2 success=yes exit=3 a0=139e450 a1=0 a2=7fff7cc3e168 a3=349cb6da70 items=0 ppid=1 pid=2959 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=tty3 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-03-23 17:07:19 UTC
restorecon -R -v /home /root

You have some mislabeled key files. There was a problem with the update from F8 and maybe F9 that could have caused this problem.

Also make sure you have the latest selinux policy installed.
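
The diagnosis in Comment 1 can be read off the AVC record itself: the target context (tcontext) has the type unlabeled_t, so the denial points at a file without a valid label, not at a policy rule. As an added example (not part of the original bug report or of any SELinux tool), the following parses such a record and separates the two cases; the function names and the inclusion of file_t as a second "no label" type are assumptions made here.

```python
import re

# AVC record quoted from the bug description above (audit.log format).
SAMPLE_AVC = (
    'node=zeus.herr-schmitt.de type=AVC msg=audit(1237749010.790:63): avc:  denied  { read } for  pid=2959 comm="login" name="id_rsa" dev=dm-1 ino=3183866 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'
)

# Types that mean "this object has no valid label", not "policy forbids this".
# unlabeled_t is the one in the report; file_t is an assumption added here
# (the type older policies gave to files with no label attribute at all).
UNLABELED_TYPES = {"unlabeled_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields in one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the level itself may contain colons.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def triage(line):
    """Classify a denial as a labeling problem or a policy question."""
    rec = parse_avc(line)
    if rec is None:
        return None
    if rec["tcontext_type"] in UNLABELED_TYPES:
        verdict = "relabel"        # fix the label (restorecon), leave policy alone
    else:
        verdict = "review-policy"  # label is valid; look at the rule instead
    return {"verdict": verdict, "source": rec["scontext_type"],
            "target": rec["tcontext_type"], "object": rec.get("name"),
            "class": rec.get("tclass"), "perms": rec["perms"]}


if __name__ == "__main__":
    print(triage(SAMPLE_AVC))
```

For the record in this report the verdict is "relabel", which matches the restorecon advice above.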

Comment 2 Jochen Schmitt 2009-03-23 19:09:10 UTC
Yes, I know that I can relabel the complained-about file with the restorecon command. But it seems that the mislabeled situation will occur again after the next login, because pam_ssh will access the key file.

Comment 3 Daniel Walsh 2009-03-24 14:28:30 UTC
But the file should not be mislabeled any longer. The file became mislabeled because of a failure in the upgrade. Once it gets labeled correctly it should not be possible to create the mislabeled file again. (Well, no confined domain should be able to create it anyway.)

Comment 4 Jochen Schmitt 2009-03-31 16:49:43 UTC
I will close this bug, because your hint works on my system.

