when I'm using pam_ssh with my ssh key, I will got the following SELinux error messages: Raw-Audit-Meldungen node=zeus.herr-schmitt.de type=AVC msg=audit(1237749010.790:63): avc: denied { read } for pid=2959 comm="login" name="id_rsa" dev=dm-1 ino=3183866 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file node=zeus.herr-schmitt.de type=SYSCALL msg=audit(1237749010.790:63): arch=c000003e syscall=2 success=yes exit=3 a0=139e450 a1=0 a2=7fff7cc3e168 a3=349cb6da70 items=0 ppid=1 pid=2959 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=tty3 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
restorecon -R -v /home /root You have some mislabeled key files. There was a problem with the update from F8 and Maybe F9 that could have caused this problem. Also make sure you have the latest selinux policy installed.
Yes, I know, that I can relable the complaint file with the restorecon command. But it's seem, that the mislable situation will be occurs after the next login, because pam_ssh will access the the key file.
But the file should not be mislabeled any longer. The file became mislabeled because of a failure in the upgrade. Once it gets labeled correctly it should not be possible to create the mislabeled file again. (Well no confined domain should be able to create it anyways).
I will close this bug, because your hint works on my system.