Bug 491541 - SELinux issue with pam_ssh
Product: Fedora
Component: selinux-policy-targeted
Hardware: All   OS: Linux
Priority: low   Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Status: Reopened
Reported: 2009-03-22 16:33 EDT by Jochen Schmitt
Modified: 2009-03-31 12:49 EDT
Last Closed: 2009-03-31 12:49:43 EDT
Doc Type: Bug Fix

Description Jochen Schmitt 2009-03-22 16:33:18 EDT
When I'm using pam_ssh with my SSH key, I get the following SELinux error messages:

node=zeus.herr-schmitt.de type=AVC msg=audit(1237749010.790:63): avc:  denied  { read } for  pid=2959 comm="login" name="id_rsa" dev=dm-1 ino=3183866 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

node=zeus.herr-schmitt.de type=SYSCALL msg=audit(1237749010.790:63): arch=c000003e syscall=2 success=yes exit=3 a0=139e450 a1=0 a2=7fff7cc3e168 a3=349cb6da70 items=0 ppid=1 pid=2959 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=tty3 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-03-23 13:07:19 EDT
restorecon -R -v /home /root

You have some mislabeled key files.  There was a problem with the update from F8 and maybe F9 that could have caused this problem.

Also make sure you have the latest selinux policy installed.
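An added example, not part of this bug thread: a small Python triage script that parses the AVC record quoted in the description and separates a mislabeled-file denial (target type unlabeled_t, fixed by restorecon as Comment 1 says) from a genuine policy denial. The first sample record is the one from the bug; the second, with user_home_t as the target, is constructed for contrast.

```python
import re

# Constructed sample input: the AVC record quoted in this bug (one line).
SAMPLE_AVC = ('node=zeus.herr-schmitt.de type=AVC msg=audit(1237749010.790:63): avc:  denied  '
              '{ read } for  pid=2959 comm="login" name="id_rsa" dev=dm-1 ino=3183866 '
              'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
              'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file')

# Constructed contrast case: same access, but the key file is correctly labeled,
# so a denial here would be a policy gap rather than a labeling problem.
SAMPLE_POLICY = ('type=AVC msg=audit(1237749999.000:64): avc:  denied  { read write } for  '
                 'pid=3001 comm="login" name="id_rsa" dev=dm-1 ino=3183866 '
                 'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
                 'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
_PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')  # the { perm perm } list


def parse_avc(line):
    """Return a dict of fields for an audit AVC record, or None for other record types."""
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    if fields.get('type') != 'AVC':
        return None
    m = _PERM_RE.search(line)
    fields['perms'] = m.group(1).split() if m else []
    fields['denied'] = ' denied ' in line
    return fields


def context_type(ctx):
    """Type component of an SELinux context user:role:type[:range]."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def triage(rec):
    """Classify a denial: unlabeled_t on the target means the file carries no label
    at all, which is a relabeling problem, not a missing policy rule."""
    verdict = {'source_type': context_type(rec['scontext']),
               'target_type': context_type(rec['tcontext']),
               'object': rec.get('name'), 'perms': rec['perms']}
    if verdict['target_type'] == 'unlabeled_t':
        verdict['cause'] = 'mislabeled'
        # The record only carries the basename, so relabel the home trees as in Comment 1.
        verdict['fix'] = 'restorecon -R -v /home /root'
    else:
        verdict['cause'] = 'policy'
        verdict['fix'] = 'check for a newer selinux-policy before writing a local module'
    return verdict


if __name__ == '__main__':
    for line in (SAMPLE_AVC, SAMPLE_POLICY):
        print(triage(parse_avc(line)))
```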
Comment 2 Jochen Schmitt 2009-03-23 15:09:10 EDT
Yes, I know that I can relabel the file in the complaint with the restorecon command. But it seems that the mislabeling will occur again after the next login, because pam_ssh will access the key file.
Comment 3 Daniel Walsh 2009-03-24 10:28:30 EDT
But the file should not be mislabeled any longer.  The file became mislabeled because of a failure in the upgrade.  Once it gets labeled correctly it should not be possible to create the mislabeled file again. (Well no confined domain should be able to create it anyways).
Comment 4 Jochen Schmitt 2009-03-31 12:49:43 EDT
I will close this bug, because your hint works on my system.