Bug 492519 - SELinux denies ssh-keygen from system_u:object_r:initrc_exec_t
Summary: SELinux denies ssh-keygen from system_u:object_r:initrc_exec_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
urgent
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks: 538453
Reported: 2009-03-27 08:16 UTC by Qian Cai
Modified: 2012-10-15 13:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 07:49:06 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 0 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Qian Cai 2009-03-27 08:16:56 UTC
Description of problem:
The following init script failed to run and there was no AVC message,

# cat /etc/init.d/try
#!/bin/bash -x
rm -rf /root/.ssh
mkdir /root/.ssh
chmod 700 /root/.ssh
cd /root/.ssh
ssh-keygen -t rsa -N '' -f id_rsa

# ls -lZ /etc/init.d/try 
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/try

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

# ausearch -m AVC
...

Change the script to use the following works,

runcon -u root -r system_r -t initrc_t -- ssh-keygen -t rsa -N '' -f id_rsa

Version-Release number of selected component (if applicable):
kernel-2.6.18-128.el5
selinux-policy-2.4.6-203.el5
selinux-policy-targeted-2.4.6-203.el5

How reproducible:
always

Steps to Reproduce:
See the description.
Actual results:
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

Expected results:
Generating public/private rsa key pair.
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
...

Comment 1 Daniel Walsh 2009-04-13 14:13:07 UTC
If you add a restorecon /root/.ssh, after you create it, does the script work?

Comment 2 Qian Cai 2009-04-14 09:34:53 UTC
Still the same.

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ restorecon /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

Comment 3 Qian Cai 2009-04-14 09:37:28 UTC
More verbose output.

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ ls -lZd /root/.ssh
drwxr-xr-x  root root root:object_r:user_home_dir_t    /root/.ssh
+ chmod 700 /root/.ssh
+ restorecon /root/.ssh
+ ls -lZd /root/.ssh
drwx------  root root root:object_r:user_home_t        /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

Comment 4 Daniel Walsh 2009-04-14 13:04:53 UTC
Just for testing purposes, try

chcon -t user_home_ssh_t /root/.ssh

rather than restorecon

Comment 5 Qian Cai 2009-04-14 13:16:38 UTC
# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ chcon -t user_home_ssh_t /root/.ssh
chcon: failed to change context of /root/.ssh to root:object_r:user_home_ssh_t: Invalid argument
+ ls -lZd /root/.ssh
drwx------  root root root:object_r:user_home_dir_t    /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

Comment 7 Daniel Walsh 2009-06-18 19:00:33 UTC
Fixed in selinux-policy-2.4.6-247.el5

Comment 14 Daniel Walsh 2009-07-21 18:44:36 UTC
What is /etc/init.d/try labeled?

ls -lZ /etc/init.d/try

If this is labeled initrc_exec_t, I believe it will work either way.  If you run ssh-keygen directly it will not work since it will run as unconfined_t.

No transition happens so the directory does not get created with the correct label.

Comment 16 Milos Malik 2009-07-22 08:34:28 UTC
selinux-policy-2.4.6-253.el5 knows 2 user home contexts (user_home_t and user_home_dir_t). /root/.ssh is associated with the first context, dontaudit rule for /usr/bin/ssh-keygen is associated with the second context. That's the reason why AVCs mentioned in comment #10 still appear.

# sesearch -s ssh_keygen_t -t user_home_t -c dir --all

Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;

# sesearch -s ssh_keygen_t -t user_home_dir_t -c dir --all
Found 1 av rules:
   dontaudit ssh_keygen_t user_home_dir_t : dir { getattr search }; 

Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;

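Comment 16 shows the mechanism behind the silent failure: the policy holds only a dontaudit rule for ssh_keygen_t on user_home_dir_t and nothing at all for user_home_t, so the create fails without an AVC. The following shell snippet is an added example, not code from the reporter or from the selinux-policy package; it parses sesearch output (captured text or a live query) to tell whether a domain actually holds the dir permissions it needs on a directory's type, ignoring dontaudit lines since they grant nothing. The function names are this example's own, and the live helper assumes setools (sesearch) is installed.

```shell
#!/bin/sh
# Added example, not part of the bug report. Decide from sesearch output
# whether a source domain may create files in a directory of a given type.

# Pull the type field out of a context such as root:object_r:user_home_t
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read sesearch output on stdin; succeed only if an allow rule for
# source $1 on target $2, class dir, carries every permission in $3.
# dontaudit lines are skipped on purpose: they do not grant access, they
# only silence the AVC, which is why the init script failed without a record.
grants_dir_perms() {
    src=$1; tgt=$2; needed=$3
    rules=$(grep -E "^ *allow $src $tgt ?: ?dir" || :)
    [ -n "$rules" ] || return 1
    for p in $needed; do
        printf '%s\n' "$rules" | grep -qE "[{ ]$p[ };]" || return 1
    done
    return 0
}

# Live check (needs root and sesearch): label the directory, query the
# policy, and report. Creating id_rsa needs search, write and add_name.
# Assumption: `ls -Zd` prints the context as a whitespace-separated field.
check_dir_for_domain() {
    dir=$1; src=${2:-ssh_keygen_t}
    ctx=$(ls -Zd "$dir" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }')
    tgt=$(type_of_context "$ctx")
    if sesearch -s "$src" -t "$tgt" -c dir --allow |
        grants_dir_perms "$src" "$tgt" "search write add_name"; then
        echo "$src may create files in $dir ($tgt)"
    else
        echo "$src cannot create files in $dir ($tgt)"
        echo "if no AVC appears, a dontaudit rule is hiding it; semodule -DB (where supported) rebuilds policy with dontaudit off"
    fi
}
```

Run `check_dir_for_domain /root/.ssh` on the affected system to reproduce the diagnosis from Comment 16 without reading sesearch output by hand.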
Comment 17 Milos Malik 2009-07-22 08:52:00 UTC
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-253.el5
selinux-policy-targeted-2.4.6-253.el5
# cd /root
# rm -rf .ssh
# mkdir .ssh
# restorecon -Rv .
# ls -Zd .ssh
drwxr-xr-x  root root root:object_r:user_home_t        .ssh
#

Comment 18 Milos Malik 2009-07-22 09:03:48 UTC
(In reply to comment #14)
> What is /etc/init.d/try labeled?
> 
> ls -lZ /etc/init.d/try
> 
> If this is labeled initrc_exec_t, I believe it will work either way.  If you
> run ssh-keygen directly it will not work since it will run as unconfined_t.
> 
> No transition happens so the directory does not get created with the correct
> label.  

# ls -Z /etc/init.d/try
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/try

Comment 20 Daniel Walsh 2009-10-15 17:51:13 UTC
Malik Fixed in selinux-policy-2.4.6-260.el5

Comment 25 errata-xmlrpc 2010-03-30 07:49:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
