Description of problem:
The following init script failed to run and there was no AVC message.

# cat /etc/init.d/try
#!/bin/bash -x
rm -rf /root/.ssh
mkdir /root/.ssh
chmod 700 /root/.ssh
cd /root/.ssh
ssh-keygen -t rsa -N '' -f id_rsa

# ls -lZ /etc/init.d/try
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/try

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

# ausearch -m AVC
...

Changing the script to use the following works:
runcon -u root -r system_r -t initrc_t -- ssh-keygen -t rsa -N '' -f id_rsa

Version-Release number of selected component (if applicable):
kernel-2.6.18-128.el5
selinux-policy-2.4.6-203.el5
selinux-policy-targeted-2.4.6-203.el5

How reproducible:
always

Steps to Reproduce:
See the description.

Actual results:
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

Expected results:
Generating public/private rsa key pair.
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
...
If you add a restorecon /root/.ssh, after you create it, does the script work?
Still the same.

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ restorecon /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
More verbose output.

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ ls -lZd /root/.ssh
drwxr-xr-x  root root root:object_r:user_home_dir_t    /root/.ssh
+ chmod 700 /root/.ssh
+ restorecon /root/.ssh
+ ls -lZd /root/.ssh
drwx------  root root root:object_r:user_home_t        /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
Just for testing purposes, try

chcon -t user_home_ssh_t /root/.ssh

rather than restorecon.
# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ chcon -t user_home_ssh_t /root/.ssh
chcon: failed to change context of /root/.ssh to root:object_r:user_home_ssh_t: Invalid argument
+ ls -lZd /root/.ssh
drwx------  root root root:object_r:user_home_dir_t    /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
Fixed in selinux-policy-2.4.6-247.el5
What is /etc/init.d/try labeled?

ls -lZ /etc/init.d/try

If this is labeled initrc_exec_t, I believe it will work either way. If you run ssh-keygen directly it will not work since it will run as unconfined_t.

No transition happens so the directory does not get created with the correct label.
selinux-policy-2.4.6-253.el5 knows 2 user home contexts (user_home_t and user_home_dir_t). /root/.ssh is associated with the first context; the dontaudit rule for /usr/bin/ssh-keygen is associated with the second context. That's the reason why AVCs mentioned in comment #10 still appear.

# sesearch -s ssh_keygen_t -t user_home_t -c dir --all
Found 5 role allow rules:
allow system_r sysadm_r ;
allow user_r sysadm_r ;
allow user_r system_r ;
allow sysadm_r user_r ;
allow sysadm_r system_r ;

# sesearch -s ssh_keygen_t -t user_home_dir_t -c dir --all
Found 1 av rules:
dontaudit ssh_keygen_t user_home_dir_t : dir { getattr search };

Found 5 role allow rules:
allow system_r sysadm_r ;
allow user_r sysadm_r ;
allow user_r system_r ;
allow sysadm_r user_r ;
allow sysadm_r system_r ;
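An added example, not from the bug report or the selinux-policy package: it parses the two sesearch listings quoted in the comment above and predicts, for one access at a time, whether ssh_keygen_t's access is allowed, denied with an AVC record, or denied silently under a dontaudit rule (which is why a failure like the one in the description can leave ausearch empty). The sample text is constructed from the comment, and the access model is deliberately simplified: it ignores constraints, booleans and MLS.

```python
import re
from collections import defaultdict

# Constructed sample: AV and role lines from the two sesearch queries above.
# Role allow lines carry no class/permissions and are skipped by the parser.
SESEARCH_OUTPUT = """\
Found 5 role allow rules:
allow system_r sysadm_r ;
Found 1 av rules:
dontaudit ssh_keygen_t user_home_dir_t : dir { getattr search };
"""

# setools-3 style AV rule: kind source target : class { perms } ;
# A single permission may be printed without braces, so the braced group
# is optional and the bare-word alternative catches that form.
AV_RULE = re.compile(
    r"^(allow|dontaudit|auditallow)\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+"
    r"(?:\{\s*([^}]*)\}|(\S+))\s*;",
    re.MULTILINE,
)


def parse_av_rules(text):
    """Return {(kind, source, target, class): set(permissions)}."""
    rules = defaultdict(set)
    for kind, src, tgt, cls, braced, single in AV_RULE.findall(text):
        perms = braced.split() if braced else [single]
        rules[(kind, src, tgt, cls)].update(perms)
    return rules


def classify_access(rules, src, tgt, cls, perm):
    """Predict one access check under the parsed rules.
    'allowed'        -> an allow rule grants perm
    'denied-silent'  -> denied, and a dontaudit rule suppresses the AVC
    'denied-audited' -> denied, and an AVC record should be logged"""
    if perm in rules.get(("allow", src, tgt, cls), set()):
        return "allowed"
    if perm in rules.get(("dontaudit", src, tgt, cls), set()):
        return "denied-silent"
    return "denied-audited"


if __name__ == "__main__":
    rules = parse_av_rules(SESEARCH_OUTPUT)
    for target in ("user_home_t", "user_home_dir_t"):
        print(target, classify_access(rules, "ssh_keygen_t", target, "dir", "search"))
```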
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-253.el5
selinux-policy-targeted-2.4.6-253.el5
# cd /root
# rm -rf .ssh
# mkdir .ssh
# restorecon -Rv .
# ls -Zd .ssh
drwxr-xr-x  root root root:object_r:user_home_t        .ssh
#
(In reply to comment #14)
> What is /etc/init.d/try labeled?
>
> ls -lZ /etc/init.d/try
>
> If this is labeled initrc_exec_t, I believe it will work either way. If you
> run ssh-keygen directly it will not work since it will run as unconfined_t.
>
> No transition happens so the directory does not get created with the correct
> label.

# ls -Z /etc/init.d/try
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/try
Malik Fixed in selinux-policy-2.4.6-260.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html