Bug 492519 - SELinux denies ssh-keygen from system_u:object_r:initrc_exec_t
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE
Keywords: ZStream
Blocks: 538453
Reported: 2009-03-27 04:16 EDT by CAI Qian
Modified: 2012-10-15 09:58 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-30 03:49:06 EDT
Attachments: none

Description CAI Qian 2009-03-27 04:16:56 EDT
Description of problem:
The following init script failed to run and there was no AVC message:

# cat /etc/init.d/try
#!/bin/bash -x
rm -rf /root/.ssh
mkdir /root/.ssh
chmod 700 /root/.ssh
cd /root/.ssh
ssh-keygen -t rsa -N '' -f id_rsa

# ls -lZ /etc/init.d/try 
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/try

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

# ausearch -m AVC
...

Changing the script to use the following works:

runcon -u root -r system_r -t initrc_t -- ssh-keygen -t rsa -N '' -f id_rsa

Version-Release number of selected component (if applicable):
kernel-2.6.18-128.el5
selinux-policy-2.4.6-203.el5
selinux-policy-targeted-2.4.6-203.el5

How reproducible:
always

Steps to Reproduce:
See the description.
  
Actual results:
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.

Expected results:
Generating public/private rsa key pair.
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
...
Comment 1 Daniel Walsh 2009-04-13 10:13:07 EDT
If you add a restorecon /root/.ssh, after you create it, does the script work?
Comment 2 CAI Qian 2009-04-14 05:34:53 EDT
Still the same.

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ restorecon /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
Comment 3 CAI Qian 2009-04-14 05:37:28 EDT
More verbose output.

# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ ls -lZd /root/.ssh
drwxr-xr-x  root root root:object_r:user_home_dir_t    /root/.ssh
+ chmod 700 /root/.ssh
+ restorecon /root/.ssh
+ ls -lZd /root/.ssh
drwx------  root root root:object_r:user_home_t        /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
Comment 4 Daniel Walsh 2009-04-14 09:04:53 EDT
Just for testing purposes, try

chcon -t user_home_ssh_t /root/.ssh

rather than restorecon
Comment 5 CAI Qian 2009-04-14 09:16:38 EDT
# /etc/init.d/try
+ rm -rf /root/.ssh
+ mkdir /root/.ssh
+ chmod 700 /root/.ssh
+ chcon -t user_home_ssh_t /root/.ssh
chcon: failed to change context of /root/.ssh to root:object_r:user_home_ssh_t: Invalid argument
+ ls -lZd /root/.ssh
drwx------  root root root:object_r:user_home_dir_t    /root/.ssh
+ cd /root/.ssh
+ ssh-keygen -t rsa -N '' -f id_rsa
Generating public/private rsa key pair.
open id_rsa failed: Permission denied.
Saving the key failed: id_rsa.
Comment 7 Daniel Walsh 2009-06-18 15:00:33 EDT
Fixed in selinux-policy-2.4.6-247.el5
Comment 14 Daniel Walsh 2009-07-21 14:44:36 EDT
What is /etc/init.d/try labeled?

ls -lZ /etc/init.d/try

If this is labeled initrc_exec_t, I believe it will work either way. If you run ssh-keygen directly it will not work since it will run as unconfined_t.

No transition happens so the directory does not get created with the correct label.
Comment 16 Milos Malik 2009-07-22 04:34:28 EDT
selinux-policy-2.4.6-253.el5 knows 2 user home contexts (user_home_t and user_home_dir_t). /root/.ssh is associated with the first context, dontaudit rule for /usr/bin/ssh-keygen is associated with the second context. That's the reason why AVCs mentioned in comment #10 still appear.

# sesearch -s ssh_keygen_t -t user_home_t -c dir --all

Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;

# sesearch -s ssh_keygen_t -t user_home_dir_t -c dir --all
Found 1 av rules:
   dontaudit ssh_keygen_t user_home_dir_t : dir { getattr search }; 

Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;
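The two sesearch queries in comment 16 can be read mechanically. The function below is an added example, not part of the bug report or of the selinux-policy package: it classifies one access as allowed, denied silently (a dontaudit rule covers it) or denied with an AVC record, using only a captured sesearch dump, so it runs on a host without SELinux. The dump is constructed by pasting the two query results from comment 16 together; the function name classify_access and the three result strings are this example's own choices.

```shell
# Added example (not from the bug report): classify an access from a captured
# `sesearch --all` dump instead of querying the live policy.
# The dump below is constructed from the two queries posted in comment 16.
SESEARCH_DUMP='Found 1 av rules:
   dontaudit ssh_keygen_t user_home_dir_t : dir { getattr search };

Found 5 role allow rules:
   allow system_r sysadm_r ;
   allow user_r sysadm_r ;
   allow user_r system_r ;
   allow sysadm_r user_r ;
   allow sysadm_r system_r ;'

# classify_access SOURCE_TYPE TARGET_TYPE CLASS PERMISSION
# Prints one of: allow, dontaudit, denied-and-audited
classify_access() {
    printf '%s\n' "$SESEARCH_DUMP" | awk -v src="$1" -v tgt="$2" -v cls="$3" -v perm="$4" '
        # AV rules: <allow|dontaudit|auditallow> SRC TGT : CLASS { perm ... } ;
        # Role allow rules ("allow system_r sysadm_r ;") have ";" in field 4, not ":",
        # so they never match here.
        $1 ~ /^(allow|dontaudit|auditallow)$/ && $4 == ":" && $2 == src && $3 == tgt && $5 == cls {
            for (i = 6; i <= NF; i++) {
                tok = $i
                gsub(/[{};]/, "", tok)      # strip braces and the trailing ";"
                if (tok == perm) seen[$1] = 1
            }
        }
        END {
            if ("allow" in seen)          print "allow"
            else if ("dontaudit" in seen) print "dontaudit"
            else                          print "denied-and-audited"
        }'
}

# The search on the .ssh directory is dontaudited only when the directory is
# user_home_dir_t (the label a plain mkdir gives it, see comment 3), which is
# consistent with the description seeing no AVC. Against user_home_t, the label
# restorecon applies, the same denial is logged, as comment 16 observes.
classify_access ssh_keygen_t user_home_dir_t dir search   # dontaudit
classify_access ssh_keygen_t user_home_t dir search       # denied-and-audited
classify_access ssh_keygen_t user_home_dir_t dir write    # denied-and-audited
```

On a live system the same dump is produced by `sesearch -s ssh_keygen_t -t <type> -c dir --all`; the point of parsing it offline is that a dontaudit rule explains a "Permission denied" with an empty `ausearch -m AVC`, which is otherwise easy to misread as a non-SELinux failure.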
Comment 17 Milos Malik 2009-07-22 04:52:00 EDT
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-253.el5
selinux-policy-targeted-2.4.6-253.el5
# cd /root
# rm -rf .ssh
# mkdir .ssh
# restorecon -Rv .
# ls -Zd .ssh
drwxr-xr-x  root root root:object_r:user_home_t        .ssh
#
Comment 18 Milos Malik 2009-07-22 05:03:48 EDT
(In reply to comment #14)
> What is /etc/init.d/try labeled?
> 
> ls -lZ /etc/init.d/try
> 
> If this is labeled initrc_exec_t, I believe it will work either way.  If you
> run ssh-keygen directly it will not work since it will run as unconfined_t.
> 
> No transition happens so the directory does not get created with the correct
> label.  

# ls -Z /etc/init.d/try
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/try
Comment 20 Daniel Walsh 2009-10-15 13:51:13 EDT
Malik, fixed in selinux-policy-2.4.6-260.el5
Comment 25 errata-xmlrpc 2010-03-30 03:49:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
