Bug 509138 - Enforcing policy is preventing ssh login via ssh keys
Status: CLOSED DUPLICATE of bug 508584
Product: Fedora
Classification: Fedora
Component: openssh
Version: 11
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
Keywords: Regression, Reopened

Reported: 2009-07-01 10:09 EDT by David Kovalsky
Modified: 2014-03-31 19:45 EDT
Last Closed: 2009-07-02 09:23:57 EDT
Description David Kovalsky 2009-07-01 10:09:40 EDT
I've copied my public ssh key from F10 to a fully updated F11, but if selinux is in enforcing mode I can't log in.

I used `ssh-copy-id -i .ssh/id_rsa.pub root@the-new-system' from F10.

The new F11 box logs this info:
/var/log/messages:
type=AVC msg=audit(1246454396.024:20950): avc:  denied  { getattr } for  pid=3145 comm="sshd" path="/root/.ssh/authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1246454402.940:20961): avc:  denied  { read } for  pid=3187 comm="sshd" name="authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1246454402.940:20961): avc:  denied  { open } for  pid=3187 comm="sshd" name="authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

(repeated many times)

[root@f11dave ~]# ls -lZ /root/.ssh/
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys

selinux-policy-3.6.12-53.fc11.noarch


Seems this is a regression from F10, since I never had issues with this kind of setup since Fedora Core 4 :)

Let me know if you need more info to properly debug the issue.
Comment 1 Daniel Walsh 2009-07-01 13:24:48 EDT
restorecon -R -v /root

Should fix the labeling.
Comment 2 David Kovalsky 2009-07-02 04:57:34 EDT
Thanks Dan, works like a charm.

Perhaps ssh-copy-id could try to set the context properly? Reopening against openssh.
openssh-clients-5.1p1-3.fc10.i386
Comment 3 Jan F. Chadima 2009-07-02 09:23:57 EDT
ssh-copy-id is repaired in f10, f11 and rawhide; please update.
This bug is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=508584, already closed.

*** This bug has been marked as a duplicate of bug 508584 ***
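
An added example, not part of the original bug report or of any Fedora tooling: a Python sketch that collapses the repeated AVC records from the description into one finding per file, showing which label sshd_t was denied on, i.e. the label that `restorecon -R -v /root` from Comment 1 resets. The function names are hypothetical; the sample input is the three log lines quoted above.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the description above.
SAMPLE = """\
type=AVC msg=audit(1246454396.024:20950): avc:  denied  { getattr } for  pid=3145 comm="sshd" path="/root/.ssh/authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1246454402.940:20961): avc:  denied  { read } for  pid=3187 comm="sshd" name="authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1246454402.940:20961): avc:  denied  { open } for  pid=3187 comm="sshd" name="authorized_keys" dev=dm-0 ino=100773002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # SELinux contexts are user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Collapse repeats: (comm, stype, ttype, tclass, ino) -> perms and names seen."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], rec["ino"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["names"].add(rec.get("path") or rec.get("name") or "")
    return dict(groups)

def mislabeled_key_files(log_text):
    """Denials where sshd_t was refused access to an authorized_keys file."""
    hits = []
    for (comm, stype, ttype, tclass, ino), g in summarize(log_text).items():
        is_keys = any(n.endswith("authorized_keys") for n in g["names"])
        if stype == "sshd_t" and tclass == "file" and is_keys:
            hits.append({"ino": ino, "ttype": ttype, "perms": sorted(g["perms"])})
    return hits

if __name__ == "__main__":
    for hit in mislabeled_key_files(SAMPLE):
        print(hit)
```

On the sample it reports a single inode labelled admin_home_t, the same type `ls -lZ` shows in the description.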