Description of problem:
When running RHTS test (/CoreOS/openssh/sshd/sanity) with SELINUX in enforcing mode I get the following AVC denials:

type=AVC msg=audit(1259764917.385:27): avc: denied { search } for pid=3122 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764917.386:28): avc: denied { search } for pid=3122 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:29): avc: denied { search } for pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:30): avc: denied { search } for pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.698:31): avc: denied { search } for pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.698:32): avc: denied { search } for pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.532:39): avc: denied { search } for pid=3142 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764918.532:40): avc: denied { search } for pid=3142 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:41): avc: denied { search } for pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:42): avc: denied { search } for pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:43): avc: denied { search } for pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764918.898:44): avc: denied { search } for pid=3142 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764921.095:47): avc: denied { search } for pid=3200 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764921.096:48): avc: denied { search } for pid=3200 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:49): avc: denied { search } for pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:50): avc: denied { search } for pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.870:51): avc: denied { search } for pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.871:52): avc: denied { search } for pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. Run test /CoreOS/openssh/sshd/sanity with enabled SELINUX (it's disabled for now), see RHTS job https://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=105338

Actual results:
AVC denials (have to run semodule -b enableaudit.pp to get them)

Expected results:
No AVC denials

Additional info:
These AVC denials appear only when the test is run in RHTS, manual runs (which run in other SELINUX context) don't show these denials. These denials also appear in RHEL6.

Example of failed RHEL6 job, AVC denials not shown: http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=104047

What is the goal of the test? If it is to simulate a user running the test, then the test should be run with a runcon command:

    runcon -t unconfined_t ssh-keygen

Currently you are running it via initrc, which is causing a transition that simulates initrc running ssh-keygen.

Thanks Dan, I will try it with this and report back.
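
Every denial in the report has the same source domain, ssh_keygen_t, which fits the explanation that the harness reaches ssh-keygen through an initrc transition rather than from a user domain. As an added example (not part of the original thread and not Red Hat tooling), this Python script collapses such records into distinct source type, target type, class and permission tuples; SAMPLE is an excerpt of six records taken from the report, and the function names are hypothetical.

```python
import re
from collections import Counter

# Excerpt of six AVC records quoted in the report (one or two per target type).
SAMPLE = """\
type=AVC msg=audit(1259764917.385:27): avc: denied { search } for pid=3122 comm="ssh-keygen" name="selinux" dev=dm-0 ino=81199398 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1259764917.386:28): avc: denied { search } for pid=3122 comm="ssh-keygen" name="/" dev=selinuxfs ino=329 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:29): avc: denied { search } for pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764917.697:30): avc: denied { search } for pid=3122 comm="ssh-keygen" name="home" dev=dm-0 ino=60358657 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:49): avc: denied { search } for pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1259764921.869:50): avc: denied { search } for pid=3200 comm="ssh-keygen" name="root" dev=dm-0 ino=38830081 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    return rec


def se_type(context):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(log_text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue  # skip non-AVC or truncated records
        key = (se_type(rec["scontext"]), se_type(rec["tcontext"]),
               rec.get("tclass", "?"), rec["perms"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE).items():
        print(f"{n:2d}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

A summary whose source type is always ssh_keygen_t points at how the process was launched, which is the distinction the runcon suggestion addresses.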