Description of problem: When running following command from init script ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" SELinux prevents creating the key and command fails. When run under root from login shell the command passes. Generating public/private rsa key pair. Could not create directory '/root/.ssh'. open /root/.ssh/id_rsa failed: Permission denied. Saving the key failed: /root/.ssh/id_rsa. There is a workaround for the problem. If '-f id_rsa' is used instead of '-f /root/.ssh/id_rsa' the key creation succeeds. However, changing to directory /root/.ssh is needed. Version-Release number of selected component (if applicable): RHEL5.5-Server-20100310.0 x86_64 # rpm -qa selinux-\* selinux-policy-2.4.6-279.el5 selinux-policy-targeted-2.4.6-279.el5 selinux-policy-devel-2.4.6-279.el5 How reproducible: 100% Steps to Reproduce: 1. create file /etc/init.d/run with following content: #!/bin/bash rm -rf /root/.ssh mkdir /root/.ssh restorecon -Rv /root/.ssh/ ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" 2. setenforce Enforcing 3. chcon -t initrc_exec_t /etc/init.d/run 4. execute /etc/init.d/run under root Actual results: SSH key creation fails Expected results: SSH key creation succeeds Additional info: When running # semodule -DB before the test I got following messages printed in log: type=AVC msg=audit(1269020149.639:786): avc: denied { search } for pid=6860 comm="ssh-keygen" name="selinux" dev=dm-0 ino=15630363 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=AVC msg=audit(1269020149.639:786): avc: denied { read } for pid=6860 comm="ssh-keygen" name="config" dev=dm-0 ino=15631881 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=AVC msg=audit(1269020149.640:787): avc: denied { getattr } for pid=6860 comm="ssh-keygen" path="/etc/selinux/config" dev=dm-0 ino=15631881 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=AVC msg=audit(1269020149.641:788): avc: denied { search } for pid=6860 comm="ssh-keygen" name="/" dev=selinuxfs ino=463 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=AVC msg=audit(1269020149.641:788): avc: denied { read } for pid=6860 comm="ssh-keygen" name="mls" dev=selinuxfs ino=12 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=AVC msg=audit(1269020150.617:789): avc: denied { search } for pid=6860 comm="ssh-keygen" name="root" dev=dm-0 ino=9666561 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
Could you try the RHEL5.5 policy? http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch
(In reply to comment #1) > Could you try the RHEL5.5 policy? > > http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch After upgrade the result is almost the same (getattr and read actions are no longer in audit log). # rpm -qa selinux\* selinux-policy-2.4.6-280.el5 selinux-policy-targeted-2.4.6-280.el5 # /etc/init.d/run restorecon reset /root/.ssh context root:object_r:user_home_dir_t:s0->root:object_r:sshd_key_t:s0 Generating public/private rsa key pair. Could not create directory '/root/.ssh'. open /root/.ssh/id_rsa failed: Permission denied. Saving the key failed: /root/.ssh/id_rsa. [root@dhcp-lab-247 ~]# type=AVC msg=audit(1276179018.776:157): avc: denied { search } for pid=2183 comm="ssh-keygen" name="selinux" dev=dm-0 ino=190415 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=SYSCALL msg=audit(1276179018.776:157): arch=c000003e syscall=2 success=no exit=-13 a0=2b705b8d0a04 a1=0 a2=1b6 a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null) type=AVC msg=audit(1276179018.777:158): avc: denied { search } for pid=2183 comm="ssh-keygen" name="/" dev=selinuxfs ino=321 scontext=root:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1276179018.777:158): arch=c000003e syscall=2 success=no exit=-13 a0=7fff7bac0dc0 a1=0 a2=0 a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null) type=AVC msg=audit(1276179019.229:159): avc: denied { search } for pid=2183 comm="ssh-keygen" name="root" dev=dm-0 ino=63425 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir type=SYSCALL msg=audit(1276179019.229:159): arch=c000003e syscall=4 success=no exit=-13 a0=7fff7bac09e0 a1=7fff7bab9910 a2=7fff7bab9910 a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null) type=AVC msg=audit(1276179019.230:160): avc: denied { search } for pid=2183 comm="ssh-keygen" name="root" dev=dm-0 ino=63425 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir type=SYSCALL msg=audit(1276179019.230:160): arch=c000003e syscall=83 success=no exit=-13 a0=7fff7bac09e0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null) type=AVC msg=audit(1276179019.230:161): avc: denied { search } for pid=2183 comm="ssh-keygen" name="root" dev=dm-0 ino=63425 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir type=SYSCALL msg=audit(1276179019.230:161): arch=c000003e syscall=4 success=no exit=-13 a0=2b70586d7960 a1=7fff7bab9910 a2=7fff7bab9910 a3=0 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null) type=AVC msg=audit(1276179019.231:162): avc: denied { search } for pid=2183 comm="ssh-keygen" name="root" dev=dm-0 ino=63425 scontext=root:system_r:ssh_keygen_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir type=SYSCALL msg=audit(1276179019.231:162): arch=c000003e syscall=2 success=no exit=-13 a0=2b70586d7960 a1=241 a2=180 a3=632e746168646572 items=0 ppid=2178 pid=2183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=root:system_r:ssh_keygen_t:s0 key=(null)
restorecon -R -v /root/.ssh
(In reply to comment #3) > restorecon -R -v /root/.ssh This is included in reproducer I've been running. # cat /etc/init.d/run #!/bin/bash rm -rf /root/.ssh mkdir /root/.ssh restorecon -Rv /root/.ssh/ ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""
Afaik it was fixed in the latest selinux-policy-targeted-2.4.6-279.el5. I am trying to test it with selinux-policy-targeted-2.4.6-280.el5 and I am not seeing this issue. Jan, could you check the default context for /root/.ssh # matchpathcon /root/.ssh /root/.ssh root:object_r:sshd_key_t Also could you try to modify your test script to # cat /etc/init.d/run #!/bin/bash rm -rf /root/.ssh mkdir /root/.ssh restorecon -Rv /root/.ssh/ ls -dZ /root/.ssh ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""
[root@dhcp-lab-247 ~]# rpm -qa selinux-policy-targeted selinux-policy-targeted-2.4.6-280.el5 [root@dhcp-lab-247 ~]# [root@dhcp-lab-247 ~]# matchpathcon /root/.ssh /root/.ssh root:object_r:sshd_key_t [root@dhcp-lab-247 ~]# [root@dhcp-lab-247 ~]# cat /etc/init.d/run #!/bin/bash rm -rf /root/.ssh mkdir /root/.ssh restorecon -R -v /root/.ssh ls -dZ /root/.ssh ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" [root@dhcp-lab-247 ~]# /etc/init.d/run restorecon reset /root/.ssh context root:object_r:user_home_dir_t:s0->root:object_r:sshd_key_t:s0 drwxr-xr-x root root root:object_r:sshd_key_t /root/.ssh Generating public/private rsa key pair. Could not create directory '/root/.ssh'. open /root/.ssh/id_rsa failed: Permission denied. Saving the key failed: /root/.ssh/id_rsa.
Fixed in selinux-policy-2.4.6-281.el5.noarch
Yes, it works now. [root@dhcp-lab-247 ~]# rpm -qa selinux-\* selinux-policy-2.4.6-281.el5 selinux-policy-targeted-2.4.6-281.el5 [root@dhcp-lab-247 ~]# matchpathcon /root/.ssh /root/.ssh root:object_r:sshd_key_t [root@dhcp-lab-247 ~]# cat /etc/init.d/run #!/bin/bash rm -rf /root/.ssh mkdir /root/.ssh restorecon -R -v /root/.ssh ls -dZ /root/.ssh ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" [root@dhcp-lab-247 ~]# /etc/init.d/run restorecon reset /root/.ssh context root:object_r:user_home_dir_t:s0->root:object_r:sshd_key_t:s0 drwxr-xr-x root root root:object_r:sshd_key_t /root/.ssh Generating public/private rsa key pair. Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 1b:86:4f:f3:41:91:b3:e9:2a:89:80:10:0a:78:f1:86 root.brq.redhat.com
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: When SELinux was enabled, an attempt to generate a key pair from an init script using the following command failed with an error: ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" These updated selinux-policy packages provide corrected SELinux rules that allow the "ssh_keygen_t" domain to search the content of the /root/.ssh/ directory, so that the key pair creation no longer fails.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html