
Bug 744966

Summary: .ssh/authorized_keys labeling problem
Product: Red Hat Enterprise Linux 6
Reporter: Honggang LI <honli>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: low
Version: 6.1
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-10-12 18:24:24 UTC
Attachments: beaker job xml file for infiniband perftest

Description Honggang LI 2011-10-11 02:10:19 UTC
Created attachment 527355
beaker job xml file for infiniband perftest

Description of problem:
   Beaker complains about an AVC error in the multi-host automatic test case for infiniband perftest because of a .ssh/authorized_keys labeling problem.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. delete two lines '/sbin/restorecon -R -v /root' in the attachment perftest_multi_host_i386.xml
2. bkr job-submit perftest_multi_host_i386.xml
3. 
  
Actual results:
Info: Searching AVC errors produced since 1318239982.02 (Mon Oct 10 05:46:22 2011)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 10/10/2011 05:46:22 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.LLmn7z 2>&1'
----
time->Mon Oct 10 05:57:39 2011
type=SYSCALL msg=audit(1318240659.495:192438): arch=40000003 syscall=5 success=no exit=-13 a0=2133e58 a1=8800 a2=0 a3=212ea20 items=0 ppid=7206 pid=13464 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318240659.495:192438): avc:  denied  { read } for  pid=13464 comm="sshd" name="authorized_keys" dev=dm-0 ino=1962391 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.LLmn7z | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.4iFPnP 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-107.el6.noarch


Expected results:


Additional info:
Failed : https://beaker.engineering.redhat.com/jobs/141273
Succeed : https://beaker.engineering.redhat.com/jobs/141287
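
Added example (not part of the original report or of Beaker): a shell filter that picks out, from audit records like the one above, the denials where sshd_t was refused a file whose type is not ssh_home_t. The function names and the second sample record are constructed here; ssh_home_t as the type the targeted policy expects on ~/.ssh content is an assumption about the policy in use.

```shell
#!/bin/sh
# Added example: flag sshd denials caused by a mislabeled file.
# Assumption: ssh_home_t is the type the targeted policy expects on ~/.ssh content.
EXPECTED_TYPE="ssh_home_t"

# Reads audit records on stdin and prints "name inode actual_type" for each
# AVC denial where sshd_t was refused a file whose type is not EXPECTED_TYPE.
find_mislabeled_ssh_files() {
    awk -v want="$EXPECTED_TYPE" '
    /type=AVC/ && /denied/ && /tclass=file/ {
        name = ""; ino = ""; sctx = ""; tctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            if ($i ~ /^ino=/)      { ino = substr($i, 5) }
            if ($i ~ /^scontext=/) { sctx = substr($i, 10) }
            if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
        }
        # An SELinux context is user:role:type:level, so the type is field 3.
        split(sctx, s, ":"); split(tctx, t, ":")
        if (s[3] == "sshd_t" && t[3] != want)
            print name, ino, t[3]
    }'
}

# Sample input: the first record is the AVC line from this report; the second
# is constructed (a non-sshd denial that must not be flagged).
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1318240659.495:192438): avc:  denied  { read } for  pid=13464 comm="sshd" name="authorized_keys" dev=dm-0 ino=1962391 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1318240700.000:192500): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
EOF
}

sample_records | find_mislabeled_ssh_files
```

Each flagged entry names a file that sshd could not read because of its label, which is the case the restorecon lines in the job XML take care of.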

Comment 2 Miroslav Grepl 2011-10-11 06:40:02 UTC
I don't see how /root/.ssh dir is created from the attached xml. If you create it by hand

# mkdir /root/.ssh

then you need to run restorecon.

Comment 3 Honggang LI 2011-10-11 06:53:28 UTC
Hi, Miroslav
/root/.ssh was created by the kickstart script, not the attached xml. /sbin/restorecon -R -v /root fixes the issue. However, even without running restorecon, there is no avc error when I run the test manually.

Comment 4 Miroslav Grepl 2011-10-11 07:05:47 UTC
Then this kickstart should contain

[ -x /sbin/restorecon ] && /sbin/restorecon /root/.ssh

in the %post.

How do you run it manually? Which steps?

Comment 5 Honggang LI 2011-10-11 09:05:11 UTC
In fact, the error message arose when the test script set up passwordless ssh connections with an auto-expect script. But there is no avc error when I executed 'ssh_copy_id_exp rdma1' manually.

###### script trigger avc error #########

function ssh_copy_id_exp {

TARGET_HOST=$1   # $1=rdma1

/usr/bin/expect << EOF

set force_conservative 0  ;# set to 1 to force conservative mode even if
			  ;# script wasn't run conservatively originally
if {\$force_conservative} {
	set send_slow {1 .1}
	proc send {ignore arg} {
		sleep .1
		exp_send -s -- \$arg
	}
}


set timeout -1
spawn ssh-copy-id ${TARGET_HOST}
match_max 100000
expect -exact "root@${TARGET_HOST}'s password: "
send -- "xxxxxx\r"
expect eof
EOF
}

ssh_copy_id_exp rdma1

Comment 6 Honggang LI 2011-10-11 09:07:37 UTC
Sorry for the typo; I manually executed 'ssh_copy_id rdma1', not 'ssh_copy_id_exp rdma1'.

Comment 7 Miroslav Grepl 2011-10-11 09:48:22 UTC
ssh-copy-id contains "restorecon", so this is the reason why it works.

Comment 8 Honggang LI 2011-10-11 10:08:56 UTC
However, as comment #5 says, the auto-expect script calls ssh-copy-id too. As the avc error message can be eliminated with '/sbin/restorecon', it is ok to close the bug. I will run restorecon in the kickstart post script when I run multi-host tests which need ssh connections.

Comment 9 Miroslav Grepl 2011-10-11 12:25:40 UTC
Are we talking about the same host?

Comment 10 Honggang LI 2011-10-12 01:44:20 UTC
Yes, all of the automatic tests run on rdma1.rhts.eng.bos.redhat.com and rdma2.rhts.eng.bos.redhat.com.

Comment 11 Miroslav Grepl 2011-10-12 09:54:46 UTC
Ok, I would say to leave restorecon in the %post. Could you send the kickstart?

Comment 12 Honggang LI 2011-10-12 10:14:44 UTC
the main kickstart file:
http://download.lab.bos.redhat.com/qa/rhts/lookaside/rdma-testing/rdma-setup.sh

And I attached a few kickstart statements in the beaker job xml file.