Bug 752197 - /root/.ssh created with wrong selinux context
Status: CLOSED DUPLICATE of bug 739989
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Hardware: x86_64 Linux
Priority: unspecified, Severity: low
Assigned To: Petr Lautrbach
BaseOS QE Security Team
Reported: 2011-11-08 14:34 EST by Michael Brown
Modified: 2012-12-07 04:20 EST
Doc Type: Bug Fix
Last Closed: 2011-12-12 11:35:37 EST
Description Michael Brown 2011-11-08 14:34:52 EST
Description of problem:
On a clean, updated RHEL 6.1 host, ssh-copy-id from a remote machine creates /root/.ssh with the wrong SELinux context.

How reproducible:
Every time

Steps to Reproduce:
[root@rhel ~]# ls -al /root/.ssh/
ls: cannot access /root/.ssh/: No such file or directory

(on another computer, run: 'ssh-copy-id root@rhel' and enter the password)

[root@rhel ~]# ls -alZ /root/.ssh
drwx------. root root unconfined_u:object_r:admin_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys

(looks like .ssh has been created with the wrong context. It can't be used to
ssh in with a key)

[root@rhel ~]# restorecon -r /root/.ssh
[root@rhel ~]# ls -alZ /root/.ssh
drwx------. root root system_u:object_r:ssh_home_t:s0  .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root system_u:object_r:ssh_home_t:s0  authorized_keys

(context has been fixed - can now ssh in using a key)
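
Added example, not part of the original report or of openssh: a shell check that reads `ls -alZ` output such as the listings above and reports entries under .ssh whose SELinux type is not ssh_home_t. The function names are this example's own, and the embedded sample listings are copied from the report's before/after output.

```shell
#!/bin/sh
# Added example: flag .ssh entries whose SELinux type is not ssh_home_t.
EXPECTED_TYPE="ssh_home_t"   # type shown in the report after restorecon

# Reads `ls -alZ <dir>` output on stdin. The context is taken from the first
# field shaped like user:role:type:level, the name from the last field.
# Prints "name type" for each mislabeled entry (".." is skipped because the
# parent directory keeps its own type). Returns 1 if anything was flagged.
ssh_label_audit() {
    awk -v want="$EXPECTED_TYPE" '
        $NF == ".." { next }
        {
            for (i = 1; i < NF; i++) {
                if (split($i, ctx, ":") >= 4) {
                    if (ctx[3] != want) { print $NF, ctx[3]; bad = 1 }
                    break
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample listings copied from the report: before restorecon ...
sample_before() {
    cat <<'EOF'
drwx------. root root unconfined_u:object_r:admin_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys
EOF
}

# ... and after `restorecon -r /root/.ssh`.
sample_after() {
    cat <<'EOF'
drwx------. root root system_u:object_r:ssh_home_t:s0  .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root system_u:object_r:ssh_home_t:s0  authorized_keys
EOF
}

# Demo on the embedded samples.
echo "before restorecon:"; sample_before | ssh_label_audit || echo "=> mislabeled"
echo "after restorecon:";  sample_after  | ssh_label_audit && echo "=> ok"
```

On a live host the same check is `ls -alZ /root/.ssh | ssh_label_audit`; lines that carry no SELinux context are skipped rather than flagged.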
Comment 1 Daniel Walsh 2011-11-08 14:36:35 EST
Please try this with RHEL6.2 policy

Preview release available on http://people.redhat.com/dwalsh/SELinux/RHEL6
Comment 3 Miroslav Grepl 2011-11-09 02:27:43 EST
Does your ssh-copy-id contain restorecon?

[mgrepl@rhel6 RHEL-6]$ grep restorecon /usr/bin/ssh-copy-id
{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys" || exit 1

The problem is probably that you run ssh-copy-id from a machine where ssh-copy-id doesn't contain restorecon, which is needed for RHEL6.2.
Comment 4 Petr Lautrbach 2011-12-09 10:20:42 EST
This seems to be a duplicate of #739989.

What is the version of the openssh package on the remote machine?
Comment 6 Daniel Walsh 2011-12-12 11:35:37 EST

*** This bug has been marked as a duplicate of bug 739989 ***
