Description of problem:
SELinux does not permit ssh-keygen to create files in ~/.ssh on NFS-mounted home directories:

[trondham@tux ~]$ df ~
Filesystem          1K-blocks      Used Available Use% Mounted on
nfsserver:/nfshome  178257920 147720384  30537536  83% /nfshome
[trondham@tux ~]$ ls -Zd .ssh
drwx------. trondham usit system_u:object_r:nfs_t:s0 .ssh
[trondham@tux ~]$ cd
[trondham@tux ~]$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/nfshome/trondham/.ssh/id_rsa):
Could not create directory '/nfshome/trondham/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
open /nfshome/trondham/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /nfshome/trondham/.ssh/id_rsa.

Note that the use_nfs_home_dirs boolean is set to "on".

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch

How reproducible:
Always

Steps to Reproduce:
1. Use an NFS mounted home directory
2. Run ssh-keygen

Actual results:
ssh-keygen fails to generate the key, as demonstrated above.

Expected results:
ssh-keygen generates the key without issues.

Additional info:
Running ssh-keygen while in permissive mode, the following appears in audit.log:

# grep ssh-keygen /var/log/audit/audit.log
type=AVC msg=audit(1326375335.616:51497): avc: denied { write } for pid=12412 comm="ssh-keygen" name=".ssh" dev=0:51 ino=25846406 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc: denied { add_name } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc: denied { create } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1326375335.616:51497): avc: denied { open } for pid=12412 comm="ssh-keygen" name="id_rsa" dev=0:51 ino=14226765 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1326375335.616:51497): arch=c000003e syscall=2 success=yes exit=3 a0=7f2b0e42eb80 a1=241 a2=180 a3=fffffff6 items=0 ppid=10147 pid=12412 auid=45150 uid=45150 gid=55150 euid=45150 suid=45150 fsuid=45150 egid=55150 sgid=55150 fsgid=55150 tty=pts38 ses=265 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null)

audit2allow translates this to:

# grep ssh-keygen /var/log/audit/audit.log | audit2allow -m foo
module foo 1.0;

require {
	type ssh_keygen_t;
	type nfs_t;
	class dir { write add_name };
	class file { create open };
}

#============= ssh_keygen_t ==============
#!!!! The source type 'ssh_keygen_t' can write to a 'dir' of the following types:
# user_home_dir_t, etc_t, ssh_home_t, admin_home_t

allow ssh_keygen_t nfs_t:dir { write add_name };
allow ssh_keygen_t nfs_t:file { create open };
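The triage the reporter did by hand (read the AVC records, collapse them to source type / target type / class / permissions, then notice that the denials hit nfs_t even though use_nfs_home_dirs is already on) is what audit2allow automates. The following is an added example, not part of the bug report or of the selinux-policy package: a small audit.log AVC parser that aggregates denials the same way and then points at whether a boolean toggle or a policy fix is the right remedy. The sample lines are copied from the report above (the SYSCALL record is shortened to a few of its fields); the triage rule and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Sample input: the AVC records from the bug report above, plus a shortened
# SYSCALL record (only a few of its fields kept) to show that non-AVC lines
# are skipped. Constructed for this example from the report's audit.log excerpt.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(1326375335.616:51497): avc: denied { write } for pid=12412 comm="ssh-keygen" name=".ssh" dev=0:51 ino=25846406 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc: denied { add_name } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc: denied { create } for pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1326375335.616:51497): avc: denied { open } for pid=12412 comm="ssh-keygen" name="id_rsa" dev=0:51 ino=14226765 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1326375335.616:51497): arch=c000003e syscall=2 success=yes exit=3 comm="ssh-keygen" exe="/usr/bin/ssh-keygen"
"""

# One AVC "denied" record: the permission set in braces, then the source and
# target security contexts and the object class.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit.log line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Aggregate denials into {(source type, target type, class): sorted permissions}."""
    agg = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            agg[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in agg.items()}


def to_allow_rules(summary):
    """Render the aggregate as allow rules, in the shape audit2allow prints."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
        for (s, t, c), p in sorted(summary.items())
    ]


def triage(summary, booleans_on):
    """Hypothetical triage rule for denials against nfs_t (this example's own logic):
    if use_nfs_home_dirs is already on and the domain is still denied, the boolean
    does not cover that domain and the fix belongs in policy; otherwise try the boolean."""
    verdicts = {}
    for (stype, ttype, _cls) in summary:
        if ttype != "nfs_t":
            continue
        if "use_nfs_home_dirs" in booleans_on:
            verdicts[stype] = "policy gap: use_nfs_home_dirs is on, yet %s is denied on nfs_t" % stype
        else:
            verdicts[stype] = "try: setsebool -P use_nfs_home_dirs on"
    return verdicts


def main():
    summary = summarize(SAMPLE_AVC_LINES.splitlines())
    for rule in to_allow_rules(summary):
        print(rule)
    for domain, verdict in triage(summary, {"use_nfs_home_dirs"}).items():
        print(domain, "->", verdict)


if __name__ == "__main__":
    main()
```

Run as-is it prints the two allow rules and flags ssh_keygen_t as a policy gap, which is the conclusion the maintainers reach in the comments below (a policy fix rather than a new audit2allow module). Note that loading the audit2allow module as written would grant ssh_keygen_t write access to every nfs_t directory, not only home directories, which is why the warning in its output about the types ssh_keygen_t is already allowed to write is worth reading before shipping such a module.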
We made some fixes for ssh_keygen which allow it. But I think we should add a boolean for this too.
Hm.. just curious.. what would be the point in adding an extra boolean? We already have this one: use_nfs_home_dirs -> on (Support NFS home directories)
Yes, I want to add this boolean for ssh_keygen_t.
Fixed in selinux-policy-3.7.19-135.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html