RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 773641 - SELinux prevents ssh-keygen write access to NFS home dirs
Summary: SELinux prevents ssh-keygen write access to NFS home dirs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-12 13:39 UTC by Trond H. Amundsen
Modified: 2018-11-30 20:10 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-135.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:30:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0780 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-06-19 20:34:59 UTC

Description Trond H. Amundsen 2012-01-12 13:39:21 UTC 
Description of problem:
SELinux does not permit ssh-keygen to create files in ~/.ssh on NFS-mounted home directories:

[trondham@tux ~]$ df ~
Filesystem           1K-blocks      Used Available Use% Mounted on
nfsserver:/nfshome   178257920 147720384  30537536  83% /nfshome
[trondham@tux ~]$ ls -Zd .ssh
drwx------. trondham usit system_u:object_r:nfs_t:s0       .ssh
[trondham@tux ~]$ cd
[trondham@tux ~]$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/nfshome/trondham/.ssh/id_rsa): 
Could not create directory '/nfshome/trondham/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
open /nfshome/trondham/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /nfshome/trondham/.ssh/id_rsa.

Note that the use_nfs_home_dirs is set to "on".

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch

How reproducible:
Always

Steps to Reproduce:
1. Use an NFS mounted home directory
2. run ssh-keygen
  
Actual results:
ssh-keygen fails to generate key as demonstrated above

Expected results:
ssh-keygen generates key without issues

Additional info:
Running ssh-keygen while in permissive mode, the following appears in audit.log:

# grep ssh-keygen /var/log/audit/audit.log
type=AVC msg=audit(1326375335.616:51497): avc:  denied  { write } for  pid=12412 comm="ssh-keygen" name=".ssh" dev=0:51 ino=25846406 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc:  denied  { add_name } for  pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1326375335.616:51497): avc:  denied  { create } for  pid=12412 comm="ssh-keygen" name="id_rsa" scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1326375335.616:51497): avc:  denied  { open } for  pid=12412 comm="ssh-keygen" name="id_rsa" dev=0:51 ino=14226765 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1326375335.616:51497): arch=c000003e syscall=2 success=yes exit=3 a0=7f2b0e42eb80 a1=241 a2=180 a3=fffffff6 items=0 ppid=10147 pid=12412 auid=45150 uid=45150 gid=55150 euid=45150 suid=45150 fsuid=45150 egid=55150 sgid=55150 fsgid=55150 tty=pts38 ses=265 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null)

Audit2allow translates this to:

# grep ssh-keygen /var/log/audit/audit.log | audit2allow -m foo

module foo 1.0;

require {
        type ssh_keygen_t;
        type nfs_t;
        class dir { write add_name };
        class file { create open };
}

#============= ssh_keygen_t ==============
#!!!! The source type 'ssh_keygen_t' can write to a 'dir' of the following types:
# user_home_dir_t, etc_t, ssh_home_t, admin_home_t

allow ssh_keygen_t nfs_t:dir { write add_name };
allow ssh_keygen_t nfs_t:file { create open };
Comment 2 Miroslav Grepl 2012-01-12 14:19:45 UTC 
We made some fixes for ssh_keygen which allow it. But I think we should add a boolean for this too.
Comment 3 Trond H. Amundsen 2012-01-12 14:28:28 UTC 
Hm.. just curious.. what would be the point in adding an extra boolean? We already have this one:

use_nfs_home_dirs              -> on    Support NFS home directories
Comment 4 Miroslav Grepl 2012-01-12 15:02:10 UTC 
Yes, I want to add this boolean for ssh_keygen_t.
Comment 6 Miroslav Grepl 2012-01-25 16:57:25 UTC 
Fixed in selinux-policy-3.7.19-135.el6
Comment 9 errata-xmlrpc 2012-06-20 12:30:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
Note You need to log in before you can comment on or make changes to this bug.