Hide Forgot
Description of problem: was trying to remove an old key and ran into this: --- bad# ssh-keygen -R XXX -f /etc/ssh/ssh_known_hosts link /etc/ssh/ssh_known_hosts to /etc/ssh/ssh_known_hosts.old: Permission denied --- and in the logs... --- Jan 23 16:21:32 XXX kernel: : type=1400 audit(1327353692.321:19991): avc: denied { link } for pid=19831 comm="ssh-keygen" name="ssh_known_hosts" dev=sda2 ino=282651 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file --- looking at the file and ssh-keygen... --- bad# ls -alZ /etc/ssh/ssh_known_hosts `which ssh-keygen` -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ssh/ssh_known_hosts -rwxr-xr-x. root root system_u:object_r:ssh_keygen_exec_t:s0 /usr/bin/ssh-keygen --- tried restorecon, no change... --- bad# restorecon /ssh/ssh_known_hosts `which ssh-keygen` bad# ls -alZ /etc/ssh/ssh_known_hosts `which ssh-keygen` -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ssh/ssh_known_hosts -rwxr-xr-x. root root system_u:object_r:ssh_keygen_exec_t:s0 /usr/bin/ssh-keygen --- interestingly some almost identical systems weren't having the problem, looking there... --- works# ls -alZ /etc/ssh/ssh_known_hosts `which ssh-keygen` -rw-r--r--. root root unconfined_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_known_hosts -rwxr-xr-x. root root system_u:object_r:ssh_keygen_exec_t:s0 /usr/bin/ssh-keygen --- did --- bad# chcon unconfined_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_known_hosts --- and then it's happy (no error, and I can remove the old key). restorecon changes it to the broken state --- works# restorecon /etc/ssh/ssh_known_hosts badnow# ls -alZ /etc/ssh/ssh_known_hosts -rw-------. root root system_u:object_r:etc_t:s0 /etc/ssh/ssh_known_hosts --- and removing an old key fails Version-Release number of selected component (if applicable): policycoreutils-2.0.83-19.8.el6_0.x86_64 selinux-policy-targeted-3.7.19-126.el6_2.4.noarch How reproducible: always I don't know why a few systems *didn't* end up broken, but I can break them by running restorecon Steps to Reproduce: 1. run 'restorecon /etc/ssh/ssh_known_hosts' 2. try to remove an old key (ssh -R [system] -f /etc/ssh/ssh_known_hosts) Actual results: avc denied generated, permission denied error, old key not removed Expected results: no avc, no perm error, old key removed Additional info:
You can try the latest RHEL6 policy from http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ -134.el6 packages which make this working again.
Good catch. # rpm -qa selinux-policy\* selinux-policy-minimum-3.7.19-126.el6_2.4.noarch selinux-policy-doc-3.7.19-126.el6_2.4.noarch selinux-policy-mls-3.7.19-126.el6_2.4.noarch selinux-policy-targeted-3.7.19-126.el6_2.4.noarch selinux-policy-3.7.19-126.el6_2.4.noarch # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted # touch /etc/ssh/ssh_known_hosts # restorecon -Rv /etc/ssh/ # ssh-keygen -R xxx.redhat.com -f /etc/ssh/ssh_known_hosts link /etc/ssh/ssh_known_hosts to /etc/ssh/ssh_known_hosts.old: Permission denied # echo $? 255 # ausearch -m avc -ts recent ---- time->Wed Jan 25 02:32:40 2012 type=SYSCALL msg=audit(1327476760.911:12074): arch=c000003e syscall=86 success=no exit=-13 a0=7f8f1a459b80 a1=7fffc0d9b6f0 a2=2 a3=0 items=0 ppid=12566 pid=12763 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=734 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1327476760.911:12074): avc: denied { link } for pid=12763 comm="ssh-keygen" name="ssh_known_hosts" dev=sdb1 ino=1461765 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file ----
The -134 package from comment 2 resolves the problem. And then using ssh-keygen automagically corrects the context? nifty, didn't expect that. --- bad# ls -alZ /etc/ssh/ssh_known_hosts -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ssh/ssh_known_hosts bad# ssh-keygen -R frappe -f /etc/ssh/ssh_known_hosts link /etc/ssh/ssh_known_hosts to /etc/ssh/ssh_known_hosts.old: Permission denied bad# yum install http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/selinux-policy-targeted-3.7.19-134.el6.noarch.rpm http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/selinux-policy-3.7.19-134.el6.noarch.rpm ... stillbad?# ls -alZ /etc/ssh/ssh_known_hosts -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ssh/ssh_known_hosts works# ssh-keygen -R frappe -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts updated. Original contents retained as /etc/ssh/ssh_known_hosts.old autofixed?# ls -alZ /etc/ssh/ssh_known_hosts -rw-------. root root unconfined_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_known_hosts ---
Fixed in selinux-policy-3.7.19-134.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html