Red Hat Bugzilla – Bug 989714
SELinux User Context for /root/.ssh/ incorrect after restorecon
Last modified: 2013-07-29 15:31:15 EDT
Description of problem: On RHEL 6.4 x86_64, running "restorecon -r -v /root/.ssh/" only changes the Type Context for the files within /root/.ssh/ and not their User Context. How reproducible: This is reproducible every time for me. Steps to Reproduce: 1. Login as root. 2. Make a directory for SSH in /root/ [root@rhel ~]# mkdir /root/.ssh/ 3. Place an appropriate public key in /root/.ssh/authorized_keys using any regular file transfer method (SFTP/SCP). I used WinSCP using. 4. Check SELinux context on /root/.ssh/ [root@rhel ~]# ls -alZ /root/.ssh/ drwx------. root root unconfined_u:object_r:admin_home_t:s0 . dr-xr-x---. root root system_u:object_r:admin_home_t:s0 .. -rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys 5. Run restorecon on /root/.ssh/ [root@rhel ~]# restorecon -r -v /root/.ssh/ restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0 restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0 6. Check SELinux context on /root/.ssh/ [root@rhel ~]# ls -alZ drwx------. root root unconfined_u:object_r:ssh_home_t:s0 . dr-xr-x---. root root system_u:object_r:admin_home_t:s0 .. -rw-------. root root unconfined_u:object_r:ssh_home_t:s0 authorized_keys Actual results: /root/.ssh/ and /root/.ssh/authorized_keys keep the User Context "unconfined_u". Expected results: /root/.ssh/ and /root/.ssh/authorized_keys change to the User Context "system_u". Additional info: This is similar to bug 752197, except without ssh-copy-id. Though, in that bug's description, restorecon changes the User Context to "system_u" for /root/.ssh/ and /root/.ssh/authorized_keys. I was expecting the User Context to change based on that bug description and this SELinux rule: /root/\.ssh(/.*)? system_u:object_r:ssh_home_t:s0 I've seen some sources[1][2][3][4] say that for the most part SELinux users and roles can be ignored. In this case, SSH keys certainly work after the restorecon in Step 5, despite /root/.ssh/ and /root/.ssh/authorized_keys having User Context "unconfined_u". Still, since the expected and actual behaviors differed, I felt filing a bug report might provide some clarity on whether or not this is actually a bug. [1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html "Note" at the bottom [2] https://docs.fedoraproject.org/en-US/Fedora/12/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html "Note" at the bottom (noted for having the same text as [1]) [3] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html Last paragraph [4] http://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-chapter-0017.html#sec-sel-file-relabel "Tip" section near the top of linked section
We don't change the user context by default restorecon -F -Rv /root/.ssh Should get you what you want.
(In reply to Daniel Walsh from comment #2) > We don't change the user context by default > > restorecon -F -Rv /root/.ssh > > Should get you what you want. Ah-hah. That does indeed change the User Context. I'm glad to finally understand that. Going back and rereading "man restorecon", I noticed these lines: "man restorecon" excerpts: "This program is primarily used to reset the security context (type) (extended attributes) on one or more files." "If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context." If I'd read it a little more closely, I could have saved you the trouble. Sorry about that. Thanks for responding!