Bug 989714 - SELinux User Context for /root/.ssh/ incorrect after restorecon
SELinux User Context for /root/.ssh/ incorrect after restorecon
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
x86_64 Unspecified
unspecified Severity low
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2013-07-29 14:44 EDT by Ryan Foster
Modified: 2013-07-29 15:31 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-07-29 15:09:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ryan Foster 2013-07-29 14:44:06 EDT
Description of problem:
On RHEL 6.4 x86_64, running "restorecon -r -v /root/.ssh/" only changes the Type  Context for the files within /root/.ssh/ and not their User Context.

How reproducible:
This is reproducible every time for me.

Steps to Reproduce:
1.  Login as root.

2.  Make a directory for SSH in /root/
[root@rhel ~]# mkdir /root/.ssh/

3.  Place an appropriate public key in /root/.ssh/authorized_keys using any regular file transfer method (SFTP/SCP).  I used WinSCP using.

4.  Check SELinux context on /root/.ssh/
[root@rhel ~]# ls -alZ /root/.ssh/
drwx------. root root unconfined_u:object_r:admin_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys

5.  Run restorecon on /root/.ssh/
[root@rhel ~]# restorecon -r -v /root/.ssh/
restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0

6.  Check SELinux context on /root/.ssh/
[root@rhel ~]# ls -alZ
drwx------. root root unconfined_u:object_r:ssh_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root unconfined_u:object_r:ssh_home_t:s0 authorized_keys

Actual results:
/root/.ssh/ and /root/.ssh/authorized_keys keep the User Context "unconfined_u".

Expected results:
/root/.ssh/ and /root/.ssh/authorized_keys change to the User Context "system_u".

Additional info:
This is similar to bug 752197, except without ssh-copy-id.  Though, in that bug's description, restorecon changes the User Context to "system_u" for /root/.ssh/ and /root/.ssh/authorized_keys.  I was expecting the User Context to change based on that bug description and this SELinux rule:

/root/\.ssh(/.*)?       system_u:object_r:ssh_home_t:s0

I've seen some sources[1][2][3][4] say that for the most part SELinux users and roles can be ignored.  In this case, SSH keys certainly work after the restorecon in Step 5, despite /root/.ssh/ and /root/.ssh/authorized_keys having User Context "unconfined_u".  Still, since the expected and actual behaviors differed, I felt filing a bug report might provide some clarity on whether or not this is actually a bug.

  [1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html
"Note" at the bottom
  [2] https://docs.fedoraproject.org/en-US/Fedora/12/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html
"Note" at the bottom (noted for having the same text as [1])
  [3] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html
Last paragraph
  [4] http://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-chapter-0017.html#sec-sel-file-relabel
"Tip" section near the top of linked section
Comment 2 Daniel Walsh 2013-07-29 15:09:10 EDT
We don't change the user context by default

restorecon -F -Rv /root/.ssh

Should get you what you want.
Comment 3 Ryan Foster 2013-07-29 15:31:15 EDT
(In reply to Daniel Walsh from comment #2)
> We don't change the user context by default
> restorecon -F -Rv /root/.ssh
> Should get you what you want.

Ah-hah.  That does indeed change the User Context.  I'm glad to finally understand that.  Going back and rereading "man restorecon", I noticed these lines:

"man restorecon" excerpts:
"This program is primarily used to reset the security context (type)
(extended attributes) on one or more files."
"If a file object has a context, restorecon will only modify the type portion of the security context.  The -F option will force a replacement of the entire context."

If I'd read it a little more closely, I could have saved you the trouble.  Sorry about that.

Thanks for responding!

Note You need to log in before you can comment on or make changes to this bug.