
Vadym Chepkov 08-01-2012 11:57 PM

Bug or feature, absent authorized_hosts
 
Hi,

Not sure if it's a bug or a "feature"

RHEL6.3
selinux-policy-targeted-3.7.19-155.el6_3.noarch

was getting a bunch of these:

----
time->Tue Jul 31 11:22:21 2012
type=SYSCALL msg=audit(1343733741.446:154): arch=c000003e syscall=2 success=no exit=-13 a0=7f740329e7d0 a1=800 a2=1 a3=24 items=0 ppid=946 pid=1291 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001 egid=513 sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1343733741.446:154): avc: denied { read } for pid=1291 comm="sshd" name="authorized_keys" dev=xvdb ino=3368578 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

The authorized_keys file didn't even exist for the root user; it is not allowed to log in remotely.
Silenced it by creating an empty authorized_keys file with the ssh_home_t context.

Cheers,
Vadym

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Daniel J Walsh 08-02-2012 12:45 PM

Bug or feature, absent authorized_hosts
 

On 08/01/2012 07:57 PM, Vadym Chepkov wrote:
> Hi,
>
> Not sure if it's a bug or a "feature"
>
> RHEL6.3 selinux-policy-targeted-3.7.19-155.el6_3.noarch
>
> was getting a bunch of these:
>
> ----
> time->Tue Jul 31 11:22:21 2012
> type=SYSCALL msg=audit(1343733741.446:154): arch=c000003e syscall=2 success=no exit=-13 a0=7f740329e7d0 a1=800 a2=1 a3=24 items=0 ppid=946 pid=1291 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001 egid=513 sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1343733741.446:154): avc: denied { read } for pid=1291 comm="sshd" name="authorized_keys" dev=xvdb ino=3368578 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>
> The authorized_keys file didn't even exist for the root user; it is not allowed to
> log in remotely. Silenced it by creating an empty authorized_keys file
> with the ssh_home_t context.
>
> Cheers, Vadym
>

More like a labeling problem.

restorecon -R -v /home


Vadym Chepkov 08-02-2012 01:51 PM

Bug or feature, absent authorized_hosts
 
On Aug 2, 2012, at 8:45 AM, Daniel J Walsh wrote:

> More like a labeling problem.
>
> restorecon -R -v /home
>

root's home is /root, but I don't think it's a problem.

# date
Thu Aug 2 13:42:17 UTC 2012
# ls -dZ /root
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
# ls -dZ /root/.ssh
drwx------. root root system_u:object_r:ssh_home_t:s0 /root/.ssh
# ls -dZ .ssh/authorized_keys
ls: cannot access .ssh/authorized_keys: No such file or directory
# ssh localhost
root@localhost's password:

# ausearch -m avc -ts recent
----
time->Thu Aug 2 13:43:03 2012
type=SYSCALL msg=audit(1343914983.632:592368): arch=c000003e syscall=2 success=no exit=-13 a0=7fc8d9bd8780 a1=800 a2=1 a3=24 items=0 ppid=946 pid=28761 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001 egid=513 sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1343914983.632:592368): avc: denied { read } for pid=28761 comm="sshd" name="authorized_keys" dev=xvdb ino=3368578 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file


Cheers,
Vadym


Daniel J Walsh 08-02-2012 02:33 PM

Bug or feature, absent authorized_hosts
 

On 08/02/2012 09:51 AM, Vadym Chepkov wrote:
> root's home is /root, but I don't think it's a problem.
>
> # date
> Thu Aug 2 13:42:17 UTC 2012
> # ls -dZ /root
> dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
> # ls -dZ /root/.ssh
> drwx------. root root system_u:object_r:ssh_home_t:s0 /root/.ssh
> # ls -dZ .ssh/authorized_keys
> ls: cannot access .ssh/authorized_keys: No such file or directory
> # ssh localhost
> root@localhost's password:
>
> # ausearch -m avc -ts recent
> ----
> time->Thu Aug 2 13:43:03 2012
> type=SYSCALL msg=audit(1343914983.632:592368): arch=c000003e syscall=2 success=no exit=-13 a0=7fc8d9bd8780 a1=800 a2=1 a3=24 items=0 ppid=946 pid=28761 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001 egid=513 sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1343914983.632:592368): avc: denied { read } for pid=28761 comm="sshd" name="authorized_keys" dev=xvdb ino=3368578 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>
>
> Cheers, Vadym
>


This avc is about sshd trying to read a file named authorized_keys that is
labeled home_root_t. home_root_t is the default label of /home or any parent
directory to users' homedirs. It looks like you created a user's homedir under
a directory labeled /home and it did not get labeled correctly.

home_root_t has nothing to do with /root.



Vadym Chepkov 08-02-2012 03:10 PM

Bug or feature, absent authorized_hosts
 
On Aug 2, 2012, at 10:33 AM, Daniel J Walsh wrote:

> This avc is about sshd trying to read a file named authorized_keys that is
> labeled home_root_t. home_root_t is the default label of /home or any parent
> directory to users' homedirs. It looks like you created a user's homedir under
> a directory labeled /home and it did not get labeled correctly.
>
> home_root_t has nothing to do with /root.
>


Yep, sorry for the noise, that's what it is.
All homes were relabeled from home_root_t to user_home_t after restorecon.
Since I have never ever created anybody's home manually, all homes are created by
oddjob-mkhomedir-0.30-5.el6.x86_64, I assume the bug is in this module.

Thanks,
Vadym




Daniel J Walsh 08-02-2012 03:36 PM

Bug or feature, absent authorized_hosts
 

On 08/02/2012 11:10 AM, Vadym Chepkov wrote:
> Yep, sorry for the noise, that's what it is. All homes were relabeled from
> home_root_t to user_home_t after restorecon. Since I have never ever
> created anybody's home manually, all homes are created by
> oddjob-mkhomedir-0.30-5.el6.x86_64, I assume the bug is in this module.
>
> Thanks, Vadym
>
>
>
Yes, it is supposed to do the correct thing. Strange. If you can confirm that
it is creating the directories with the wrong label, please open a bugzilla on it.

Vadym Chepkov 08-02-2012 04:10 PM

Bug or feature, absent authorized_hosts
 
On Aug 2, 2012, at 11:36 AM, Daniel J Walsh wrote:

> Yes it is supposed to do the correct thing. Strange. If you can confirm that
> it is creating the directories with the wrong label, please open a bugzilla on it.
>


I did confirm it; I asked a co-worker to log in there for the first time:

# ls -dZ /home/jscott
drwxr-xr-x. jscott Domain Users unconfined_u:object_r:home_root_t:s0 /home/jscott

compared to mine:

# ls -dZ /home/vchepkov
drwx------. vchepkov users unconfined_u:object_r:user_home_dir_t:s0 /home/vchepkov


Will open a BZ.

Thanks,
Vadym


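Added example, not code from the thread or from any Fedora or SELinux tool: a small Python triage script that parses AVC records of the shape quoted above and `ls -dZ` lines, and applies Dan's rule that home_root_t belongs on /home or a parent of home directories, never on a file or on a user's own home directory. The first audit record and the two `ls -dZ` lines are the ones quoted in the thread; the two contrast audit records, the verdict names and the dictionary layout are this example's own assumptions.

```python
import re

# Regexes for the two record shapes quoted in the thread: an audit AVC line,
# and a line of `ls -dZ` output (the context token followed by the path).
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LSZ_RE = re.compile(r'(?P<ctx>\S+:\S+:\S+:\S+)\s+(?P<path>\S+)\s*$')

def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """Type field of a user:role:type[:level] context, e.g. home_root_t."""
    return ctx.split(":")[2]

def triage_avc(rec):
    """Classify a denial the way the thread does: home_root_t belongs on /home (or a
    parent of home directories), never on a file, so sshd_t denied on a home_root_t
    file means the home directory got the wrong label; fix by relabeling, not policy."""
    stype, ttype = context_type(rec["scontext"]), context_type(rec["tcontext"])
    if ttype == "home_root_t" and rec.get("tclass") == "file":
        return "mislabeled-homedir", "restorecon -R -v /home"
    if stype == "sshd_t" and rec.get("name") == "authorized_keys" and ttype != "ssh_home_t":
        return "unexpected-label", "expected ssh_home_t on ~/.ssh/authorized_keys"
    return "other", "not a labeling symptom covered by these rules"

def check_homedir_label(ls_line):
    """From one `ls -dZ` line, flag a directory under /home still carrying home_root_t
    (verdict keys are this example's own, not anything from a real tool)."""
    m = LSZ_RE.search(ls_line)
    if not m:
        return None
    path, ttype = m.group("path"), context_type(m.group("ctx"))
    return {"path": path, "type": ttype,
            "mislabeled": path.startswith("/home/") and ttype == "home_root_t"}

# Sample input: the AVC record and the two `ls -dZ` lines quoted in the thread, plus
# two constructed AVC records for contrast.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1343733741.446:154): avc: denied { read } for pid=1291 comm="sshd" name="authorized_keys" dev=xvdb ino=3368578 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file',
    # constructed: same denial, but the file carries user_home_t rather than home_root_t
    'type=AVC msg=audit(1343914999.000:700): avc: denied { read } for pid=28800 comm="sshd" name="authorized_keys" dev=xvdb ino=4000001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    # constructed: an unrelated denial that neither rule should claim
    'type=AVC msg=audit(1343915000.000:701): avc: denied { write } for pid=900 comm="httpd" name="index.html" dev=xvdb ino=5000001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file',
]
SAMPLE_LS = [
    "drwxr-xr-x. jscott Domain Users unconfined_u:object_r:home_root_t:s0 /home/jscott",
    "drwx------. vchepkov users unconfined_u:object_r:user_home_dir_t:s0 /home/vchepkov",
]

def run_samples():
    """Triage every sample record; returns (AVC verdicts, home directory checks)."""
    verdicts = [triage_avc(parse_avc(line)) for line in SAMPLE_AUDIT]
    dirs = [check_homedir_label(line) for line in SAMPLE_LS]
    return verdicts, dirs
```

Running `run_samples()` flags only the thread's own record as a mislabeled home directory and only jscott's directory in the `ls -dZ` output, matching the diagnosis reached in the thread.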

