On 08/02/2012 11:10 AM, Vadym Chepkov wrote:
On Aug 2, 2012, at 10:33 AM, Daniel J Walsh wrote:
>
> On 08/02/2012 09:51 AM, Vadym Chepkov wrote:
>>
>> On Aug 2, 2012, at 8:45 AM, Daniel J Walsh wrote:
>>
>>>
>>> On 08/01/2012 07:57 PM, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> Not sure if it's a bug or a "feature"
>>>>
>>>> RHEL6.3 selinux-policy-targeted-3.7.19-155.el6_3.noarch
>>>>
>>>> was getting bunch of these:
>>>>
>>>> ----
>>>> time->Tue Jul 31 11:22:21 2012
>>>> type=SYSCALL msg=audit(1343733741.446:154): arch=c000003e syscall=2 success=no
>>>> exit=-13 a0=7f740329e7d0 a1=800 a2=1 a3=24 items=0 ppid=946
>>>> pid=1291 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001
>>>> egid=513 sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd"
>>>> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> key=(null)
>>>> type=AVC msg=audit(1343733741.446:154): avc: denied { read } for pid=1291
>>>> comm="sshd" name="authorized_keys" dev=xvdb ino=3368578
>>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>>>>
>>>> authorized_keys file didn't even exist for root user, it is not
>>>> allowed to login remotely. Silenced it down by creating empty
>>>> authorized_keys file with ssh_home_t context.
>>>>
>>>> Cheers, Vadym
>>>>
>>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>
>>> More like a labeling problem.
>>>
>>> restorecon -R -v /home
>>>
>>
>> root's home is /root , but I don't think it's a problem
>>
>> # date
>> Thu Aug 2 13:42:17 UTC 2012
>> # ls -dZ /root
>> dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
>> # ls -dZ /root/.ssh
>> drwx------. root root system_u:object_r:ssh_home_t:s0 /root/.ssh
>> # ls -dZ .ssh/authorized_keys
>> ls: cannot access .ssh/authorized_keys: No such file or directory
>> # ssh localhost
>> root@localhost's password:
>>
>> # ausearch -m avc -ts recent
>> ----
>> time->Thu Aug 2 13:43:03 2012
>> type=SYSCALL msg=audit(1343914983.632:592368): arch=c000003e syscall=2
>> success=no exit=-13 a0=7fc8d9bd8780 a1=800 a2=1 a3=24 items=0 ppid=946
>> pid=28761 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001
>> egid=513 sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd"
>> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
>> key=(null)
>> type=AVC msg=audit(1343914983.632:592368): avc: denied { read } for pid=28761
>> comm="sshd" name="authorized_keys" dev=xvdb ino=3368578
>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>>
>>
>> Cheers, Vadym
>>
>
>
> This avc is about sshd trying to read a file named authorized_keys that
> is labeled home_root_t. home_root_t is the default label of /home or any
> parent directory to users' homedirs. It looks like you created a user's
> homedir under a directory labeled /home and it did not get labeled
> correctly.
>
> home_root_t has nothing to do with /root
>
Yep, sorry for the noise, that's what it is. All homes were relabeled from
home_root_t to user_home_t after restorecon. Since I have never ever
created anybody's home manually, all homes are created by
oddjob-mkhomedir-0.30-5.el6.x86_64, I assume the bug is in this module.
Thanks, Vadym
Yes it is supposed to do the correct thing. Strange. If you can confirm that
it is creating the directories with the wrong label, please open a bugzilla on it.
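A small triage helper for AVC records like the ones in this thread, added here as an example and not part of the list discussion or of any Red Hat tool. It assumes the record has been rejoined on one line, as `ausearch -m avc` prints it, and it flags the sshd_t-reads-home_root_t combination as a labeling problem (to be fixed with restorecon) rather than as something to allow in policy.

```python
import re

# Constructed sample: the AVC record from the ausearch output above, rejoined on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1343914983.632:592368): avc: denied { read } for '
    'pid=28761 comm="sshd" name="authorized_keys" dev=xvdb ino=3368578 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file'
)

# Header of an AVC record: timestamp, serial, verdict and the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs after "for"; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict; return None for other records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:mls]; the type is what policy rules are written against.
    for side in ("scontext", "tcontext"):
        fields = rec.get(side, "").split(":", 3)
        rec[side + "_type"] = fields[2] if len(fields) > 2 else None
    return rec


def diagnose_home_label(rec):
    """Hint for the case in this thread: home_root_t belongs to /home itself (and other
    parents of home dirs), never to a file inside a user's home, so such a denial points
    at a mislabeled home tree, not at a missing policy rule."""
    if rec is None or rec["verdict"] != "denied":
        return None
    if rec["scontext_type"] == "sshd_t" and rec["tcontext_type"] == "home_root_t":
        return ("%s (dev %s) is labeled home_root_t; relabel the home tree with "
                "restorecon -R -v /home rather than adding a policy exception"
                % (rec.get("name", "<unknown>"), rec.get("dev", "<unknown>")))
    return None
```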