10:31 a.m.
Hi, folks,
Our system gets/creates /var/lib/ssh-x509-auth/<username>,pem, then
deletes it when the log out. selinux (in permissive mode) complains.
First, I changed the context to cert_t, and *now* it complains that
ksh93 wants write, etc access on the directory. grep ssh-x509-auth
/var/log/audit/audit.log | audit2allow offers me this:
#============= sshd_t ==============
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };
So: first, is this an expected behavior; second, is that the correct
fcontext, and, finally, is it safe for me to create this as a local
policy?
Thanks in advance.
mark
4:36 a.m.
Hi Mark,
how exactly did you change the context?
I seems to me that you changed context of the whole directory (/var/lib/ssh-x509-auth/).
When creating the file "<username>.pem", sshd would need to have write
permission to /var/lib/ssh-x509-auth/
which corresponds to
allow sshd_t cert_tir write;
The second permission (allow sshd_t var_lib_t:file { write getattr create open ioctl }
could be caused by older AVC (before you changed the context).
Try erasing the audit log before reproducing the issue (which should be done in permissive
mode), or use
ausearch -m avc -te recent | audit2allow
Hope this helps.
Vit Mojzis
SELinux Solutions
Red Hat, Inc.
----- Original Message -----
From: "m roth" <m.roth(a)5-cent.us>
To: "CentOS" <centos(a)centos.org>, "selinux"
<selinux(a)lists.fedoraproject.org>
Sent: Tuesday, April 26, 2016 5:31:16 PM
Subject: username.pem
Hi, folks,
Our system gets/creates /var/lib/ssh-x509-auth/<username>,pem, then
deletes it when the log out. selinux (in permissive mode) complains.
First, I changed the context to cert_t, and *now* it complains that
ksh93 wants write, etc access on the directory. grep ssh-x509-auth
/var/log/audit/audit.log | audit2allow offers me this:
#============= sshd_t ==============
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };
So: first, is this an expected behavior; second, is that the correct
fcontext, and, finally, is it safe for me to create this as a local
policy?
Thanks in advance.
mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
10:06 a.m.
To answer your last question, it would be better to solve this without adding new rules.
Try changing the context of /var/lib/ssh-x509-auth/ directory to var_auth_t (sshd already
has write access to it).
#chcon -R -t var_auth_t /var/lib/ssh-x509-auth/
If this solves the issue, please file a bug so that we can change the context
permanently.
Vit Mojzis
SELinux Solutions
Red Hat, Inc.
----- Original Message -----
From: "m roth" <m.roth(a)5-cent.us>
To: "CentOS" <centos(a)centos.org>, "selinux"
<selinux(a)lists.fedoraproject.org>
Sent: Tuesday, April 26, 2016 5:31:16 PM
Subject: username.pem
Hi, folks,
Our system gets/creates /var/lib/ssh-x509-auth/<username>,pem, then
deletes it when the log out. selinux (in permissive mode) complains.
First, I changed the context to cert_t, and *now* it complains that
ksh93 wants write, etc access on the directory. grep ssh-x509-auth
/var/log/audit/audit.log | audit2allow offers me this:
#============= sshd_t ==============
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };
So: first, is this an expected behavior; second, is that the correct
fcontext, and, finally, is it safe for me to create this as a local
policy?
Thanks in advance.
mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
10:20 a.m.
Vit Mojzis wrote:
To answer your last question, it would be better to solve this
without
adding new rules.
Try changing the context of /var/lib/ssh-x509-auth/ directory to
var_auth_t (sshd already has write access to it).
#chcon -R -t var_auth_t /var/lib/ssh-x509-auth/
If this solves the issue, please file a bug so that we can change the
context permanently.
Hi. Thanks.
I didn't remember which box this was on - that turned out to be the third
CentOS 7 box I looked at... and *both* of the other two where var_auth_t.
I changed the context, and logged in as myself, and it seems to not be
complaining now. So I'm not sure how it wound up with the wrong
context....
Btw, two things: a) no, I didn't want to run chcon, I wanted semanage
fcontext... and b) and this *is* a redhat thing, the manpage for semanage
has changed from the one in 6, and it's much shorter, does not list the
options, and has *no* examples. I had to do a man semange on a 6 box to
get the manpage that gives *examples*, like semanate fcontext -m -t
var_auth_t "/var/lib/ssh-x509-auth(/.*)?".....
mark
----- Original Message -----
From: "m roth" <m.roth(a)5-cent.us>
To: "CentOS" <centos(a)centos.org>, "selinux"
<selinux(a)lists.fedoraproject.org>
Sent: Tuesday, April 26, 2016 5:31:16 PM
Subject: username.pem
Hi, folks,
Our system gets/creates /var/lib/ssh-x509-auth/<username>,pem, then
deletes it when the log out. selinux (in permissive mode) complains.
First, I changed the context to cert_t, and *now* it complains that
ksh93 wants write, etc access on the directory. grep ssh-x509-auth
/var/log/audit/audit.log | audit2allow offers me this:
#============= sshd_t ==============
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };
So: first, is this an expected behavior; second, is that the correct
fcontext, and, finally, is it safe for me to create this as a local
policy?
Thanks in advance.
mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
2921
days inactive
2922
days old
selinux@lists.fedoraproject.org
3 comments
2 participants
participants (2)
-
mark -
Vit Mojzis