Bug or feature, absent authorized_hosts

Vadym Chepkov vchepkov at gmail.com
Thu Aug 2 16:10:16 UTC 2012 

On Aug 2, 2012, at 11:36 AM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 08/02/2012 11:10 AM, Vadym Chepkov wrote:
>> 
>> On Aug 2, 2012, at 10:33 AM, Daniel J Walsh wrote:
>> 
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>> 
>>> On 08/02/2012 09:51 AM, Vadym Chepkov wrote:
>>>> 
>>>> On Aug 2, 2012, at 8:45 AM, Daniel J Walsh wrote:
>>>> 
>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>> 
>>>>> On 08/01/2012 07:57 PM, Vadym Chepkov wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> Not sure if it's a bug or a "feature"
>>>>>> 
>>>>>> RHEL6.3 selinux-policy-targeted-3.7.19-155.el6_3.noarch
>>>>>> 
>>>>>> was getting bunch of these:
>>>>>> 
>>>>>> ---- time->Tue Jul 31 11:22:21 2012 type=SYSCALL 
>>>>>> msg=audit(1343733741.446:154): arch=c000003e syscall=2 success=no 
>>>>>> exit=-13 a0=7f740329e7d0 a1=800 a2=1 a3=24 items=0 ppid=946
>>>>>> pid=1291 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001
>>>>>> egid=513 sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd"
>>>>>> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>>>> key=(null) type=AVC msg=audit(1343733741.446:154): avc:  denied  {
>>>>>> read } for  pid=1291 comm="sshd" name="authorized_keys" dev=xvdb
>>>>>> ino=3368578 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 
>>>>>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>>>>>> 
>>>>>> authorized_keys file didn't even exist for root user, it is not
>>>>>> allowed to login remotely. Silenced it down by creating empty
>>>>>> authorized_keys file with ssh_home_t context.
>>>>>> 
>>>>>> Cheers, Vadym
>>>>>> 
>>>>>> -- selinux mailing list selinux at lists.fedoraproject.org 
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>> 
>>>>>> 
>>>>> 
>>>>> More like a labeling problem.
>>>>> 
>>>>> restorecon -R -v /home
>>>>> 
>>>> 
>>>> root's home is /root , but I don't think it's a problem
>>>> 
>>>> # date Thu Aug  2 13:42:17 UTC 2012 # ls -dZ /root dr-xr-x---. root
>>>> root system_u:object_r:admin_home_t:s0 /root # ls -dZ /root/.ssh
>>>> drwx------. root root system_u:object_r:ssh_home_t:s0  /root/.ssh # ls
>>>> -dZ .ssh/authorized_keys ls: cannot access .ssh/authorized_keys: No
>>>> such file or directory # ssh localhost root at localhost's password:
>>>> 
>>>> # ausearch -m avc -ts recent ---- time->Thu Aug  2 13:43:03 2012 
>>>> type=SYSCALL msg=audit(1343914983.632:592368): arch=c000003e syscall=2 
>>>> success=no exit=-13 a0=7fc8d9bd8780 a1=800 a2=1 a3=24 items=0 ppid=946 
>>>> pid=28761 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001
>>>> egid=513 sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd"
>>>> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> key=(null) type=AVC msg=audit(1343914983.632:592368): avc:  denied  {
>>>> read } for  pid=28761 comm="sshd" name="authorized_keys" dev=xvdb
>>>> ino=3368578 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 
>>>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>>>> 
>>>> 
>>>> Cheers, Vadym
>>>> 
>>> 
>>> 
>>> This avc is about sshd trying to read a file names authorized_keys that
>>> is labeled home_root_t.  home_root_t is the default label of /home or any
>>> parent directory to users homedirs.  It looks like you created a users
>>> homedir under a directory labeled /home and it did not get labeled
>>> correcty.
>>> 
>>> home_root_t has nothing to do with /root
>>> 
>> 
>> 
>> Yep, sorry for the noise, that's what it. All home's were relabeled from
>> home_root_t to user_home_t after restorecon. Since I have never ever
>> created anybody's home manually, all homes are created by 
>> oddjob-mkhomedir-0.30-5.el6.x86_64, I assume bug is in this module.
>> 
>> Thanks, Vadym
>> 
>> 
>> 
> Yes it is supposed to do the correct thing.  Strange.  If you can confirm that
> it is creating the directories with the wrong label, please open a bugzilla on it.
> 


I did confirm it, asked a co-worker to login there for the first time :

# ls -dZ /home/jscott
drwxr-xr-x. jscott Domain Users unconfined_u:object_r:home_root_t:s0 /home/jscott

compared to mine:

# ls -dZ /home/vchepkov
drwx------. vchepkov users unconfined_u:object_r:user_home_dir_t:s0 /home/vchepkov


Will open BZ

Thanks,
Vadym

More information about the selinux mailing list