-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/02/2012 09:51 AM, Vadym Chepkov wrote:
>
> On Aug 2, 2012, at 8:45 AM, Daniel J Walsh wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 08/01/2012 07:57 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> Not sure if it's a bug or a "feature"
>>>
>>> RHEL6.3 selinux-policy-targeted-3.7.19-155.el6_3.noarch
>>>
>>> was getting bunch of these:
>>>
>>> ---- time->Tue Jul 31 11:22:21 2012 type=SYSCALL
>>> msg=audit(1343733741.446:154): arch=c000003e syscall=2 success=no
>>> exit=-13 a0=7f740329e7d0 a1=800 a2=1 a3=24 items=0 ppid=946 pid=1291
>>> auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001 egid=513 sgid=0
>>> fsgid=513 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
>>> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC
>>> msg=audit(1343733741.446:154): avc: denied { read } for pid=1291
>>> comm="sshd" name="authorized_keys" dev=xvdb ino=3368578
>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>>>
>>> authorized_keys file didn't even exist for root user, it is not allowed
>>> to login remotely. Silenced it down by creating empty authorized_keys
>>> file with ssh_home_t context.
>>>
>>> Cheers, Vadym
>>>
>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>
>> More like a labeling problem.
>>
>> restorecon -R -v /home
>>
>
> root's home is /root , but I don't think it's a problem
>
> # date Thu Aug 2 13:42:17 UTC 2012 # ls -dZ /root dr-xr-x---. root root
> system_u:object_r:admin_home_t:s0 /root # ls -dZ /root/.ssh drwx------.
> root root system_u:object_r:ssh_home_t:s0 /root/.ssh # ls -dZ
> .ssh/authorized_keys ls: cannot access .ssh/authorized_keys: No such file
> or directory # ssh localhost root@localhost's password:
>
> # ausearch -m avc -ts recent ---- time->Thu Aug 2 13:43:03 2012
> type=SYSCALL msg=audit(1343914983.632:592368): arch=c000003e syscall=2
> success=no exit=-13 a0=7fc8d9bd8780 a1=800 a2=1 a3=24 items=0 ppid=946
> pid=28761 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001 egid=513
> sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC
> msg=audit(1343914983.632:592368): avc: denied { read } for pid=28761
> comm="sshd" name="authorized_keys" dev=xvdb ino=3368578
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>
>
> Cheers, Vadym
>
This avc is about sshd trying to read a file names authorized_keys that is
labeled home_root_t. home_root_t is the default label of /home or any parent
directory to users homedirs. It looks like you created a users homedir under
a directory labeled /home and it did not get labeled correcty.
home_root_t has nothing to do with /root
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlAaj6QACgkQrlYvE4MpobP/IACg5vwFSyWA4IwA0Af5J0CWZhj9
+lwAoKdAvqmzP2dJ4TpiIvAQOa+8zjSR
=zrfz
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
