On Aug 2, 2012, at 10:33 AM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 08/02/2012 09:51 AM, Vadym Chepkov wrote:
>>
>> On Aug 2, 2012, at 8:45 AM, Daniel J Walsh wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>
>>> On 08/01/2012 07:57 PM, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> Not sure if it's a bug or a "feature"
>>>>
>>>> RHEL6.3 selinux-policy-targeted-3.7.19-155.el6_3.noarch
>>>>
>>>> was getting bunch of these:
>>>>
>>>> ---- time->Tue Jul 31 11:22:21 2012 type=SYSCALL
>>>> msg=audit(1343733741.446:154): arch=c000003e syscall=2 success=no
>>>> exit=-13 a0=7f740329e7d0 a1=800 a2=1 a3=24 items=0 ppid=946 pid=1291
>>>> auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001 egid=513 sgid=0
>>>> fsgid=513 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
>>>> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC
>>>> msg=audit(1343733741.446:154): avc: denied { read } for pid=1291
>>>> comm="sshd" name="authorized_keys" dev=xvdb ino=3368578
>>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>>>>
>>>> authorized_keys file didn't even exist for root user, it is not allowed
>>>> to login remotely. Silenced it down by creating empty authorized_keys
>>>> file with ssh_home_t context.
>>>>
>>>> Cheers, Vadym
>>>>
>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>
>>> More like a labeling problem.
>>>
>>> restorecon -R -v /home
>>>
>>
>> root's home is /root , but I don't think it's a problem
>>
>> # date Thu Aug 2 13:42:17 UTC 2012 # ls -dZ /root dr-xr-x---. root root
>> system_u:object_r:admin_home_t:s0 /root # ls -dZ /root/.ssh drwx------.
>> root root system_u:object_r:ssh_home_t:s0 /root/.ssh # ls -dZ
>> .ssh/authorized_keys ls: cannot access .ssh/authorized_keys: No such file
>> or directory # ssh localhost root@localhost's password:
>>
>> # ausearch -m avc -ts recent ---- time->Thu Aug 2 13:43:03 2012
>> type=SYSCALL msg=audit(1343914983.632:592368): arch=c000003e syscall=2
>> success=no exit=-13 a0=7fc8d9bd8780 a1=800 a2=1 a3=24 items=0 ppid=946
>> pid=28761 auid=4294967295 uid=0 gid=0 euid=1001 suid=0 fsuid=1001 egid=513
>> sgid=0 fsgid=513 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
>> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC
>> msg=audit(1343914983.632:592368): avc: denied { read } for pid=28761
>> comm="sshd" name="authorized_keys" dev=xvdb ino=3368578
>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
>>
>>
>> Cheers, Vadym
>>
>
>
> This avc is about sshd trying to read a file names authorized_keys that is
> labeled home_root_t. home_root_t is the default label of /home or any parent
> directory to users homedirs. It looks like you created a users homedir under
> a directory labeled /home and it did not get labeled correcty.
>
> home_root_t has nothing to do with /root
>
Yep, sorry for the noise, that's what it.
All home's were relabeled from home_root_t to user_home_t after restorecon.
Since I have never ever created anybody's home manually, all homes are created by
oddjob-mkhomedir-0.30-5.el6.x86_64, I assume bug is in this module.
Thanks,
Vadym
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
