Hi, folks,
Our system gets/creates /var/lib/ssh-x509-auth/<username>.pem, then deletes it when they log out. selinux (in permissive mode) complains. First, I changed the context to cert_t, and *now* it complains that ksh93 wants write, etc. access on the directory. grep ssh-x509-auth /var/log/audit/audit.log | audit2allow offers me this:
#============= sshd_t ==============
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };
So: first, is this an expected behavior; second, is that the correct fcontext, and, finally, is it safe for me to create this as a local policy?
Thanks in advance.
mark
Hi Mark, how exactly did you change the context?
It seems to me that you changed the context of the whole directory (/var/lib/ssh-x509-auth/). When creating the file "<username>.pem", sshd would need to have write permission to /var/lib/ssh-x509-auth/, which corresponds to allow sshd_t cert_t:dir write;
The second permission (allow sshd_t var_lib_t:file { write getattr create open ioctl };) could be caused by an older AVC (from before you changed the context). Try erasing the audit log before reproducing the issue (which should be done in permissive mode), or use ausearch -m avc -te recent | audit2allow
Hope this helps.
Vit Mojzis SELinux Solutions Red Hat, Inc.
----- Original Message ----- From: "m roth" m.roth@5-cent.us To: "CentOS" centos@centos.org, "selinux" selinux@lists.fedoraproject.org Sent: Tuesday, April 26, 2016 5:31:16 PM Subject: username.pem
-- selinux mailing list selinux@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
To answer your last question, it would be better to solve this without adding new rules. Try changing the context of the /var/lib/ssh-x509-auth/ directory to var_auth_t (sshd already has write access to it).
# chcon -R -t var_auth_t /var/lib/ssh-x509-auth/
If this solves the issue, please file a bug so that we can change the context permanently.
Vit Mojzis SELinux Solutions Red Hat, Inc.
Vit Mojzis wrote:
To answer your last question, it would be better to solve this without adding new rules. Try changing the context of the /var/lib/ssh-x509-auth/ directory to var_auth_t (sshd already has write access to it).
# chcon -R -t var_auth_t /var/lib/ssh-x509-auth/
If this solves the issue, please file a bug so that we can change the context permanently.
Hi. Thanks.
I didn't remember which box this was on - that turned out to be the third CentOS 7 box I looked at... and *both* of the other two were var_auth_t. I changed the context and logged in as myself, and it seems to not be complaining now. So I'm not sure how it wound up with the wrong context....
Btw, two things: a) no, I didn't want to run chcon, I wanted semanage fcontext... and b) this *is* a Red Hat thing: the manpage for semanage has changed from the one in 6, and it's much shorter, does not list the options, and has *no* examples. I had to do a man semanage on a 6 box to get the manpage that gives *examples*, like semanage fcontext -m -t var_auth_t "/var/lib/ssh-x509-auth(/.*)?".....
mark
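Both pieces of advice in this thread, filtering out stale AVCs before trusting what audit2allow prints (Vit, above) and making the label persistent with semanage fcontext instead of chcon (Mark, just above), as one added shell script. This is an added example, not code from the thread or from Red Hat. The audit.log lines and their timestamps are constructed to mirror the two denials Mark quoted; /var/lib/ssh-x509-auth and var_auth_t come from the thread; the relabel step assumes root on a CentOS 7 style box with policycoreutils-python (semanage, restorecon, matchpathcon) and, optionally, setools-console (sesearch) installed.

```shell
#!/bin/sh
# Triage and persistent fix for the sshd_t denials discussed in the thread.
# Added example; assumptions: /var/lib/ssh-x509-auth is the directory from the
# thread, var_auth_t is the label Vit suggested, relabel() runs as root with
# semanage/restorecon/matchpathcon (and optionally sesearch) available.
set -u

# Summarise AVC records newer than $2 (epoch seconds) from audit log $1 into
# audit2allow-style rules. Feeding the whole log to audit2allow mixes denials
# against the OLD label (var_lib_t) with the ones you are chasing (cert_t).
avc_rules() {
  awk -v since="$2" '
    /^type=AVC / {
      if (!match($0, /msg=audit\([0-9]+/)) next
      ts = substr($0, RSTART + 10, RLENGTH - 10)      # EPOCH out of audit(EPOCH:SERIAL)
      if (ts + 0 < since + 0) next
      if (!match($0, /[{][^}]*[}]/)) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)     # "write" or "create open getattr"
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, p, ":"); s = p[3] }  # e.g. sshd_t
        else if ($i ~ /^tcontext=/) { split($i, p, ":"); t = p[3] }  # e.g. cert_t
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }            # dir / file
      }
      if (s == "" || t == "" || c == "") next
      key = s SUBSEP t SUBSEP c
      n = split(perms, pl, " ")
      for (j = 1; j <= n; j++)
        if (pl[j] != "" && !((key, pl[j]) in seen)) {
          seen[key, pl[j]] = 1; plist[key] = plist[key] " " pl[j]
        }
    }
    END {
      for (key in plist) {
        split(key, k, SUBSEP); sub(/^ /, "", plist[key])
        if (index(plist[key], " "))
          printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], plist[key]
        else
          printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], plist[key]
      }
    }' "$1" | sort
}

# semanage fcontext takes a regex; (/.*)? covers the directory and everything in it.
fcontext_pattern() {
  printf '%s(/.*)?\n' "$(printf '%s\n' "$1" | sed 's:/*$::')"
}

# Persistent fix: record the label in the policy store, then apply it with
# restorecon. A chcon -R only lasts until the next restorecon or relabel.
relabel() {
  dir=${1%/}; type=$2
  pat=$(fcontext_pattern "$dir")
  if command -v sesearch >/dev/null 2>&1; then
    # relabeling only helps if policy already lets sshd_t write dirs of this type
    sesearch -A -s sshd_t -t "$type" -c dir -p write | grep -q 'allow ' \
      || { echo "policy has no sshd_t -> $type:dir write rule; pick another type" >&2; return 1; }
  fi
  # -a errors if a local record for this pattern already exists, -m errors if none does
  if semanage fcontext -l -C | grep -qF "$pat"; then op=-m; else op=-a; fi
  semanage fcontext "$op" -t "$type" "$pat"
  restorecon -Rv "$dir"
  ls -dZ "$dir"
  matchpathcon "$dir/alice.pem"   # label a freshly created per-user file will get
}

# Constructed audit.log excerpt: two stale denials against var_lib_t from before the
# directory was changed to cert_t, one fresh denial against cert_t from after.
SAMPLE_AVC='type=AVC msg=audit(1461673200.101:201): avc:  denied  { write } for  pid=2301 comm="sshd" name="alice.pem" dev="dm-0" ino=4711 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461673200.102:202): avc:  denied  { create open getattr ioctl } for  pid=2301 comm="sshd" name="alice.pem" dev="dm-0" ino=4711 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1461673200.102:202): arch=c000003e syscall=2 success=yes exit=4 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1461684600.501:340): avc:  denied  { write } for  pid=2388 comm="sshd" name="ssh-x509-auth" dev="dm-0" ino=4700 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1'
RELABEL_EPOCH=1461680000   # assumed time of the chcon to cert_t

demo() {
  log=$(mktemp)
  printf '%s\n' "$SAMPLE_AVC" > "$log"
  echo "# whole log, like grep ... | audit2allow:"; avc_rules "$log" 0
  echo "# only records since the relabel:";        avc_rules "$log" "$RELABEL_EPOCH"
  echo "# fcontext pattern: $(fcontext_pattern /var/lib/ssh-x509-auth/)"
  rm -f "$log"
}

case "${1:-}" in
  --apply) relabel /var/lib/ssh-x509-auth var_auth_t ;;   # root only
  *)       demo ;;
esac
```

Run with no arguments to see what the time filter removes from the constructed log: the whole log yields both the var_lib_t file rule and the cert_t dir rule, the filtered view only the latter. Run as root with --apply to record the var_auth_t label and restore it. On a live system the time filter corresponds to ausearch's -ts option (for example ausearch -m avc -ts recent | audit2allow) or to clearing the log before reproducing, as Vit suggests; the sesearch check is there because the point of relabeling instead of writing a local module is that existing policy already grants sshd_t what it needs on the new type.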