Just found this in the .bashrc of a RHEV hypervisor. Good to know…
# aliases used for the temporary
function mod_vi() {
    # Edit the files, then reset their SELinux labels to the policy defaults
    /bin/vi "$@"
    restorecon -v "$@" >/dev/null 2>&1
}
alias vi="mod_vi"
ssh-copy-id doesn't really work out of the box with the root user when SELinux is enabled.
Tailing audit.log, we see that sshd, running in the sshd_t context, can't read() the authorized_keys file, which is labelled admin_home_t.
type=AVC msg=audit(1354703208.714:285): avc: denied { read } for pid=9759 comm="sshd"
name="authorized_keys" dev=dm-0 ino=17461
scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0
tclass=file
Checking with ls -Z, we find that the DAC permissions are OK, but the MAC label is not:
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys
Instead of messing with audit2allow to modify policies, we just need to run:
# restorecon -v -R .ssh/
This looks up the file-context rules already provided by the SELinux policy and sets the right fcontext for the given path.
To list the involved policies:
# semanage fcontext -l | grep ssh
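As an added example (not from the original post), this script pulls the relevant fields out of AVC denials like the one above and flags authorized_keys files that sshd_t was refused because of their label. The function names, the second log record and the expected type ssh_home_t (the type the stock targeted policy assigns under ~/.ssh) are assumptions; confirm the type against the semanage listing.

```shell
#!/bin/sh
# Constructed sample: the denial from the post joined onto one line, as it
# appears in audit.log, plus one unrelated constructed record.
SAMPLE_LOG='type=AVC msg=audit(1354703208.714:285): avc: denied { read } for pid=9759 comm="sshd" name="authorized_keys" dev=dm-0 ino=17461 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=USER_LOGIN msg=audit(1354703210.100:286): pid=9760 uid=0 msg="op=login acct=root res=success"'

# Assumption: type the stock targeted policy gives files under ~/.ssh.
EXPECTED_TYPE=ssh_home_t

# avc_denials: audit records on stdin; one line per AVC denial:
#   comm|perms|name|source_type|target_type|tclass
avc_denials() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        comm = name = st = tt = cls = ""
        # Permissions sit between the braces: { read }
        b = index($0, "{"); e = index($0, "}")
        perms = (b && e > b) ? substr($0, b + 1, e - b - 1) : ""
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            # A context is user:role:type:level, so the type is part 3
            split(val, c, ":")
            if (key == "comm") comm = val
            else if (key == "name") name = val
            else if (key == "tclass") cls = val
            else if (key == "scontext") st = c[3]
            else if (key == "tcontext") tt = c[3]
        }
        print comm "|" perms "|" name "|" st "|" tt "|" cls
    }'
}

# mislabeled_keys: keep denials where sshd_t was refused access to an
# authorized_keys file whose type differs from EXPECTED_TYPE.
mislabeled_keys() {
    avc_denials | awk -F'|' -v want="$EXPECTED_TYPE" '
        $4 == "sshd_t" && $3 == "authorized_keys" && $5 != want {
            printf "%s: %s denied {%s}, labelled %s, expected %s\n", $3, $4, $2, $5, want
        }'
}

printf '%s\n' "$SAMPLE_LOG" | mislabeled_keys
```

On a real host, feed it the audit log instead of the sample, then check the reported file with ls -Z and relabel it with restorecon as described above.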