Sshh… and See Linux – authorized keys

ssh-copy-id doesn’t really work ootb with root user and SeLinux enabled.

Tailing the audit.log we’ll see that sshd – being in the ssh_t context – can’t read() the authorized_keys file – which is in

type=AVC msg=audit(1354703208.714:285): avc: denied { read } for pid=9759 comm="sshd"
name="authorized_keys" dev=dm-0 ino=17461

Checking with ls -Z we found that DAC permissions are ok, but the MAC are not:
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys

Despite messing with audit2allow to modify policies, we just need to run:

# restorecon -v -R .ssh/

This will search in the already provided selinux policies and set the right fcontext for the given path.

To list the involved policies:

#semanage fcontext -l | grep ssh