key-pair failure when selinux is in enforcing mode

Bug #1284485 reported by Richard Su on 2014-02-25
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
Richard Su

Bug Description

After applying the patch in https://review.openstack.org/#/c/74607/, you'll still get an avc denial.

devtest fails with this error:
ERROR: Keypair data is invalid: failed to generate fingerprint (HTTP 400) (Request-ID: req-a20787f8-954d-42ae-b925-471beee1e4b0)

On the seed node, /var/log/audit/audit.log shows:
type=AVC msg=audit(1393286662.806:45550): avc: denied { open } for pid=4837 comm="ssh-keygen" path="/tmp/tmpQZ8G83/temp.pub" dev="vda1" ino=262175 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1393286662.806:45550): arch=40000003 syscall=5 success=no exit=-13 a0=b770e760 a1=8000 a2=0 a3=b770e760 items=0 ppid=4614 pid=4837 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 ses=4294967295 tty=(none) comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)

What is strange is running ssh-keygen manually on the seed node to generate a file on /tmp/ succeeds.

Richard Su (rwsu) on 2014-02-25
Changed in tripleo:
status: New → Triaged
importance: Undecided → High

Fix proposed to branch: master
Review: https://review.openstack.org/107233

Changed in tripleo:
assignee: nobody → Richard Su (rwsu)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/107233
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=77d89ebad41d50458ec178cb94fa75d7e8cb3ae2
Submitter: Jenkins
Branch: master

commit 77d89ebad41d50458ec178cb94fa75d7e8cb3ae2
Author: Richard Su <email address hidden>
Date: Tue Jul 15 18:06:54 2014 -0700

    Custom policy for ssh-keygen failure

    This patch contains a custom policy to allow ssh-keygen to write to
    /tmp. This action is blocked by SELinux. The custom policy is needed
    until the upstream SELinux policy is updated for Fedora or nova is
    modified to call ssh-keygen to write out to a different directory.

    Partial-Bug: 1284485
    Change-Id: I59de4e88d9343e093a95436432e2e4d68f425d06

Richard Su (rwsu) on 2014-08-24
tags: added: selinux
Ben Nemec (bnemec) on 2016-04-19
Changed in tripleo:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.