SELinux Preventing SSH Passwordless Login
Since upgrading to Fedora 9, I am trying much harder to work with SELinux. For the most part it is pretty easy.
I am using passwordless SSH logins between my CentOS 5.1 server and my Fedora 9 desktop. Since my Fedora 8 install never used SELinux, all my file contexts were “wrong” when I mounted my /home partition. I noticed the following error when I tried to ssh from my server to Fedora (I read /var/log/messages):
setroubleshoot: SELinux is preventing access to files with the label, file_t.
For complete SELinux messages. run sealert -l f414b4c3-ed13-4b83-8a67-3df599e16723
Realizing this is a file context issue, I am pretty sure that a “relabel” (touch /.autorelabel; reboot) would fix this. However, I don’t want to reboot at the moment. I ran the command recommended above (I am shortening the output here):
[mirandam@charon ~]$ sealert -l f414b4c3-ed13-4b83-8a67-3df599e16723
Summary:
SELinux is preventing access to files with the label, file_t.
Allowing Access:
You can execute the following command as root to relabel your computer system:
touch /.autorelabel; reboot
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:object_r:file_t:s0
Target Objects /home/mirandam/.ssh/authorized_keys [ file ]
Raw Audit Messages
host=charon.lunar type=AVC msg=audit(1213619507.698:11): avc: denied { getattr } for pid=2396
comm=sshd path=**/home/mirandam/.ssh/authorized_keys** dev=sda13 ino=2950756
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
Simple fix (without reboot):
[mirandam@charon ~]$ /sbin/restorecon -v ~/.ssh/authorized_keys
While this was not a serious problem (sshd could not read authorized_keys, so key authentication failed, but I was still able to log in over SSH with a password), the above steps of reading the logs and following the recommendations should remedy most SELinux issues. If you are logged into your desktop console directly (e.g. GNOME), which I was not, the SELinux Troubleshooter would help with all of the above through graphical tools.
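The steps above (find the AVC line in the log, read the target context, relabel just the affected path) can be scripted for the common case. The following POSIX shell script is an added example and is not part of the original post: it parses an AVC denial line of the same shape as the raw audit message quoted above, reports the source type, permission and path, and prints a targeted restorecon command when the target type is file_t or unlabeled_t (a file that simply carries no label). The sample log lines are constructed, and the function names avc_field, avc_perm, avc_type, avc_suggest and avc_scan are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pull the useful fields out of an
# AVC denial line and suggest a targeted relabel instead of a full reboot.

# Constructed sample log: one AVC denial shaped like the post's raw audit
# message, plus an unrelated line that the scanner must ignore.
SAMPLE_LOG='Jun 16 08:11:47 charon kernel: usb 1-2: new device
host=charon.lunar type=AVC msg=audit(1213619507.698:11): avc: denied { getattr } for pid=2396 comm=sshd path=/home/mirandam/.ssh/authorized_keys dev=sda13 ino=2950756 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file'

# avc_field LINE KEY: print the value of the KEY=value token in LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the permission(s) named inside "denied { ... }",
# with surrounding whitespace trimmed (ausearch output double-spaces it).
avc_perm() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# avc_type CONTEXT: print the SELinux type (third colon-separated field).
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_suggest LINE: print a one-line fix hint for one denial. A target type of
# file_t or unlabeled_t means the file carries no label at all, so restorecon
# on that path is the right fix; any other type is a policy question, not a
# labeling accident, and should not be papered over with a relabel.
avc_suggest() {
    _line=$1
    _path=$(avc_field "$_line" path)
    _ttype=$(avc_type "$(avc_field "$_line" tcontext)")
    _stype=$(avc_type "$(avc_field "$_line" scontext)")
    _perm=$(avc_perm "$_line")
    case "$_ttype" in
        file_t|unlabeled_t)
            printf '%s denied %s on %s (unlabeled): restorecon -v %s\n' \
                "$_stype" "$_perm" "$_path" "$_path" ;;
        *)
            printf '%s denied %s on %s (type %s): check policy, not labels\n' \
                "$_stype" "$_perm" "$_path" "$_ttype" ;;
    esac
}

# avc_scan: read log text on stdin and handle only AVC lines.
avc_scan() {
    while IFS= read -r _l; do
        case "$_l" in
            *type=AVC*) avc_suggest "$_l" ;;
        esac
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | avc_scan
```

On a real host you would feed it /var/log/messages or the output of `ausearch -m avc`; the script only suggests the command and never runs restorecon itself, so the operator still decides what to relabel.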