Mauriat Miranda (mjmwired)

SELinux Preventing SSH Passwordless Login

Since upgrading to Fedora 9, I am trying much harder to work with SELinux. For the most part it is pretty easy.

I am using passwordless SSH logins between my CentOS 5.1 server and my Fedora 9 desktop. Since my Fedora 8 install never used SELinux, all of my file contexts were “wrong” when I mounted my /home partition. I noticed the following error when I tried to ssh from my server to Fedora (I read /var/log/messages):

setroubleshoot: SELinux is preventing access to files with the label, file_t.
For complete SELinux messages. run sealert -l f414b4c3-ed13-4b83-8a67-3df599e16723

Realizing this is a file context issue, I am pretty sure that a “relabel” (touch /.autorelabel; reboot) would fix this. However, I don’t want to reboot at the moment. I ran the above recommendation (I am shortening the output here):

[mirandam@charon ~]$ sealert -l f414b4c3-ed13-4b83-8a67-3df599e16723

SELinux is preventing access to files with the label, file_t.

Allowing Access:
You can execute the following command as root to relabel your computer system:
touch /.autorelabel; reboot

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                /home/mirandam/.ssh/authorized_keys [ file ]

Raw Audit Messages
host=charon.lunar type=AVC msg=audit(1213619507.698:11): avc:  denied  { getattr } for  pid=2396
comm=sshd path=/home/mirandam/.ssh/authorized_keys dev=sda13 ino=2950756
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file

Simple fix (without reboot):

[mirandam@charon ~]$ /sbin/restorecon -v ~/.ssh/authorized_keys

While this was not a serious problem (I was still able to log in over SSH using a password), the above steps of reading the logs and following the recommendations should remedy most SELinux issues. If you are logged in to your desktop console directly (e.g. GNOME), which I was not, the SELinux Troubleshooter would help with all of the above using graphical tools.
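The triage above (read the AVC line, notice the target is labelled file_t, run restorecon on the path) can be scripted. The following is an added example, not part of the original post: the function names are mine, and the two audit lines are constructed samples modelled on the denial quoted above, not live log output. A target type of file_t or unlabeled_t means the file simply has no label yet, which restorecon fixes; any other type is a real policy decision that relabelling will not change.

```sh
#!/bin/sh
# Triage an SELinux AVC denial: pull out the fields setroubleshoot summarises
# and, when the target merely lacks a label (file_t / unlabeled_t), print the
# restorecon command that fixes it without a reboot.

# Print the value of one key=value field from an audit line ($1=line, $2=key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the type component of an SELinux context (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 and print "restorecon -v PATH" when the denial is a labelling
# problem; return 1 and print nothing when the target already has a real label.
avc_relabel_hint() {
    line=$1
    path=$(avc_field "$line" path)
    # Newer audit daemons quote the path; strip the quotes if present.
    path=${path#\"}
    path=${path%\"}
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    case $ttype in
        file_t|unlabeled_t)
            printf 'restorecon -v %s\n' "$path"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample: the sshd denial from the post, with the file_t target.
SAMPLE_UNLABELED='type=AVC msg=audit(1213619507.698:11): avc:  denied  { getattr } for  pid=2396 comm=sshd path=/home/mirandam/.ssh/authorized_keys dev=sda13 ino=2950756 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file'

# Constructed sample: same shape, but the target carries a proper type, so
# relabelling is not the answer and the policy denial itself needs review.
SAMPLE_LABELED='type=AVC msg=audit(1213619600.000:12): avc:  denied  { read } for  pid=2401 comm=sshd path="/home/mirandam/.ssh/authorized_keys" dev=sda13 ino=2950756 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

for avc in "$SAMPLE_UNLABELED" "$SAMPLE_LABELED"; do
    avc_relabel_hint "$avc" || echo "target already labelled $(ctx_type "$(avc_field "$avc" tcontext)"); not a relabel issue"
done
```

In practice you would feed it the AVC line copied from /var/log/messages or /var/log/audit/audit.log and run the printed restorecon command as the file's owner or as root.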

Posted in: F9, Security, Tips