SSH AuthorizedKeysCommand and SELinux

Tags: selinux, ssh, sshd

I'm trying to use the SSH AuthorizedKeysCommand in a CentOS 6.5 machine, but I'm encountering an SELinux error. When I switch SELinux to permissive mode – using setenforce 0 – it works, but when I turn SELinux back to enforcing, the command no longer works.

I get the following readout in my audit log (all one line):

type=AVC msg=audit(1404210795.382:917): avc: denied { execute } for pid=2924 comm="sshd"
name="get-keys" dev=dm-0 ino=167467 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file

The SELinux policy for the get-keys command was different before. I set it to the same settings as the sshd command. I've also tried setting all SSH-relevant SELinux Booleans to true – all the ones I could find with grep:

$ getsebool -a | grep ssh
allow_ssh_keysign --> on
fenced_can_ssh --> on
ssh_chroot_full_access --> on
ssh_chroot_manage_apache_content --> on
ssh_chroot_rw_homedirs --> on
ssh_sysadm_login --> on

/usr/bin/get-ssh-keys/ contains the get-keys command. Here are the permissions for that directory:

$ ls -laZ /usr/bin/get-ssh-keys/
drwxr--r--. root root unconfined_u:object_r:etc_t:s0   .
dr-xr-xr-x. root root system_u:object_r:bin_t:s0       ..
-rwx--x--x. root root system_u:system_r:sshd_t:s0-s0:c0.c1023 get-keys

[...]

$ ls -laZ /usr/
drwxr-xr-x. root root system_u:object_r:usr_t:s0       .
dr-xr-xr-x. root root system_u:object_r:root_t:s0      ..

[...]

And here are the relevant /etc/ssh/sshd_config settings:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /usr/bin/get-ssh-keys/get-keys
AuthorizedKeysCommandRunAs root

The get-keys command is connecting over a socket to another server as well as writing to log files in /var/log/get-ssh-keys/error_log. Maybe that's why SELinux is preventing access, but I don't think so.

Is there something plainly obvious I'm missing?

There's some confusion about the AuthorizedKeysCommand. It doesn't actually read keys from the ~/.ssh/ directory. Instead, the AuthorizedKeysCommand setting specifies a program that will print all keys for a given user to stdout as individual lines.

The command I've specified, get-keys, works with SELinux set to permissive, but fails when set to enforcing.

I get prompted for a password with SELinux enforcing, but I'm allowed to log in using the keys the command retrieves with SELinux permissive.
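The AVC record above already contains the diagnosis: the file's target context (tcontext) has role system_r and type sshd_t, i.e. a process domain's context rather than a file type such as bin_t, so sshd_t is denied execute on it and the fix is a relabel, not an allow rule. The following is an added example, not code from the question or the answer: a small Python triage script that parses an AVC denial (re-joined onto one line, as auditd writes it), classifies it, derives the relabel commands from the AuthorizedKeysCommand path in sshd_config, and flags the RunAs user. Assumptions are marked in the code: the AVC line is the one from the question, the sshd_config fragment is a constructed copy of the settings shown above, and bin_t is taken as the intended file type for an executable under /usr/bin, which is what restorecon would assign there by default.

```python
"""Triage an SELinux AVC denial hit by sshd's AuthorizedKeysCommand (added example)."""
import posixpath
import re
from dataclasses import dataclass

# The AVC record from the question, re-joined into a single line as auditd emits it.
AVC_LINE = (
    'type=AVC msg=audit(1404210795.382:917): avc: denied { execute } for pid=2924 comm="sshd" '
    'name="get-keys" dev=dm-0 ino=167467 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file'
)

# Constructed sshd_config fragment mirroring the settings in the question.
SSHD_CONFIG = """\
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /usr/bin/get-ssh-keys/get-keys
AuthorizedKeysCommandRunAs root
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    perms: list   # permissions that were denied, e.g. ['execute']
    fields: dict  # key/value pairs after "for": pid, comm, name, scontext, tcontext, tclass, ...


def parse_avc(record):
    """Parse one AVC record (possibly wrapped over several lines) into perms and fields."""
    line = ' '.join(record.split())            # undo line wrapping
    m = DENIED_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record')
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    return Avc(perms, fields)


def ctx_role_type(ctx):
    """Return (role, type) from an SELinux context user:role:type[:level]."""
    parts = ctx.split(':')
    return parts[1], parts[2]


def relabel_commands(command_path):
    """Persistent relabel of the command's directory to bin_t (assumed file type), then apply it."""
    directory = posixpath.dirname(command_path)
    return [
        f"semanage fcontext -a -t bin_t '{directory}(/.*)?'",
        f"restorecon -Rv {directory}",
    ]


def triage(avc, command_path):
    """Classify the denial: a labelling mistake on the file, an exec denial, or something to review."""
    s_role, s_type = ctx_role_type(avc.fields['scontext'])
    t_role, t_type = ctx_role_type(avc.fields['tcontext'])
    tclass = avc.fields['tclass']
    if tclass == 'file' and t_role != 'object_r':
        # Files carry role object_r. A process role (system_r) and domain type on a file
        # means the file was given a process context; no domain may execute that.
        return {
            'verdict': 'mislabelled-file',
            'reason': f'file label has role {t_role!r} and type {t_type!r}, a process domain, '
                      f'not a file type; it must be relabelled, not allowed',
            'fix': relabel_commands(command_path),
        }
    if tclass == 'file' and 'execute' in avc.perms:
        return {
            'verdict': 'exec-denied',
            'reason': f'domain {s_type!r} may not execute files of type {t_type!r}',
            'fix': relabel_commands(command_path),
        }
    return {
        'verdict': 'review',
        'reason': f'{s_type!r} denied {avc.perms} on {tclass!r} {t_type!r}; '
                  f'inspect with sealert before generating any policy module',
        'fix': [],
    }


def audit_sshd_config(text):
    """Extract the AuthorizedKeysCommand settings and flag a RunAs user with more privilege than needed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            key, _, value = line.partition(' ')
            settings[key] = value.strip()
    findings = []
    if settings.get('AuthorizedKeysCommandRunAs') == 'root':
        findings.append('AuthorizedKeysCommandRunAs root: the key lookup runs fully privileged; '
                        'a dedicated unprivileged account is enough to print keys to stdout')
    return settings.get('AuthorizedKeysCommand'), findings


if __name__ == '__main__':
    command, findings = audit_sshd_config(SSHD_CONFIG)
    result = triage(parse_avc(AVC_LINE), command)
    print(result['verdict'], '-', result['reason'])
    for cmd in result['fix']:
        print('  ', cmd)
    for f in findings:
        print('note:', f)
```

Run as-is it reports the question's record as a mislabelled file and prints the semanage/restorecon pair; the directory pattern `(/.*)?` covers the directory itself (currently etc_t) as well as get-keys. If a denial is still logged after the relabel, that is the point at which sealert and audit2allow belong, because only then is the denial a real policy gap rather than a label mistake.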

Best Answer

Mate, I'm sure you've figured it out already, but just in case:

  1. You need a tool to troubleshoot SELinux: yum install setroubleshoot
  2. See if the alert has been logged, and after you review it, create a policy: sealert -a /var/log/audit/audit.log

The tool will tell you what to do:

[root@zabbix audit]# sealert -a /var/log/audit/audit.log
 49% done'list' object has no attribute 'split'
 100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python2.7 from name_connect access on the       tcp_socket port 3306.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed name_connect access on the      port 3306 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp