SELinux, ssh and network $HOME/.ssh

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

SELinux, ssh and network $HOME/.ssh

Post by davidbiesack » 2017/05/16 19:21:24

Passwordless ssh to my CentOS 7.3 desktop fails (I must enter my password each time, then it continues). I believe this is due to SELinux which is enabled. My `/var/log/audit` contains
```
type=PATH msg=audit(1494957305.620:18822): item=0 name="/u/userid/.ssh/authorized_keys" objtype=UNKNOWN
```

However, I can't change the context of `~/.ssh` as per the SELinux Troubleshooter
```
$ ls -dZ ~/.ssh/ ~/.ssh/authorized_keys
drwx------. sasdjb users system_u:object_r:nfs_t:s0 /u/sasdjb/.ssh/
-rwx------. sasdjb users system_u:object_r:nfs_t:s0 /u/sasdjb/.ssh/authorized_keys

$ semanage fcontext -a -t ssh_home_t ~/.ssh/
ValueError: SELinux policy is not managed or store cannot be accessed.
...
```

Presumably this is because my `$HOME` is on an NFS volume, `/r/server-name/vol/vol220/path...` which does not support SELinux contexts.
(This is further confirmed by running `sudo setenforce 0` after which passwordless ssh works.)

I'm trying to verify the correct solution for this - I've seen recommendations not to disable SELinux, but I can't find a way to grant `sshd` access to my `~/.ssh` without the wider change of disabling SELinux.

Perhaps in `/etc/selinux/config` changing
```
SELINUX=enforcing
```
to
```
SELINUX=permissive
```
is the best fix? (Even though that seems like it is effectively disabling SELinux...) Should I leave
```
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
as is? Or perhaps only change that to `minimum` and leave `SELINUX=enforcing`? I don't want to experiment. I can't find good answers in the FAQ.

```
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.3.1611 (Core)
Release: 7.3.1611
Codename: Core
```
David Biesack
CentOS 7.2

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux, ssh and network $HOME/.ssh

Post by TrevorH » 2017/05/16 19:32:07

Try running setsebool -P use_nfs_home_dirs on and see if that helps.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: SELinux, ssh and network $HOME/.ssh

Post by davidbiesack » 2017/05/17 15:04:26

TrevorH wrote: Try running setsebool -P use_nfs_home_dirs on and see if that helps.
Did not seem to help. I'm still prompted for a password. `/var/log/audit` shows

```
type=PATH msg=audit(1495033263.067:16851): item=0 name="/u/sasdjb/.ssh/authorized_keys" objtype=UNKNOWN1
type=USER_AUTH msg=audit(1495033263.068:16852): pid=6591 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="sasdjb" exe="/usr/sbin/sshd" hostname=? addr=10.220.52.192 terminal=ssh res=failed'
```

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux, ssh and network $HOME/.ssh

Post by TrevorH » 2017/05/17 15:18:10

What do you get from the output of aureport -a around the time of the login attempt? Take the number off the right hand end of any aureport -a entries at the correct time and feed that into ausearch -a nnnn (nnn being the number) and post that here.

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: SELinux, ssh and network $HOME/.ssh

Post by davidbiesack » 2017/05/17 20:04:34

The ssh attempt results in

```
56. 05/17/17 16:01:44 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 2 lnk_file read unconfined_u:object_r:default_t:s0 denied 37304
```

but no results:

```
$ sudo ausearch -n 37304
<no matches>
```

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux, ssh and network $HOME/.ssh

Post by TrevorH » 2017/05/17 20:14:46

ausearch -a 37304 not -n

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: SELinux, ssh and network $HOME/.ssh

Post by davidbiesack » 2017/05/18 14:46:37

TrevorH wrote: ausearch -a 37304 not -n
Oops, my bad. Here ya go:

```
$ sudo ausearch -a 37304
----
time->Wed May 17 16:01:44 2017
type=PATH msg=audit(1495051304.726:37304): item=0 name="/u/sasdjb/.ssh/authorized_keys" objtype=UNKNOWN
type=CWD msg=audit(1495051304.726:37304):  cwd="/"
type=SYSCALL msg=audit(1495051304.726:37304): arch=c000003e syscall=2 success=no exit=-13 a0=7f5ba8934440 a1=800 a2=1 a3=7f5ba2a8c2e0 items=1 ppid=1621 pid=10601 auid=4294967295 uid=0 gid=0 euid=394 suid=0 fsuid=394 egid=10 sgid=0 fsgid=10 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1495051304.726:37304): avc:  denied  { read } for  pid=10601 comm="sshd" name="sasdjb" dev="dm-0" ino=4923607 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
sasdjb@d77781.na.sas.com /local/src/libav (master)
```
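The AVC record in the post above is the part that actually explains the denial: the source domain, target label, object class and permission are all in it. As an added example (not code from this thread or from any of its posters), here is a small Python parser that pulls those fields out of an audit AVC line and states what this particular combination means; the sample line is the record quoted above, embedded as a string, and the `dm-` device heuristic is an assumption of the example.

```python
import re

# Sample input: the AVC record quoted in this thread, embedded here as a string.
SAMPLE_AVC = (
    'type=AVC msg=audit(1495051304.726:37304): avc:  denied  { read } for  pid=10601 '
    'comm="sshd" name="sasdjb" dev="dm-0" ino=4923607 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    # The SELinux type is the third field of a user:role:type:level context.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def explain(rec):
    """Plain-language reading of the record; returns a list of findings."""
    findings = []
    if rec['result'] == 'denied':
        findings.append('%s was denied %s on a %s named %s' % (
            rec['stype'], '/'.join(rec['perms']), rec['tclass'], rec['name']))
    if rec['tclass'] == 'lnk_file':
        # The denial is on the symlink itself, so its own label is what matters.
        findings.append('object is a symlink; its own label matters, not the target')
    if rec['ttype'] == 'default_t':
        # default_t: no file-context rule matched the path; sshd_t has no rule for it.
        findings.append('object is labeled default_t (no matching fcontext rule)')
    if rec.get('dev', '').startswith('dm-'):
        # Assumption: dm-* is a local device-mapper block device, not the NFS export.
        findings.append('object lives on local device %s, not on NFS' % rec['dev'])
    return findings


if __name__ == '__main__':
    for finding in explain(parse_avc(SAMPLE_AVC)):
        print(finding)
```

Read this way, the record says the denied object is the `sasdjb` symlink on local disk, not the NFS-mounted `.ssh` directory, which is why relabeling the NFS path and the `use_nfs_home_dirs` boolean did not change the outcome.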

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux, ssh and network $HOME/.ssh

Post by TrevorH » 2017/05/18 15:10:06

That means not very much to me. In the absence of any other responses here you might want to post to the selinux mailing list and see if you get more help there.
