
ssh private ssh keys need ssh_home_t selinux context

Open salderma opened this issue 5 years ago • 4 comments

Vagrant version

Vagrant 2.2.4

Host operating system

CentOS Linux release 7.6.1810 (Core) 

Guest operating system

centos/7, but this is irrelevant

Vagrantfile

Vagrant.configure("2") do |config|
  config.vm.box = "centos/7"
end

Debug output

See GIST: https://gist.github.com/salderma/7fbd4a786c396cebfb568a464ac2eb8e

Expected behavior

With SELINUX set to enforcing on CentOS 7 Host, the SSH Private Keys should be usable. Vagrant ssh commands should work.

Actual behavior

Vagrant creates the private key with SELinux context type user_home_t, and SELinux denies the ssh binary access to the key. This blocks the use of vagrant ssh commands. This behavior is also present with ~/.vagrant.d/insecure_private_key; manually setting the key files to SELinux context type ssh_home_t resolves this issue.

$ chcon -t ssh_home_t ~/.vagrant.d/insecure_private_key
$ chcon -t ssh_home_t ~/centos7/.vagrant/machines/default/virtualbox/private_key

The above workaround is problematic for dynamically created keys.

Steps to reproduce

See GIST: https://gist.github.com/salderma/7fbd4a786c396cebfb568a464ac2eb8e

salderma avatar May 10 '19 13:05 salderma
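An added example, not from the issue or from Vagrant itself, that automates the chcon workaround above for both the shared insecure key and the per-machine keys Vagrant generates under a project's .vagrant directory: it reads each key's SELinux context, relabels only keys whose type is not ssh_home_t, and leaves unlabeled filesystems alone. It assumes a Linux host with coreutils stat (-c %C) and chcon; the sample context strings are constructed for the checks.

```shell
#!/bin/sh
# Added example: find Vagrant private keys labeled with a type other than
# ssh_home_t (e.g. user_home_t, which ssh is not allowed to read) and relabel them.

# Extract the type field from a full SELinux context such as
# "unconfined_u:object_r:user_home_t:s0".
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 (true) when a key with this context must be relabeled.
# stat prints "?" when the filesystem carries no SELinux label; leave those alone.
needs_relabel() {
  case $(selinux_type "$1") in
    ssh_home_t|'?'|'') return 1 ;;
    *) return 0 ;;
  esac
}

# List the keys Vagrant uses: the shared insecure key plus every per-machine
# key generated under a project's .vagrant directory (the dynamic case).
vagrant_key_paths() {
  project=${1:-.}
  if [ -f "$HOME/.vagrant.d/insecure_private_key" ]; then
    printf '%s\n' "$HOME/.vagrant.d/insecure_private_key"
  fi
  find "$project/.vagrant/machines" -type f -name private_key 2>/dev/null
}

# Relabel each key whose type is wrong and report what changed.
fix_vagrant_keys() {
  vagrant_key_paths "$1" | while IFS= read -r key; do
    ctx=$(stat -c %C "$key" 2>/dev/null) || continue
    if needs_relabel "$ctx"; then
      chcon -t ssh_home_t "$key" &&
        printf 'relabeled %s (%s -> ssh_home_t)\n' "$key" "$(selinux_type "$ctx")"
    fi
  done
}
```

Run `fix_vagrant_keys ~/centos7` after `vagrant up` to catch the freshly generated key for that project.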

@briancain by adding the enhancement label, does this mean that running Vagrant with SELinux Enforcing is not intentionally supported?

salderma avatar May 16 '19 19:05 salderma

Hi @salderma - no, it just means it looks like something that should be supported and isn't. I'm not sure yet if it is actually supported. These labels are mostly for us maintainers to easily triage what kind of issue it is.

briancain avatar May 16 '19 20:05 briancain

I haven't used CentOS 7 in a long while. Not sure if this is still a problem or not. Probably can close the issue unless someone else confirms the mislabeling of the vagrant generated ssh key.

salderma avatar Jun 22 '22 01:06 salderma

Just experienced this when using https://app.vagrantup.com/gbailey/boxes/al2023; though I'm not sure if this is an issue with vagrant itself, or with the way the vagrant image is built, as e.g. other boxes such as generic/fedora37 do not show this behaviour after enabling selinux.

As a quick fix I did a restorecon on the vagrant home dir in the prepare phase of our molecule run:

restorecon -R /home/vagrant/

Afterwards, when enabling selinux everything works as expected.

/cc @nejch

dlouzan avatar Dec 15 '23 16:12 dlouzan