From time to time, something changes the SELinux context of the files under ~jenkins/.ssh:
# restorecon -Fnv ~jenkins/.ssh/authorized_keys
restorecon reset /var/lib/jenkins/.ssh/authorized_keys context system_u:object_r:container_file_t:s0->system_u:object_r:ssh_home_t:s0
# restorecon -Fnv ~jenkins/.ssh
restorecon reset /var/lib/jenkins/.ssh context system_u:object_r:container_file_t:s0->system_u:object_r:ssh_home_t:s0
- How to track what can change this context?
- How to detect this change?
Ad 2. I can trigger a hook, via monit or a similar program, which invokes a script that runs restorecon. However, I can't trace this change in the logs; I don't know how.
Finally, the Jenkins agent cannot run, because it cannot use the SSH key.
aureport -a reports nothing, sealert -a /var/log/audit/audit.log also nothing, and audit2allow -aw is silent as well.
The new, broken context matches Docker's, but I'm not sure. SELinux is in enforcing mode, with the targeted policy type.
Edit:
I added the command
auditctl -w /var/lib/jenkins/.ssh/authorized_keys -p wa -k jenkins-authorized_keys
and I am waiting for output from ausearch -k jenkins-authorized_keys.
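An added example of the hook script described in the question (not code from the post): it compares the file's current SELinux type with the expected one, and on drift logs the mismatch, pulls the recent audit records for the watch key from the edit above, and relabels. It assumes GNU stat's %C format and that logger, ausearch and restorecon are on the PATH; the 'a' in the watch's -p wa covers attribute changes, which is what a relabel (setxattr on security.selinux) is.

```shell
#!/bin/sh
# Constructed check script for a monit/cron hook; the watch key matches the
# auditctl rule from the question. Exit codes: 0 ok, 1 drifted and relabeled,
# 2 path missing, 3 SELinux context unavailable.
KEY=jenkins-authorized_keys

# Third colon-separated field of a context, e.g. container_file_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the observed context's type is not the expected type.
context_drifted() {
    [ "$(context_type "$1")" != "$2" ]
}

# Check one path against an expected type; on drift log, dump audit
# records for the watch key, then relabel with restorecon.
check_path() {
    path=$1
    expected=$2
    ctx=$(stat -c %C "$path" 2>/dev/null) || return 2
    # GNU stat prints "?" when no SELinux context is available.
    [ "$ctx" != "?" ] || return 3
    if context_drifted "$ctx" "$expected"; then
        logger -t selinux-drift "$path has $ctx, expected type $expected"
        # Who touched the file recently, as recorded by the auditctl watch.
        ausearch -k "$KEY" -i --start recent 2>/dev/null | logger -t selinux-drift
        restorecon -Fv "$path" 2>&1 | logger -t selinux-drift
        return 1
    fi
    return 0
}

# Walk every path given on the command line, e.g. from the monit hook:
#   ./check-ssh-context.sh /var/lib/jenkins/.ssh /var/lib/jenkins/.ssh/authorized_keys
main() {
    rc=0
    for p in "$@"; do
        check_path "$p" ssh_home_t || rc=$?
    done
    return "$rc"
}

# Entry point only when paths are supplied.
[ $# -eq 0 ] || main "$@"
```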