Re: SELinux context for ssh host keys?




> On Feb 9, 2015, at 12:27 PM, Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx> wrote:
> 
> On 02/09/2015 11:14 AM, James B. Byrne wrote:
>> So, I decided to run restorecon -v to
>> 
...
>> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
>> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>> 
...
>> There is no REQUIREMENT that a host key have a particular file name is
>> there?  The sshd_config provides for setting one explicitly and doing
>> so seems to cause no problems with ssh connections that I have yet
>> encountered.
> 
> The "system_u" vs. "unconfined_u" is inconsequential. That just comes
> from the process that set the label.
> 
> Looking at the file labeling rules, only the 7 specific file names
> get a type of "sshd_key_t", and, strangely, not the /etc/ssh directory
> itself, so /restorecon/ will just make any other file there inherit
> the type of the directory, which is "etc_t". At first glance that looks
> like a bug, but perhaps there is some reason for that.

If you want to use a non-default filename for something, so that the pre-defined regexes which restorecon uses won’t match on it, you can either add a new regex to the policy which will be persistent or just use chcon to set the type manually.
-- 
Mark Tinberg
mark.tinberg@xxxxxxxx
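To see why restorecon relabeled the 4096-bit key to etc_t and how a persistent local rule changes that, here is an added Python model of file_contexts matching (example code, not from the thread or the CentOS policy; the rule set is constructed to mirror the shape Robert describes, not copied from the real policy):

```python
import re
from typing import List, NamedTuple, Optional

class Spec(NamedTuple):
    regex: str              # regex as written in file_contexts
    ftype: Optional[str]    # "--" regular file, "-d" directory, None = any
    context: str

# Constructed rules (not the real CentOS policy): the broad /etc(/.*)? rule
# and a few exact host-key names that get sshd_key_t.
BASE_SPECS: List[Spec] = [
    Spec(r"/etc(/.*)?", None, "system_u:object_r:etc_t:s0"),
    Spec(r"/etc/ssh/ssh_host_rsa_key", "--", "system_u:object_r:sshd_key_t:s0"),
    Spec(r"/etc/ssh/ssh_host_ecdsa_key", "--", "system_u:object_r:sshd_key_t:s0"),
]

def lookup(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Mimic file_contexts matching: the regex must match the whole path,
    the file-type qualifier must agree, and the LAST matching spec wins
    (file_contexts(5)). file_contexts.local is appended after the base
    policy, which is why a local rule can override /etc(/.*)?."""
    chosen = None
    for spec in specs:
        if spec.ftype not in (None, ftype):
            continue
        if re.fullmatch(spec.regex, path):
            chosen = spec.context
    return chosen

def add_local_rule(specs: List[Spec], regex: str, type_name: str) -> List[Spec]:
    """Model of `semanage fcontext -a -t <type> '<regex>'`: append a rule so
    every future restorecon run finds it (chcon alone is lost on relabel)."""
    return specs + [Spec(regex, None, f"system_u:object_r:{type_name}:s0")]

def relabel_type(context: Optional[str]) -> Optional[str]:
    """Extract the type field (user:role:TYPE:level) from a context string."""
    return context.split(":")[2] if context else None

if __name__ == "__main__":
    for p in ("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_rsa_key_4096"):
        print(p, "->", relabel_type(lookup(BASE_SPECS, p)))
    fixed = add_local_rule(BASE_SPECS, r"/etc/ssh/ssh_host_rsa_key_4096", "sshd_key_t")
    print("after local rule ->", relabel_type(lookup(fixed, "/etc/ssh/ssh_host_rsa_key_4096")))
```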

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
