On Tue, Feb 10, 2015 at 09:34:13AM -0500, James B. Byrne wrote: > I am startled to learn, if it is a fact, that existing SELinux policy > is tied to the default file names. Given that the host key file names > are user configurable in in sshd_config one would think that a > slightly more flexible approach is called for. If you choose names that aren't part of the policy, you can always supplement the policy with your own rules. The existing policy in CentOS7 is pretty flexible, it should mark files with the following patterns as sshd_key_t: /etc/ssh/ssh_host.*_key, /etc/ssh/ssh_host.*_key.pub, /etc/ssh/primes In CentOS6, the policy is for: /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/primes, /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key ... which is a bit less flexible. If you want to supplement the policy, you can run: semanage fcontext -a -t sshd_key_t "/etc/ssh/whatever_keyname_I_want" ... to update the local policy with your own rules. Then a `restorecon` will choose the correct type. -- Jonathan Billings <billings@xxxxxxxxxx> _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos