Re: SELinux context for ssh host keys?




On Tue, Feb 10, 2015 at 09:34:13AM -0500, James B. Byrne wrote:
> I am startled to learn, if it is a fact, that existing SELinux policy
> is tied to the default file names.  Given that the host key file names
> are user configurable in sshd_config one would think that a
> slightly more flexible approach is called for.

If you choose names that aren't part of the policy, you can always
supplement the policy with your own rules.  The existing policy in
CentOS7 is pretty flexible; it should mark files with the following
patterns as sshd_key_t:
            /etc/ssh/ssh_host.*_key,
            /etc/ssh/ssh_host.*_key.pub,
            /etc/ssh/primes

In CentOS6, the policy is for:
            /etc/ssh/ssh_host_key.pub,
            /etc/ssh/ssh_host_rsa_key.pub,
            /etc/ssh/ssh_host_dsa_key.pub,
            /etc/ssh/primes,
            /etc/ssh/ssh_host_key,
            /etc/ssh/ssh_host_dsa_key,
            /etc/ssh/ssh_host_rsa_key

... which is a bit less flexible.

If you want to supplement the policy, you can run:

semanage fcontext -a -t sshd_key_t "/etc/ssh/whatever_keyname_I_want"

... to update the local policy with your own rules.  Then a
`restorecon` will choose the correct type.

-- 
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
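The steps Jonathan describes (check whether a HostKey path already matches the stock CentOS 7 sshd_key_t patterns, add a local `semanage fcontext` rule if not, then `restorecon`) as a small audit script. This is an added example, not code from the original message or from CentOS; the stock patterns are the three quoted above, while the function names and the sample sshd_config fragment are assumptions made for illustration. It only prints the commands so you can review them before running them on the host.

```shell
#!/bin/sh
# Audit the HostKey lines of an sshd_config against the stock CentOS 7
# sshd_key_t file-context patterns and print the semanage/restorecon
# commands needed for any key the stock policy would leave unlabelled.
# Added example (not from the mailing-list post); prints a plan only.

# Return 0 if the stock CentOS 7 patterns quoted in the thread
# (/etc/ssh/ssh_host.*_key, /etc/ssh/ssh_host.*_key.pub, /etc/ssh/primes)
# would already label $1 as sshd_key_t. fcontext regexes are anchored to
# the whole path, so the case globs cover the whole path too.
stock_policy_labels_sshd_key() {
    case "$1" in
        /etc/ssh/ssh_host*_key|/etc/ssh/ssh_host*_key.pub|/etc/ssh/primes) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the HostKey paths from an sshd_config. The directive name is
# case-insensitive in sshd, so "hostkey" counts; comment lines are skipped.
hostkey_paths() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# For every HostKey the stock policy would not label, print a local
# fcontext rule covering the private key and its .pub sibling, then one
# restorecon per affected directory so the new rules take effect.
sshd_key_fcontext_plan() {
    hostkey_paths "$1" | {
        dirs=""
        while read -r path; do
            if stock_policy_labels_sshd_key "$path"; then
                echo "# $path: already sshd_key_t under stock CentOS 7 policy"
            else
                # Escape regex metacharacters in the literal path before it
                # goes into the fcontext regex (dots in hostnames are common).
                re=$(printf '%s' "$path" | sed 's/[.*^$]/\\&/g')
                echo "semanage fcontext -a -t sshd_key_t '${re}(\\.pub)?'"
                dirs="$dirs
$(dirname "$path")"
            fi
        done
        printf '%s\n' "$dirs" | sed '/^$/d' | sort -u | while read -r d; do
            echo "restorecon -Rv '$d'"
        done
    }
}

# Constructed sshd_config fragment for the example (not a real host's file).
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/keys/host_rsa_key
hostkey /etc/ssh/keys/host.example.com_key
PermitRootLogin no
EOF
}

# Usage: ./sshd_key_audit.sh --demo  (assumed script name) prints the plan
# for the sample config; on a real host pass the path to /etc/ssh/sshd_config
# to sshd_key_fcontext_plan instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"
    sshd_key_fcontext_plan "$tmp"
    rm -f "$tmp"
fi
```

For the sample config the two stock keys are reported as already covered, the two keys under /etc/ssh/keys each get a `semanage fcontext -a -t sshd_key_t` rule, and a single `restorecon -Rv '/etc/ssh/keys'` follows. After applying the plan, confirm the labels on the host with `ls -Z /etc/ssh/keys` or `matchpathcon` on the key path.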



