True true. I was just trying to keep it simple. Most people I deal with, I don't have time to explain rules.

-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of James Hogarth
Sent: Saturday, May 09, 2015 1:47 AM
To: CentOS mailing list
Subject: Re: Q: respecting .ssh/id_rsa

On 8 May 2015 20:41, "Conley, Matthew M CTR GXM" <matthew.m.conley1.ctr@xxxxxxxx> wrote:
>
> chmod 0700 .ssh
> chmod 0600 .ssh/*
>
> Keys can fail if you don't have that setup correctly.
> Also do:
> grep sshd /var/log/audit/audit.log | audit2allow -m sshd # Will let you see what modules it will create.
> grep sshd /var/log/audit/audit.log | audit2allow -M sshd # Creates the modules
>
> semodule -i sshd.pp
>
> grep ssh /var/log/audit/audit.log | audit2allow -m ssh # Will let you see what modules it will create.
> grep ssh /var/log/audit/audit.log | audit2allow -M ssh # Creates the modules
>
> semodule -i ssh.pp
>
> sshd is the server; ssh is the client.
>

<cleveland>No no no no nooooo </Cleveland>

Blindly running audit2allow and creating modules weakens your security, not enhances it.

If you have not messed up your labeling then SSH will have no problem reading keys - SSH keys are fully supported under the policy shipped with CentOS.

If you are mounting your home elsewhere do:

semanage fcontext -a -e /home /mynewspecialhome
restorecon -Rv /mynewspecialhome

That will fix any selinux labelling issues of your home directories properly.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
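The thread touches two separate reasons ssh can refuse to use ~/.ssh/id_rsa: plain file modes (Matthew's chmod rules) and SELinux labels on a home tree mounted outside /home (James's semanage/restorecon fix, as opposed to generating policy with audit2allow). The script below is an added example written for this page, not code posted by either of them. It checks and repairs the modes, reports the SELinux type on a .ssh directory, and wraps the equivalence rule so it only runs where SELinux tooling exists. It assumes GNU coreutils stat(1) (for `-c '%a'` and `-c '%C'`); `/mynewspecialhome` is just the placeholder path from James's message, and the demo builds a deliberately broken .ssh in a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread. Checks/fixes the two things that stop
# ssh from using ~/.ssh/id_rsa: DAC modes and SELinux labels. No audit2allow.
# Assumption: GNU coreutils stat(1) is available (-c '%a' and -c '%C').

# Return 0 if DIR is 0700 and every regular file in it is owner-only
# (600 or 400); otherwise print each offender and return 1.
ssh_perms_check() {
    dir=$1
    rc=0
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    if [ "$mode" != "700" ]; then
        echo "BAD $dir mode $mode (want 700)"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case $mode in
            600|400) ;;
            *) echo "BAD $f mode $mode (want 600)"; rc=1 ;;
        esac
    done
    return $rc
}

# Apply the posted rules: chmod 0700 .ssh; chmod 0600 .ssh/*
ssh_perms_fix() {
    chmod 0700 "$1" || return 1
    for f in "$1"/*; do
        [ -f "$f" ] && chmod 0600 "$f"
    done
    return 0
}

# Print the two commands from James's reply for a home tree mounted at PATH.
# The equivalence rule labels PATH/<user>/.ssh the way /home/<user>/.ssh is
# labelled (ssh_home_t), so no custom policy module is needed.
selinux_home_equiv_cmds() {
    printf 'semanage fcontext -a -e /home %s\nrestorecon -Rv %s\n' "$1" "$1"
}

# Run those commands, but only where SELinux is enabled and semanage exists;
# otherwise print what would run and return 2.
selinux_home_equiv_apply() {
    if ! command -v semanage >/dev/null 2>&1 || ! selinuxenabled 2>/dev/null; then
        echo "no SELinux tooling here; would run:" >&2
        selinux_home_equiv_cmds "$1" >&2
        return 2
    fi
    semanage fcontext -a -e /home "$1" && restorecon -Rv "$1"
}

# SELinux type on a .ssh dir: 0 = ssh_home_t, 1 = some other type (relabel
# needed), 2 = no SELinux context available (GNU stat prints '?').
ssh_label_check() {
    ctx=$(stat -c '%C' "$1" 2>/dev/null) || return 2
    case $ctx in
        *:ssh_home_t:*) return 0 ;;
        '?'|'') return 2 ;;
        *) echo "BAD $1 context $ctx (want ssh_home_t)"; return 1 ;;
    esac
}

# Demo on a constructed, deliberately broken .ssh inside a temp directory.
demo() {
    d=$(mktemp -d)
    mkdir -m 0755 "$d/.ssh"
    : > "$d/.ssh/id_rsa"
    chmod 0644 "$d/.ssh/id_rsa"
    ssh_perms_check "$d/.ssh"            # reports the 755 dir and 644 key
    ssh_perms_fix "$d/.ssh"
    ssh_perms_check "$d/.ssh" && echo "modes OK"
    ssh_label_check "$d/.ssh" || echo "label rc=$? (temp dir, not a home)"
    selinux_home_equiv_cmds /mynewspecialhome
    rm -rf "$d"
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh ssh_home_check.sh demo` to see the failing checks, the fix, and the relabel commands; on a box without SELinux the label check returns 2 rather than pretending the labels are fine.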