Thank you for the response, but of course I'd tried this before asking.
It has no effect. SELinux still prevents opening authorized_keys.
I suppose there is something wrong with the file contexts on my cephfs. For
instance, 'ls -Z' shows just a '?' as a context, and chcon fails with
an "Operation not supported" message. Where should I look for the error?
You can set up a custom SELinux module to enable access. We use the
following snippet to allow sshd to access authorized keys in home
directories on CephFS:

    module local-ceph-ssh-auth 1.0;

    require {
        type cephfs_t;
        type sshd_t;
        class file { read getattr open };
    }

    #============= sshd_t ==============
    allow sshd_t cephfs_t:file { read getattr open };

Compiling and persistently installing such a module is covered by
various documentation, such as:
https://wiki.centos.org/HowTos/SELinux#head-aa437f65e1c7873cddbafd9e9a73bbf9d102c072
(7.1. Manually Customizing Policy Modules). Also covered there is
using audit2allow to create your own module from SELinux audit logs.
thanks,
Ben
On Tue, Sep 17, 2019 at 9:22 AM Andrey Suharev <A.M.Suharev@xxxxxxxxxx> wrote:
Hi all,
I would like to have my home dir on cephfs and to keep SELinux enabled
at the same time.
The trouble is that SELinux prevents sshd from accessing the
~/.ssh/authorized_keys file. Any ideas how to fix it?
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
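
The reply above mentions building a module from SELinux audit logs with audit2allow. The following is an added example, not part of the original thread and not audit2allow's own code: a minimal Python sketch of that idea which turns AVC denials into the same kind of allow rule. The log lines, paths, PIDs and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); permissive=1 so
# every denied step of the authorized_keys read is logged, not just the first.
SAMPLE_LOG = """\
type=AVC msg=audit(1568700000.101:901): avc:  denied  { getattr } for  pid=2211 comm="sshd" path="/home/user/.ssh/authorized_keys" dev="ceph" ino=1099511627780 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1568700000.102:902): avc:  denied  { read } for  pid=2211 comm="sshd" name="authorized_keys" dev="ceph" ino=1099511627780 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1568700000.102:903): avc:  denied  { open } for  pid=2211 comm="sshd" path="/home/user/.ssh/authorized_keys" dev="ceph" ino=1099511627780 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1568700000.102:903): arch=c000003e syscall=257 success=yes exit=4 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1568700050.400:910): avc:  denied  { read } for  pid=3300 comm="httpd" name="index.html" dev="ceph" ino=1099511627999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=1
"""

# Pull permissions, source type, target type and class out of one AVC record.
# Contexts are user:role:type[:mls]; only the type field matters for a TE rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+'
    r'tclass=(?P<cls>\w+)')

def collect_denials(log_text, source_type=None):
    """Return {(source, target, class): {perms}} for denied AVC records."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, granted accesses, truncated lines
        if source_type and m["src"] != source_type:
            continue  # keep the module scoped to one domain
        rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return rules

def render_module(name, rules):
    """Render the collected denials as .te policy module source."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("local-ceph-ssh-auth", collect_denials(SAMPLE_LOG, "sshd_t")))
```

Read the generated rule before loading it: it is type-wide, so sshd_t gains read access to every file labelled cephfs_t, not only authorized_keys.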