On 4/07/13 3:52 AM, "m.roth@xxxxxxxxx" <m.roth@xxxxxxxxx> wrote:

>Ok, small problem: where I work is a US federal gov't agency, and we're
>required to use data from our PIV cards (the same as US DoD CAC cards). We
>store the user's public keys from those cards, so they are, in effect,
>their ssh keys for going to other systems. Selinux complains about the
>types. The sealert offers, among other obviously inappropriate types,
>these: nx_server_home_ssh_t, etc_t, rssh_ro_t, ssh_home_t, cert_type,
>home_root_t, sshd_t, selinux_login_config_t, ssh_home_t.

Could you please provide the relevant audit log messages? If not, at least
a little more information, mainly: source domain, target type and access
vector.

>What *would* be an appropriate type?

You can determine this with sesearch, provided you know the information
above.

sesearch --allow --auditallow --target=type_t --class=class --perm=perm1,perm2,perm3

If it comes back with nothing appropriate, you may need to write your own
policy defining the required types and allowed access vectors.

Cheers,
Doug

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
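
The following is an added example, not part of the original message: it pulls the three items the reply asks for (source domain, target type, access vector) out of AVC denial records and builds a sesearch query listing the types the source domain is already allowed to access that way. The audit lines, the path /srv/pivkeys and the default_t label are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the original thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1365321120.101:411): avc:  denied  { read } for  pid=2211 comm="sshd" name="alice" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1365321120.102:412): avc:  denied  { open getattr } for  pid=2211 comm="sshd" path="/srv/pivkeys/alice" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1365321120.102:412): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of user:role:type[:level]."""
    # The MLS level (e.g. s0-s0:c0.c1023) may itself contain ':',
    # so split at most three times and take the third field.
    return context.split(":", 3)[2]

def parse_denials(log_text):
    """Map (source domain, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other non-AVC records
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def candidate_type_query(source, tclass, perms):
    """sesearch argv listing the types `source` may already access this way."""
    return ["sesearch", "--allow", f"--source={source}",
            f"--class={tclass}", f"--perm={','.join(sorted(perms))}"]

if __name__ == "__main__":
    for (src, tgt, cls), perms in parse_denials(SAMPLE_LOG).items():
        print(f"# {src} denied {sorted(perms)} on {tgt}:{cls}")
        print(" ".join(candidate_type_query(src, cls, perms)))
```
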