On 02/23/2016 03:57 PM, m.roth@xxxxxxxxx wrote:
> I assume that this is created by ssh when the user goes to ssh from their
> system. So, why would I get
>
> If you want to allow ksh93 to have create access on the kmeyer.pem file
> Then you need to change the label on <username>.pem
> Do
> # semanage fcontext -a -t FILE_TYPE '<username>.pem'
> where FILE_TYPE is one of the following: abrt_var_cache_t, auth_cache_t,
> auth_home_t, cgroup_t, faillog_t, gitosis_var_lib_t, gkeyringd_tmp_t,
> krb5_host_rcache_t, lastlog_t, mozilla_plugin_tmp_t,
> mozilla_plugin_tmpfs_t, nfs_t, openshift_tmp_t, pam_var_run_t, ssh_home_t,
> sshd_var_run_t, systemd_passwd_var_run_t, user_tmp_t, var_auth_t.
> Then execute:
> restorecon -v '<username>.pem'
>
> ll -aZ /var/lib/ssh-x509-auth/
> drwx------. adm root system_u:object_r:var_lib_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
> -rw-------. adm adm system_u:object_r:var_lib_t:s0 <username>
> -rw-------. adm adm system_u:object_r:var_lib_t:s0 <username>.pem
>
> Is this a bug, a mislabeling, or...?

$ matchpathcon var/lib/ssh-x509-auth/
/var/lib/ssh-x509-auth	system_u:object_r:var_lib_t:s0

It is a default system labeling.

What is your AVC?

>
> mark
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
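The reply's point is that the file is not mislabeled: its current type (from `ls -Z`) already equals what the policy assigns to that path (from `matchpathcon`), so `restorecon` alone would change nothing and the fix is a policy decision driven by the actual AVC denial. The following added example (not from the thread, not Red Hat's or the list's own code) makes that check mechanical. It parses constructed strings in the format of `ls -aZ` and `matchpathcon` output, so it runs without an SELinux host; the file name `user.pem` and the `ssh_home_t` mismatch case are assumed sample values.

```shell
#!/bin/sh
# Added example: compare the type field of a file's current SELinux
# context with the type the loaded policy expects for its path.
# Inputs are constructed strings, so no SELinux tooling is required.

# Extract the type (third field of user:role:type:level) from a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Arguments: one line of `ls -aZ` output and one line of `matchpathcon` output.
# Prints "ok" when the current type equals the policy's expected type
# (restorecon would be a no-op), otherwise "mismatch" (restorecon would
# relabel the file).
check_label() {
    ls_line=$1
    mpc_line=$2
    # `ls -Z` columns: mode owner group context name -> context is field 4
    current=$(printf '%s\n' "$ls_line" | awk '{print $4}')
    # `matchpathcon` columns: path context -> context is field 2
    expected=$(printf '%s\n' "$mpc_line" | awk '{print $2}')
    if [ "$(ctx_type "$current")" = "$(ctx_type "$expected")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Constructed sample lines mirroring the listing in the thread.
LS_PEM='-rw-------. adm adm system_u:object_r:var_lib_t:s0 user.pem'
MPC_PEM='/var/lib/ssh-x509-auth/user.pem system_u:object_r:var_lib_t:s0'

# Constructed case where the file carries a type the policy does not assign.
LS_STRAY='-rw-------. adm adm unconfined_u:object_r:ssh_home_t:s0 user.pem'

check_label "$LS_PEM" "$MPC_PEM"     # ok: label is the policy default
check_label "$LS_STRAY" "$MPC_PEM"   # mismatch: restorecon would relabel
```

When the result is "ok" but an AVC denial is still logged, the default label is the thing denying access, and the choice of a new type for `semanage fcontext` has to be taken from the denial (which domain, which permission) rather than from the generic list sealert prints.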