Miroslav Grepl wrote:
> On 02/23/2016 03:57 PM, m.roth@xxxxxxxxx wrote:
>> I assume that this is created by ssh when the user goes to ssh from
>> their system. So, why would I get
>>
>> If you want to allow ksh93 to have create access on the kmeyer.pem file
>> Then you need to change the label on <username>.pem
>> Do # semanage fcontext -a -t FILE_TYPE '<username>.pem'
>> where FILE_TYPE is one of the following: abrt_var_cache_t, auth_cache_t,
>> auth_home_t, cgroup_t, faillog_t, gitosis_var_lib_t, gkeyringd_tmp_t,
>> krb5_host_rcache_t, lastlog_t, mozilla_plugin_tmp_t,
>> mozilla_plugin_tmpfs_t, nfs_t, openshift_tmp_t, pam_var_run_t,
>> ssh_home_t, sshd_var_run_t, systemd_passwd_var_run_t, user_tmp_t,
>> var_auth_t.
>> Then execute:
>> restorecon -v '<username>.pem'
>>
>> ll -aZ /var/lib/ssh-x509-auth/
>> drwx------. adm root system_u:object_r:var_lib_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
>> -rw-------. adm adm system_u:object_r:var_lib_t:s0 <username>
>> -rw-------. adm adm system_u:object_r:var_lib_t:s0 <username>.pem
>>
>> Is this a bug, a mislabeling, or...?
>
> $ matchpathcon var/lib/ssh-x509-auth/
> /var/lib/ssh-x509-auth system_u:object_r:var_lib_t:s0
>
> It is a default system labeling.
>
> What is your AVC?

Well, I just logged onto that user's workstation as me, and got a bunch of
varying ones. One similar is, excerpted from the setroubleshoot report:

Raw Audit Messages
type=AVC msg=audit(1456332138.947:141150): avc: denied { getattr } for pid=6552 comm="grep" path="/var/lib/ssh-x509-auth/rothmb" dev="sda3" ino=1277468 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

Is that what you're looking for?

mark
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
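The AVC above says the sshd_t domain was refused getattr on a file that carries the default var_lib_t label. As an added illustration (not code from the thread or from setroubleshoot), the following Python parses a raw AVC record into its fields, reduces it to a one-line triage summary, and builds the same two-step fix setroubleshoot proposed (a persistent semanage fcontext rule, then restorecon), generalised from the single file to the whole directory. The target type is a caller-supplied choice; the thread lists candidates but does not settle on one.

```python
import os
import re

# Constructed copy of the raw audit message quoted in the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1456332138.947:141150): avc: denied { getattr } for '
    'pid=6552 comm="grep" path="/var/lib/ssh-x509-auth/rothmb" dev="sda3" '
    'ino=1277468 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file'
)

# "avc: denied { perm1 perm2 } for key=value ..." as written by the kernel.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; the type is what the policy keys on.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":", 3)[2]
    return rec


def summarize(rec):
    """One-line triage: which domain was refused which permission on what."""
    return "%s (%s) %s %s on %s %s" % (
        rec["scontext_type"], rec.get("comm", "?"), rec["result"],
        ",".join(rec["perms"]), rec["tcontext_type"], rec.get("tclass", "?"))


def relabel_commands(rec, new_type):
    """Persistent fcontext rule for the file's directory tree, then apply it.

    new_type is the administrator's choice (e.g. one of the candidates
    setroubleshoot listed); this function does not pick it.
    """
    directory = os.path.dirname(rec["path"])
    return [
        "semanage fcontext -a -t %s '%s(/.*)?'" % (new_type, directory),
        "restorecon -Rv '%s'" % directory,
    ]
```

Run against an unlabelled copy of the directory, the fcontext rule is what makes the label survive a future relabel, which a bare chcon would not.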