Hi Mark,

how exactly did you change the context? It seems to me that you changed the context of the whole directory (/var/lib/ssh-x509-auth/). When creating the file "<username>.pem", sshd would need to have write permission to /var/lib/ssh-x509-auth/, which corresponds to

allow sshd_t cert_t:dir write;

The second permission (allow sshd_t var_lib_t:file { write getattr create open ioctl };) could be caused by older AVCs (before you changed the context). Try erasing the audit log before reproducing the issue (which should be done in permissive mode), or use

ausearch -m avc -te recent | audit2allow

Hope this helps.

Vit Mojzis
SELinux Solutions
Red Hat, Inc.

----- Original Message -----
From: "m roth" <m.roth@xxxxxxxxx>
To: "CentOS" <centos@xxxxxxxxxx>, "selinux" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, April 26, 2016 5:31:16 PM
Subject: username.pem

Hi, folks,

Our system gets/creates /var/lib/ssh-x509-auth/<username>.pem, then deletes it when they log out. selinux (in permissive mode) complains. First, I changed the context to cert_t, and *now* it complains that ksh93 wants write, etc. access on the directory.

grep ssh-x509-auth /var/log/audit/audit.log | audit2allow

offers me this:

#============= sshd_t ==============
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };

So: first, is this an expected behavior; second, is that the correct fcontext, and, finally, is it safe for me to create this as a local policy?

Thanks in advance.

mark
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
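The point of Vit's reply is that audit2allow aggregates every AVC denial it is fed, so denials logged before the relabel (against var_lib_t) end up in the same suggested module as the ones that matter now (against cert_t). The following Python is an added example, not part of the thread and not the audit2allow code: it parses AVC lines in the format the audit log uses, groups them by (source type, target type, class) the way audit2allow prints them, and drops records older than a cutoff, which is what `ausearch -ts recent` does before piping into audit2allow. The log lines and the timestamps in it are constructed for the demonstration, not taken from Mark's system; real audit.log lines carry more fields than the regex here needs.

```python
import re
from collections import defaultdict

# Regex for the AVC record fields audit2allow needs: timestamp, permission
# set, source/target context and object class. Other fields are ignored.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Constructed sample: two denials from before the directory was relabelled
# (target type var_lib_t) and one from after (target type cert_t).
RELABEL_TS = 1461684000.0
SAMPLE_LOG = """\
type=AVC msg=audit(1461680000.101:4501): avc:  denied  { write } for  pid=1234 comm="sshd" name="alice.pem" dev="dm-0" ino=131 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461680000.102:4502): avc:  denied  { getattr create open ioctl } for  pid=1234 comm="sshd" name="alice.pem" dev="dm-0" ino=131 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461685000.217:4610): avc:  denied  { write } for  pid=1301 comm="sshd" name="ssh-x509-auth" dev="dm-0" ino=130 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
""".splitlines()


def se_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(':')[2]


def parse_avc(lines):
    """Parse AVC denial lines into dicts; non-AVC lines are skipped."""
    records = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            'ts': float(m.group('ts')),
            'stype': se_type(m.group('scontext')),
            'ttype': se_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'perms': set(m.group('perms').split()),
        })
    return records


def allow_rules(records, since=None):
    """Merge permissions per (source, target, class), optionally dropping
    records older than `since` (epoch seconds), like ausearch -ts does."""
    rules = defaultdict(set)
    for r in records:
        if since is not None and r['ts'] < since:
            continue
        rules[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return dict(rules)


def format_rules(rules):
    """Render rules in the 'allow s t:c perms;' form audit2allow prints."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ %s }' % p
        out.append('allow %s %s:%s %s;' % (s, t, c, p))
    return out


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_LOG)
    print('# all denials in the log (what grep | audit2allow sees):')
    print('\n'.join(format_rules(allow_rules(recs))))
    print('# only denials after the relabel:')
    print('\n'.join(format_rules(allow_rules(recs, since=RELABEL_TS))))
```

Running the whole log through yields both rules Mark saw; filtering to records after the relabel leaves only the `cert_t:dir write` rule, which is the one a local module built from a clean reproduction would need to contain.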