On 03/07/2018 03:18 PM, m.roth@xxxxxxxxx wrote:
> CentOS 7.4
>
> From sealert:
> SELinux is preventing /usr/sbin/sshd from read access on the file
> /etc/ssh/moduli.
>
> ***** Plugin restorecon (94.8 confidence) suggests
> ************************
>
> If you want to fix the label.
> /etc/ssh/moduli default label should be etc_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /etc/ssh/moduli
> <...>
> Additional Information:
> Source Context    system_u:system_r:sshd_t:s0-s0:c0.c1023
> Target Context    system_u:object_r:unlabeled_t:s0
> Target Objects    /etc/ssh/moduli [ file ]
> Source            sshd
> Source Path       /usr/sbin/sshd
> ---------
>
> Except:
> ls -laFZ /etc/ssh/moduli
> -rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli

NB: You have "system" rather than "system_u" above, unless that's a typo. Which would be an invalid user identity, and thus an invalid security context, and therefore mapped to the unlabeled context at runtime. Is it wrong in your file_contexts configuration? If not, then restorecon -F -v /etc/ssh/moduli should fix (by default, restorecon doesn't touch user identity since it reflects creator and can vary).

>
> ls -laFZ /usr/sbin/sshd
> -rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd*
>
> And I even restarted sshd. So, what's selinux seeing that I'm not?
>
>
> mark
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
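
The mismatch pointed out in the reply (a file context whose user field is not a policy user) can be checked mechanically. The following is an added example, not part of the original messages: the function names and the `VALID_USERS` list are assumptions, and the two listing lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: flag `ls -Z` entries whose SELinux user field is not a
# known policy user, the condition that leaves a file treated as unlabeled_t.

# Constructed list (assumption). On a live system, take the names from the
# first column of `semanage user -l`.
VALID_USERS="system_u unconfined_u user_u staff_u sysadm_u guest_u xguest_u root"

# check_context CONTEXT
# Prints "ok", "malformed", or "invalid-user:<name>". Always returns 0 so it
# is safe to call under `set -e`.
check_context() {
    case $1 in
        *:*:*) ;;                       # need at least user:role:type
        *) echo malformed; return 0 ;;
    esac
    cc_user=${1%%:*}                    # text before the first colon
    for cc_u in $VALID_USERS; do
        if [ "$cc_u" = "$cc_user" ]; then
            echo ok
            return 0
        fi
    done
    echo "invalid-user:$cc_user"
}

# scan_listing
# Reads CentOS 7 style `ls -lZ` lines (mode owner group context path) on
# stdin and prints "<path> <status>" for every entry that is not "ok".
scan_listing() {
    while read -r sl_mode sl_owner sl_group sl_ctx sl_path; do
        [ -n "$sl_path" ] || continue   # skip blank or short lines
        sl_status=$(check_context "$sl_ctx")
        [ "$sl_status" = ok ] || echo "$sl_path $sl_status"
    done
}

# The two listing lines quoted in the thread.
SAMPLE='-rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd*'

printf '%s\n' "$SAMPLE" | scan_listing
```

Any path it reports is a candidate for the `restorecon -F -v` fix given in the reply, since plain `restorecon` leaves the user field alone.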