Resolves bz971279
Description of problem: Previously, selinux in enforcing mode could prevent ssh-keygen from generating keys. Support for selinux policy for allowing applications to access ssh-keygen for generating ssh keys was added with selinux-policy-3.7.19-126.el6_2.6, and RHEL 6.3 ships selinux-policy-targeted-3.7.19-142.el6, which already has the support for ssh_keygen_t.
Solutions: Because the context was added for ssh key generation, the keys were generated without flipping from enforcing mode to permissive mode for ssh key generation. This patch removes selinux code which switches between enforcing and permissive modes.
Signed-off-by: arthur zzou@redhat.com
---
 kdumpctl | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 358ef05..b626f61 100755 --- a/kdumpctl +++ b/kdumpctl @@ -317,13 +317,6 @@ function propagate_ssh_key() exit 1 fi
- #Check if selinux is on... must flip to permissive mode - #for the moment to create key, then flip back... - se_enforce=`/usr/sbin/sestatus | grep -c "^Current mode.*enforcing"` - if [ "$se_enforce" -ge 1 ]; then - /usr/sbin/setenforce 0 2>&1 > /dev/null - fi - local KEYFILE=$SSH_KEY_LOCATION local errmsg="Failed to propagate ssh key"
@@ -335,11 +328,6 @@ function propagate_ssh_key() /usr/bin/ssh-keygen -t rsa -f $KEYFILE -N "" 2>&1 > /dev/null echo "done." fi - - #If necessary, flip selinux back to enforcing - if [ "$se_enforce" -ge 1 ]; then - /usr/sbin/setenforce 1 2>&1 > /dev/null - fi #now find the target ssh user and server to contact. SSH_USER=`echo $DUMP_TARGET | cut -d\ -f2 | cut -d@ -f1`
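Review bot: In the first hunk (@@ -317,13 +317,6), removing the `setenforce 0` block makes key generation depend on the installed policy providing ssh_keygen_t, yet the only policy versions the changelog names are RHEL 6 selinux-policy builds. State the dependency for the distribution this patch targets, in the commit message or in the package requirements, so that a system with an older policy does not fail here without explanation. The removal itself is the right direction, since the deleted code put the whole system into permissive mode, not just this script, while the key was being created.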
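Review bot: In the second hunk (@@ -335,11 +328,6), the context line `/usr/bin/ssh-keygen -t rsa -f $KEYFILE -N "" 2>&1 > /dev/null` is followed by an unconditional `echo "done."`, so with the permissive-mode fallback gone a denied or failed ssh-keygen run is still reported as success. Check the exit status of ssh-keygen and bail out with the existing `errmsg` when no key was written. Separately, `2>&1 > /dev/null` discards only stdout and leaves stderr on the terminal; if both streams are meant to be silenced it should read `> /dev/null 2>&1`, and `$KEYFILE` should be quoted.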
On 10/14/13 at 01:40pm, Zhi Zou wrote:
Resolves bz971279
description of problem:
Previously, selinux in enforcing mode could prevent ssh-keygen from generating keys. Support for selinux policy for allowing applications to access ssh-keygen for generating ssh keys was added with selinux-policy-3.7.19-126.el6_2.6, and RHEL 6.3 ships selinux-policy-targeted-3.7.19-142.el6, which already has the support for ssh_keygen_t.
Does fedora ship selinux with ssh_keygen_t support? If yes, you might want to remove the rhel6 part from your changelog.
Thanks WANG Chao
Solutions: Because the context was added for ssh key generation, the keys were generated without flipping from enforcing mode to permissive mode for ssh key generation. This patch removes selinux code which switches between enforcing and permissive modes.
Signed-off-by: arthur zzou@redhat.com
kdumpctl | 12 ------------ 1 file changed, 12 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 358ef05..b626f61 100755 --- a/kdumpctl +++ b/kdumpctl @@ -317,13 +317,6 @@ function propagate_ssh_key() exit 1 fi
- #Check if selinux is on... must flip to permissive mode
- #for the moment to create key, then flip back...
- se_enforce=`/usr/sbin/sestatus | grep -c "^Current mode.*enforcing"`
- if [ "$se_enforce" -ge 1 ]; then
/usr/sbin/setenforce 0 2>&1 > /dev/null- fi
- local KEYFILE=$SSH_KEY_LOCATION local errmsg="Failed to propagate ssh key"
@@ -335,11 +328,6 @@ function propagate_ssh_key() /usr/bin/ssh-keygen -t rsa -f $KEYFILE -N "" 2>&1 > /dev/null echo "done." fi
#If necessary, flip selinux back to enforcing
if [ "$se_enforce" -ge 1 ]; then
/usr/sbin/setenforce 1 2>&1 > /dev/nullfi
#now find the target ssh user and server to contact. SSH_USER=`echo $DUMP_TARGET | cut -d\ -f2 | cut -d@ -f1`
-- 1.8.3.1
kexec mailing list kexec@lists.fedoraproject.org https://lists.fedoraproject.org/mailman/listinfo/kexec
On Tue, Oct 15, 2013 at 01:20:12PM +0800, WANG Chao wrote:
On 10/14/13 at 01:40pm, Zhi Zou wrote:
Resolves bz971279
description of problem:
Previously, selinux in enforcing mode could prevent ssh-keygen from generating keys. Support for selinux policy for allowing applications to access ssh-keygen for generating ssh keys was added with selinux-policy-3.7.19-126.el6_2.6, and RHEL 6.3 ships selinux-policy-targeted-3.7.19-142.el6, which already has the support for ssh_keygen_t.
Does fedora ship selinux with ssh_keygen_t support? If yes, you might want to remove the rhel6 part from your changelog.
Yep. This is the fedora kdump list and all the description and context should be w.r.t. fedora. What selinux policy is shipped with RHEL6 should be immaterial here.
Thanks Vivek
Thanks WANG Chao
Solutions: Because the context was added for ssh key generation, the keys were generated without flipping from enforcing mode to permissive mode for ssh key generation. This patch removes selinux code which switches between enforcing and permissive modes.
Signed-off-by: arthur zzou@redhat.com
kdumpctl | 12 ------------ 1 file changed, 12 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 358ef05..b626f61 100755 --- a/kdumpctl +++ b/kdumpctl @@ -317,13 +317,6 @@ function propagate_ssh_key() exit 1 fi
- #Check if selinux is on... must flip to permissive mode
- #for the moment to create key, then flip back...
- se_enforce=`/usr/sbin/sestatus | grep -c "^Current mode.*enforcing"`
- if [ "$se_enforce" -ge 1 ]; then
/usr/sbin/setenforce 0 2>&1 > /dev/null- fi
- local KEYFILE=$SSH_KEY_LOCATION local errmsg="Failed to propagate ssh key"
@@ -335,11 +328,6 @@ function propagate_ssh_key() /usr/bin/ssh-keygen -t rsa -f $KEYFILE -N "" 2>&1 > /dev/null echo "done." fi
#If necessary, flip selinux back to enforcing
if [ "$se_enforce" -ge 1 ]; then
/usr/sbin/setenforce 1 2>&1 > /dev/nullfi
#now find the target ssh user and server to contact. SSH_USER=`echo $DUMP_TARGET | cut -d\ -f2 | cut -d@ -f1`
-- 1.8.3.1