Resolves bz971279
Description of problem: Previously, selinux in enforcing mode could prevent ssh-keygen from generating keys. Support for selinux policy for allowing applications to access ssh-keygen for generating ssh keys was added in selinux-policy-3.7.19-126.el6_2.6.
Solutions: Because the context was added for ssh key generation, the keys were generated without flipping from enforcing mode to permissive mode for ssh key generation. This patch removes selinux code which switches between enforcing and permissive modes.
Signed-off-by: arthur zzou@redhat.com
---
kdumpctl | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 46ae633..d27557a 100755 --- a/kdumpctl +++ b/kdumpctl @@ -317,13 +317,6 @@ function propagate_ssh_key() exit 1 fi
- #Check if selinux is on... must flip to permissive mode - #for the moment to create key, then flip back... - se_enforce=`/usr/sbin/sestatus | grep -c "^Current mode.*enforcing"` - if [ "$se_enforce" -ge 1 ]; then - /usr/sbin/setenforce 0 2>&1 > /dev/null - fi - local KEYFILE=$SSH_KEY_LOCATION local errmsg="Failed to propagate ssh key"
@@ -336,11 +329,6 @@ function propagate_ssh_key() echo "done." fi
- #If necessary, flip selinux back to enforcing - if [ "$se_enforce" -ge 1 ]; then - /usr/sbin/setenforce 1 2>&1 > /dev/null - fi - #now find the target ssh user and server to contact. SSH_USER=`echo $DUMP_TARGET | cut -d\ -f2 | cut -d@ -f1` SSH_SERVER=`echo $DUMP_TARGET | sed -e's/(.*@)(.*$)/\2/'`
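Review bot: In the first hunk (@@ -317,13 +317,6 @@), dropping the `setenforce 0` block makes propagate_ssh_key() depend on the policy named in the commit message (selinux-policy-3.7.19-126.el6_2.6), but nothing in the lines shown records or enforces that dependency. On a host in enforcing mode with an older policy, key generation would be denied again, and the only error text visible in this context is the generic `errmsg="Failed to propagate ssh key"`. Suggest declaring the minimum selinux-policy version as a package dependency (the spec file is not part of this diff), or at least leaving a short comment at the key-generation step naming the required policy, so a failure can be traced to an AVC denial without rereading this thread.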
On Mon, Feb 17, 2014 at 03:34:13PM +0800, arthur wrote:
Resolves bz971279
Description of problem: Previously, selinux in enforcing mode could prevent ssh-keygen from generating keys. Support for selinux policy for allowing applications to access ssh-keygen for generating ssh keys was added in selinux-policy-3.7.19-126.el6_2.6.
Solutions: Because the context was added for ssh key generation, the keys were generated without flipping from enforcing mode to permissive mode for ssh key generation. This patch removes selinux code which switches between enforcing and permissive modes.
Signed-off-by: arthur zzou@redhat.com
Looks good to me. Changing selinux mode temporarily sounds like a security issue to me. So good that we are getting rid of this code.
Acked-by: Vivek Goyal vgoyal@redhat.com
Thanks Vivek
kdumpctl | 12 ------------ 1 file changed, 12 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 46ae633..d27557a 100755 --- a/kdumpctl +++ b/kdumpctl @@ -317,13 +317,6 @@ function propagate_ssh_key() exit 1 fi
- #Check if selinux is on... must flip to permissive mode
- #for the moment to create key, then flip back...
- se_enforce=`/usr/sbin/sestatus | grep -c "^Current mode.*enforcing"`
- if [ "$se_enforce" -ge 1 ]; then
/usr/sbin/setenforce 0 2>&1 > /dev/null
- fi
- local KEYFILE=$SSH_KEY_LOCATION local errmsg="Failed to propagate ssh key"
@@ -336,11 +329,6 @@ function propagate_ssh_key() echo "done." fi
- #If necessary, flip selinux back to enforcing
- if [ "$se_enforce" -ge 1 ]; then
/usr/sbin/setenforce 1 2>&1 > /dev/null
- fi
- #now find the target ssh user and server to contact. SSH_USER=`echo $DUMP_TARGET | cut -d\ -f2 | cut -d@ -f1` SSH_SERVER=`echo $DUMP_TARGET | sed -e's/(.*@)(.*$)/\2/'`
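Review bot: In the second hunk (@@ -336,11 +329,6 @@), once the `setenforce 1` restore is removed, `se_enforce` has no reader left in the lines shown, and the first hunk assigned it without `local`, so it was a script-wide variable. Please grep the rest of kdumpctl for `se_enforce` before merging to confirm nothing outside propagate_ssh_key() still tests it. The two hunks also need to stay together in any backport: taking the first without the second leaves a test on an unset variable, and taking the second without the first leaves the host in permissive mode after key propagation. A sentence in the commit message saying so would help whoever cherry-picks this.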
-- 1.8.4.2