On 4/07/13 3:52 AM, "m.roth(a)5-cent.us" <m.roth(a)5-cent.us> wrote:
> Ok, small problem: where I work is a US federal gov't agency, and
> required to use data from our PIV cards (the same as US DoD CAC cards). We
> store the user's public keys from those cards, so they are, in effect,
> their ssh keys for going to other systems. SELinux complains about the
> types. The sealert offers, among other obviously inappropriate types,
> these: nx_server_home_ssh_t, etc_t, rssh_ro_t, ssh_home_t, cert_type,
> home_root_t, sshd_t, selinux_login_config_t, ssh_home_t.

Could you please provide the relevant audit log messages? If not, at least
a little more information, mainly: source domain, target type and access

> What *would* be an appropriate type?

You can determine this with sesearch, provided you know the information

    sesearch --allow --auditallow --target=type_t --class=class

If it comes back with nothing appropriate, you may need to write your own
policy defining the required types and allowed access vectors.
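
The following is an added example, not part of the original thread: it pulls the three items the reply asks for (source domain, target type, access) out of AVC denial records and fills in the reply's sesearch command. The log lines and the `default_t` label are constructed for illustration; the helper names are hypothetical, and `candidate_types_command` goes beyond the reply by using sesearch's `--source` option to list what the denied domain is already allowed to touch.

```python
import re
import shlex

# Constructed audit records (not from the thread); the types are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1365000000.123:456): avc:  denied  { read open } for  pid=1234 comm="sshd" name="authorized_keys" dev="dm-0" ino=5678 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1365000000.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1365000001.500:457): avc:  denied  { search } for  pid=1234 comm="sshd" name="pivkeys" dev="dm-0" ino=5600 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Extract source domain, target type, class and permissions per AVC denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH and other record types carry no AVC fields
        denials.append({
            "source": context_type(m["scontext"]),
            "target": context_type(m["tcontext"]),
            "class": m["tclass"],
            "perms": m["perms"].split(),
        })
    return denials

def sesearch_command(denial):
    """The reply's query: which rules grant access to this target type and class."""
    return "sesearch --allow --auditallow --target={} --class={}".format(
        shlex.quote(denial["target"]), shlex.quote(denial["class"]))

def candidate_types_command(denial):
    """Added variant: which target types may the denied domain access for this class."""
    return "sesearch --allow --source={} --class={}".format(
        shlex.quote(denial["source"]), shlex.quote(denial["class"]))

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(d["source"], "->", d["target"], d["class"], d["perms"])
        print("  " + sesearch_command(d))
        print("  " + candidate_types_command(d))
```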