Vit Mojzis wrote:
To answer your last question, it would be better to solve this without
adding new rules.
Try changing the context of /var/lib/ssh-x509-auth/ directory to
var_auth_t (sshd already has write access to it).
#chcon -R -t var_auth_t /var/lib/ssh-x509-auth/
If this solves the issue, please file a bug so that we can change the
context permanently.
Hi. Thanks.
I didn't remember which box this was on - that turned out to be the third
CentOS 7 box I looked at... and *both* of the other two were var_auth_t.
I changed the context, and logged in as myself, and it seems to not be
complaining now. So I'm not sure how it wound up with the wrong
context....
Btw, two things: a) no, I didn't want to run chcon, I wanted semanage
fcontext... and b) this *is* a redhat thing, the manpage for semanage
has changed from the one in 6, and it's much shorter, does not list the
options, and has *no* examples. I had to do a man semanage on a 6 box to
get the manpage that gives *examples*, like semanage fcontext -m -t
var_auth_t "/var/lib/ssh-x509-auth(/.*)?"...
mark
----- Original Message -----
From: "m roth" <m.roth(a)5-cent.us>
To: "CentOS" <centos(a)centos.org>, "selinux"
<selinux(a)lists.fedoraproject.org>
Sent: Tuesday, April 26, 2016 5:31:16 PM
Subject: username.pem
Hi, folks,
Our system gets/creates /var/lib/ssh-x509-auth/<username>.pem, then
deletes it when they log out. selinux (in permissive mode) complains.
First, I changed the context to cert_t, and *now* it complains that
ksh93 wants write, etc. access on the directory. grep ssh-x509-auth
/var/log/audit/audit.log | audit2allow offers me this:
#============= sshd_t ==============
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };
So: first, is this an expected behavior; second, is that the correct
fcontext, and, finally, is it safe for me to create this as a local
policy?
Thanks in advance.
mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
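An added example, not part of the thread: a small script that summarizes AVC denials of the kind grepped out of audit.log above (so you can see that sshd_t is being denied on cert_t/var_lib_t rather than on its intended type) and prints the persistent relabel commands instead of a one-off chcon. The AVC records are constructed samples, and it assumes var_auth_t is the intended type as Vit's reply states; the note that `-a` adds a spec while `-m` edits an existing one is mine, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage SELinux AVC denials of the kind
# grepped out of /var/log/audit/audit.log, then print the persistent relabel
# commands. The AVC records below are constructed samples, not real log lines.
SAMPLE_AVC='type=AVC msg=audit(1461707476.101:301): avc:  denied  { write } for  pid=2201 comm="ksh93" name="ssh-x509-auth" dev="dm-0" ino=4201 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1461707476.102:302): avc:  denied  { write open } for  pid=2201 comm="ksh93" name="mark.pem" dev="dm-0" ino=4202 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1461707476.103:303): avc:  denied  { create } for  pid=2201 comm="ksh93" name="mark.pem" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

# avc_summary: read AVC records on stdin and print one line per distinct
# (source type, target type, class) with the denied permissions merged.
# sshd_t being denied on var_lib_t/cert_t, rather than on the type the policy
# already allows (var_auth_t), points at a mislabelled directory, not a policy gap.
avc_summary() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      perms = ""
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
      stype = ttype = tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
        else if ($i ~ /^tclass=/) tclass = substr($i, 8)
      }
      key = stype " " ttype " " tclass
      if (!(key in seen)) { keys[++count] = key; seen[key] = "" }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (index(" " seen[key] " ", " " p[j] " ") == 0)
          seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END { for (k = 1; k <= count; k++) print keys[k] ": " seen[keys[k]] }
  '
}

# relabel_commands DIR TYPE: print the commands that make the label persistent.
# chcon changes only the inode label and is undone by restorecon or a relabel;
# semanage fcontext -a records a new spec (-m edits an existing one) and
# restorecon applies it. Printed rather than run so the script is safe to test.
relabel_commands() {
  printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
  printf "restorecon -Rv '%s'\n" "$1"
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
relabel_commands /var/lib/ssh-x509-auth var_auth_t
```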