sshd key context
Daniel J Walsh
dwalsh at redhat.com
Tue Jan 8 22:07:41 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/08/2013 05:04 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 01/08/2013 01:57 PM, m.roth at 5-cent.us wrote:
>>> Is this a bug? It's certainly a real inconsistancy, IMO.
>>>
>>> I just built a user's workstation, new, as fc-17.
>>>
>>> ll -Z /usr/sbin/sshd -rwxr-xr-x. root root
>>> system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd*
>>>
>>> ll -Z /etc/ssh/ drwxr-xr-x. root root system_u:object_r:etc_t:s0 ./
>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0 ../ -rw-------.
>>> root root system_u:object_r:etc_t:s0 moduli -rw-r--r--. root
>>> root system_u:system_u:etc_t:s0 ssh_config -rw-------. root root
>>> system_u:system_u:etc_t:s0 sshd_config -rw-------. root root
>>> system_u:system_u:etc_t:s0 sshd_config.rpmnew -rw-------. root
>>> root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key -rw-r--r--. root
>>> root system_u:system_u:sshd_key_t:s0 ssh_host_dsa_key.pub -rw-------.
>>> root root system_u:system_u:sshd_key_t:s0 ssh_host_key -rw-r--r--.
>>> root root system_u:system_u:sshd_key_t:s0 ssh_host_key.pub -rw-------.
>>> root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key -rw-r--r--.
>>> root root system_u:system_u:sshd_key_t:s0 ssh_host_rsa_key.pub
>>> -rw-r--r--. root root system_u:system_u:etc_t:s0 ssh_known_hosts
>>>
>>> sealert tells me that the ssh_host_*_key should be etc_t, not, as I
>>> set it, sshd_key_t.
>>>
>> What does matchpathcon /etc/ssh/ssh_host*
>>
>> Say?
> <snip> matchpathcon /etc/ssh/ssh_host* /etc/ssh/ssh_host_dsa_key
> system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_dsa_key.pub
> system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_key
> system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_key.pub
> system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_rsa_key
> system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_rsa_key.pub
> system_u:object_r:sshd_key_t:s0
>
> mark
>
can you attach the sealert message?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlDsmKwACgkQrlYvE4MpobNoCQCaA3ok6r062Dniotk6OyJp1jhR
40EAoIKVQAQNVEoR5vnDGFDBoq65MHuU
=JZ5+
-----END PGP SIGNATURE-----
More information about the selinux
mailing list