sshd key context

Daniel J Walsh dwalsh at redhat.com
Tue Jan 8 22:07:41 UTC 2013


On 01/08/2013 05:04 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 01/08/2013 01:57 PM, m.roth at 5-cent.us wrote:
>>> Is this a bug? It's certainly a real inconsistency, IMO.
>>> 
>>> I just built a user's workstation, new, as fc-17.
>>> 
>>> ll -Z /usr/sbin/sshd
>>> -rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd*
>>> 
>>> ll -Z /etc/ssh/
>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0       ./
>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0       ../
>>> -rw-------. root root system_u:object_r:etc_t:s0       moduli
>>> -rw-r--r--. root root system_u:system_u:etc_t:s0       ssh_config
>>> -rw-------. root root system_u:system_u:etc_t:s0       sshd_config
>>> -rw-------. root root system_u:system_u:etc_t:s0       sshd_config.rpmnew
>>> -rw-------. root root system_u:system_u:sshd_key_t:s0  ssh_host_dsa_key
>>> -rw-r--r--. root root system_u:system_u:sshd_key_t:s0  ssh_host_dsa_key.pub
>>> -rw-------. root root system_u:system_u:sshd_key_t:s0  ssh_host_key
>>> -rw-r--r--. root root system_u:system_u:sshd_key_t:s0  ssh_host_key.pub
>>> -rw-------. root root system_u:system_u:sshd_key_t:s0  ssh_host_rsa_key
>>> -rw-r--r--. root root system_u:system_u:sshd_key_t:s0  ssh_host_rsa_key.pub
>>> -rw-r--r--. root root system_u:system_u:etc_t:s0       ssh_known_hosts
>>> 
>>> sealert tells me that the ssh_host_*_key should be etc_t, not, as I
>>> set it, sshd_key_t.
>>> 
>> What does matchpathcon /etc/ssh/ssh_host*
>> 
>> Say?
> <snip>
> matchpathcon /etc/ssh/ssh_host*
> /etc/ssh/ssh_host_dsa_key      system_u:object_r:sshd_key_t:s0
> /etc/ssh/ssh_host_dsa_key.pub  system_u:object_r:sshd_key_t:s0
> /etc/ssh/ssh_host_key          system_u:object_r:sshd_key_t:s0
> /etc/ssh/ssh_host_key.pub      system_u:object_r:sshd_key_t:s0
> /etc/ssh/ssh_host_rsa_key      system_u:object_r:sshd_key_t:s0
> /etc/ssh/ssh_host_rsa_key.pub  system_u:object_r:sshd_key_t:s0
> 
> mark
> 
Can you attach the sealert message?