On Tue, February 10, 2015 04:18, Andrew Holway wrote:

> On 10 February 2015 at 06:32, Mark Tinberg <mark.tinberg at wisc.edu> wrote:
>
>> > On Feb 9, 2015, at 12:27 PM, Robert Nichols <rnicholsNOSPAM at comcast.net> wrote:
>> >
>> > > On 02/09/2015 11:14 AM, James B. Byrne wrote:
>> > > So, I decided to run restorecon -v to
>> > > ...
>> > > restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
> Why are you putting your SSH key in /etc/ ?
>
> With SELinux it's normally better to go with the flow. Find out which directories have the desired label and keep your objects in there.
>
> I'm guessing in this case ~/.ssh/

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On Tue, February 10, 2015 09:25, James B. Byrne wrote:

By mistake. Sorry for the otherwise empty quoted reply. I have no idea what I pressed that sent it off while I was reading.

And, since I am committed to writing anyway, recall that a host key goes into /etc/ssh. Personal keys go into ~/.ssh.

As to why I am not using the default name for the rsa host key: that is because I am testing and I would rather not disturb things too much given my ignorance of ssh matters.

I am startled to learn, if it is a fact, that existing SELinux policy is tied to the default file names. Given that the host key file names are user configurable in sshd_config, one would think that a slightly more flexible approach is called for.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On Tue, Feb 10, 2015 at 09:34:13AM -0500, James B. Byrne wrote:

> I am startled to learn, if it is a fact, that existing SELinux policy
> is tied to the default file names. Given that the host key file names
> are user configurable in in sshd_config one would think that a
> slightly more flexible approach is called for.

If you choose names that aren't part of the policy, you can always supplement the policy with your own rules.

The existing policy in CentOS7 is pretty flexible, it should mark files with the following patterns as sshd_key_t:

    /etc/ssh/ssh_host.*_key
    /etc/ssh/ssh_host.*_key.pub
    /etc/ssh/primes

In CentOS6, the policy is for:

    /etc/ssh/ssh_host_key.pub
    /etc/ssh/ssh_host_rsa_key.pub
    /etc/ssh/ssh_host_dsa_key.pub
    /etc/ssh/primes
    /etc/ssh/ssh_host_key
    /etc/ssh/ssh_host_dsa_key
    /etc/ssh/ssh_host_rsa_key

... which is a bit less flexible.

If you want to supplement the policy, you can run:

    semanage fcontext -a -t sshd_key_t "/etc/ssh/whatever_keyname_I_want"

... to update the local policy with your own rules. Then a `restorecon` will choose the correct type.

-- 
Jonathan Billings <billings at negate.org>
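An added example, not from anyone in this thread: a small Python checker that applies the CentOS 7 regexes and the CentOS 6 literal list quoted above to a proposed host key path, and emits the `semanage fcontext` / `restorecon` pair from Jonathan's reply for any name the default policy would not label `sshd_key_t`. It assumes the standard libselinux behaviour that file_contexts regexes are matched against the whole path (implicitly anchored at both ends), which is what makes a trailing `_4096` fall through to `etc_t`.

```python
import re

# Patterns as quoted in the reply: CentOS 7 ships regexes, CentOS 6 literal paths.
CENTOS7_PATTERNS = [
    r"/etc/ssh/ssh_host.*_key",
    r"/etc/ssh/ssh_host.*_key.pub",
    r"/etc/ssh/primes",
]
CENTOS6_PATHS = {
    "/etc/ssh/ssh_host_key.pub", "/etc/ssh/ssh_host_rsa_key.pub",
    "/etc/ssh/ssh_host_dsa_key.pub", "/etc/ssh/primes",
    "/etc/ssh/ssh_host_key", "/etc/ssh/ssh_host_dsa_key",
    "/etc/ssh/ssh_host_rsa_key",
}


def default_type(path, release):
    """Type the stock policy gives `path`, or None if it falls through
    to the generic /etc default (etc_t in the original restorecon output)."""
    if release == 7:
        # Assumption: file_contexts regexes are anchored, hence fullmatch,
        # so 'ssh_host_rsa_key_4096' does NOT satisfy 'ssh_host.*_key'.
        if any(re.fullmatch(p, path) for p in CENTOS7_PATTERNS):
            return "sshd_key_t"
        return None
    if release == 6:
        return "sshd_key_t" if path in CENTOS6_PATHS else None
    raise ValueError("only CentOS 6 and 7 patterns are known here")


def fcontext_fix(path):
    """Local-policy supplement from the reply, followed by the relabel step."""
    return [
        f'semanage fcontext -a -t sshd_key_t "{path}"',
        f'restorecon -v "{path}"',
    ]


def plan(paths, release):
    """Map each candidate host key path to 'ok' or the commands needed."""
    result = {}
    for path in paths:
        if not path.startswith("/etc/ssh/"):
            raise ValueError(f"host keys belong under /etc/ssh: {path}")
        result[path] = "ok" if default_type(path, release) else fcontext_fix(path)
    return result


if __name__ == "__main__":
    for p, action in plan(["/etc/ssh/ssh_host_rsa_key_4096"], 7).items():
        print(p, action)
```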