From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 13 Sep 2012 11:40:12 -0400
Subject: [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key
In-Reply-To: <1347479800-9847-1-git-send-email-bigon@debian.org>
References: <1347479800-9847-1-git-send-email-bigon@debian.org>
Message-ID: <5051FE5C.1090600@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 03:56 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville
>
> Since version 5.7, openssh supports ECDSA keys; properly label the private
> key file.
> --- policy/modules/services/ssh.fc | 1 + 1 file changed, 1 > insertion(+) > > diff --git a/policy/modules/services/ssh.fc > b/policy/modules/services/ssh.fc index 078bcd7..64b3e11 100644 --- > a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ > -3,6 +3,7 @@ HOME_DIR/\.ssh(/.*)? > gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/primes -- > gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- > gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_dsa_key -- > gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host_ecdsa_key > -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_rsa_key > -- gen_context(system_u:object_r:sshd_key_t,s0) > > /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) >

How about

/etc/ssh/.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)

Then we will not need to worry about this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBR/lwACgkQrlYvE4MpobOvdgCeMKvMsbrUyPdHySoDNqBGgYsT
9McAoJJpYrWXiPVGAsLCsU5JXwhwkgnD
=LvlC
-----END PGP SIGNATURE-----
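
Review bot: the line added in the "@@ -3,6 +3,7 @@" hunk of policy/modules/services/ssh.fc extends a per-algorithm list (ssh_host_key, ssh_host_dsa_key, ssh_host_rsa_key, now ssh_host_ecdsa_key), so a private host key of any type not yet listed will not be assigned sshd_key_t by this file until another entry is added. Consider replacing the enumerated entries with one regular-file pattern scoped to host keys, for example "/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)". File-context expressions are matched against the whole path, so the corresponding .pub files stay outside the pattern, and the ssh_host prefix keeps the match narrower than /etc/ssh/.*_key.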