From: bigon@debian.org (Laurent Bigonville)
Date: Thu, 13 Sep 2012 18:24:19 +0200
Subject: [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key
In-Reply-To: <5051FE5C.1090600@redhat.com>
References: <1347479800-9847-1-git-send-email-bigon@debian.org> <5051FE5C.1090600@redhat.com>
Message-ID: <20120913182419.4c73f1e2@eldamar.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 13 Sep 2012 11:40:12 -0400, Daniel J Walsh wrote:

> How about /etc/ssh/.*_key --
> gen_context(system_u:object_r:sshd_key_t,s0)
>
> Then we will not need to worry about this.

That could indeed be a solution.

I've another question about the labels on these files. On Debian, ssh-keygen is run by the post-installation script of the package which could run in the unconfined_t domain; that means that the files could not be labeled correctly at their creation. Dominick was suggesting to use named file transitions so they would be labeled correctly even in that case.

Does anybody have an opinion on this?

Cheers

Laurent Bigonville