From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 13 Sep 2012 16:33:57 -0400
Subject: [refpolicy] [PATCH 1/2] Properly label
 /etc/ssh/ssh_host_ecdsa_key private key
In-Reply-To: <20120913182419.4c73f1e2@eldamar.bigon.be>
References: <1347479800-9847-1-git-send-email-bigon@debian.org>
	<5051FE5C.1090600@redhat.com>
	<20120913182419.4c73f1e2@eldamar.bigon.be>
Message-ID: <50524335.6020003@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/13/2012 12:24 PM, Laurent Bigonville wrote:
> Le Thu, 13 Sep 2012 11:40:12 -0400, Daniel J Walsh <dwalsh@redhat.com> a
> ?crit :
> 
>> How about /etc/ssh/.*_key -- 
>> gen_context(system_u:object_r:sshd_key_t,s0)
>> 
>> Then we will not need to worry about this.
> 
> That could be indeed be a solution.
> 
> I've another question about the labels on these files.
> 
> On Debian, ssh-keygen is run by the post-installation script of the package
> which could run in the unconfined_t domain, that means that the files could
> not be labeled correctly at their creation.
> 
> Dominick was suggesting to use named file transitions so they would be 
> labeled correctly even in that case.
> 
> Does anybody have a opinion on this?
> 
> Cheers
> 
> Laurent Bigonville
> 
We are currently running ssh_keygen as ssh_keygen_t, but using named file
trans is a better solution.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBSQzUACgkQrlYvE4MpobNf9gCgjyWWnnkV0r72TPuYRk4m6Bpi
qDQAn3urAdRPqYrJDA2f/TwxvB1dJyz/
=AuVK
-----END PGP SIGNATURE-----