From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 13 Sep 2012 16:33:57 -0400
Subject: [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key
In-Reply-To: <20120913182419.4c73f1e2@eldamar.bigon.be>
References: <1347479800-9847-1-git-send-email-bigon@debian.org> <5051FE5C.1090600@redhat.com> <20120913182419.4c73f1e2@eldamar.bigon.be>
Message-ID: <50524335.6020003@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/13/2012 12:24 PM, Laurent Bigonville wrote:
> On Thu, 13 Sep 2012 11:40:12 -0400, Daniel J Walsh wrote:
>
>> How about /etc/ssh/.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
>>
>> Then we will not need to worry about this.
>
> That could indeed be a solution.
>
> I've another question about the labels on these files.
>
> On Debian, ssh-keygen is run by the post-installation script of the package
> which could run in the unconfined_t domain, that means that the files could
> not be labeled correctly at their creation.
>
> Dominick was suggesting to use named file transitions so they would be
> labeled correctly even in that case.
>
> Does anybody have an opinion on this?
>
> Cheers
>
> Laurent Bigonville
>

We are currently running ssh_keygen as ssh_keygen_t, but using named file trans is a better solution.
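The two mechanisms discussed in this thread, the single file-context pattern and the named file transitions, as an added illustration that is not part of the thread or of refpolicy itself. It assumes refpolicy's existing sshd_key_t and ssh_keygen_t types, that the /etc/ssh directory carries etc_t, and that the files_etc_filetrans interface accepts the optional filename argument.

```selinux
# Added example, not from this thread or from refpolicy.
# Assumptions: /etc/ssh is labeled etc_t; files_etc_filetrans takes a
# fourth, filename argument (named file transition support).

# --- ssh.fc: one pattern for every host private key, as proposed above.
# Matches ssh_host_rsa_key, ssh_host_ecdsa_key, ... but not the .pub files,
# which keep etc_t.  A file-context entry only governs relabeling
# (setfiles, restorecon); it says nothing about the label a freshly
# created file receives, which is the gap Laurent describes.
/etc/ssh/.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)

# --- ssh.te: named file transitions for the domain that runs ssh-keygen.
# When ssh_keygen_t creates a file with exactly this name in an etc_t
# directory, the kernel labels it sshd_key_t at creation time, so the
# key never exists on disk as etc_t and no restorecon is needed.
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file, "ssh_host_rsa_key")
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file, "ssh_host_dsa_key")
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file, "ssh_host_ecdsa_key")

# The same rule with the package's post-install domain (unconfined_t in
# the Debian case) as the source covers keys generated at install time.

# Equivalent raw kernel policy statement, for reference:
#   type_transition ssh_keygen_t etc_t:file sshd_key_t "ssh_host_ecdsa_key";
# The name match is exact, not a regex, so each key file needs its own
# rule; a newly introduced key type (like ecdsa here) needs a new entry
# even though the .fc regex above already covers it for relabeling.
```

Name-based type_transition rules require policy version 25 or later (kernel 2.6.39 and up); on older kernels only the un-named form, which transitions every file created in the directory, is understood.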