[refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key

Daniel J Walsh dwalsh at redhat.com
Thu Sep 13 10:40:12 CDT 2012


On 09/12/2012 03:56 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon at bigon.be>
> 
> Since version 5.7, openssh supports ECDSA keys; properly label the private
> key file.
> ---
>  policy/modules/services/ssh.fc |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/services/ssh.fc
> b/policy/modules/services/ssh.fc index 078bcd7..64b3e11 100644 ---
> a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@
> -3,6 +3,7 @@ HOME_DIR/\.ssh(/.*)?
> gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/primes			--
> gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key 		--
> gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_dsa_key	--
> gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host_ecdsa_key
> --	gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_rsa_key
> --	gen_context(system_u:object_r:sshd_key_t,s0)
> 
> /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
> 
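Review bot: the added /etc/ssh/ssh_host_ecdsa_key entry continues a one-line-per-algorithm list (ssh_host_key, ssh_host_dsa_key, ssh_host_rsa_key), so the private host key of any key type not listed here will not get sshd_key_t until this file is patched again. Consider a single pattern for the host private keys in place of the enumerated entries, keeping the `--` specifier so only regular files match, and confirm that the pattern leaves the corresponding public key files out.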
How about

/etc/ssh/.*_key --	gen_context(system_u:object_r:sshd_key_t,s0)

Then we will not need to worry about this.


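An added example (not part of the thread or of refpolicy) comparing which paths the enumerated entries and the proposed `/etc/ssh/.*_key` pattern would label `sshd_key_t`. It assumes file-context regexes must match the whole path, as libselinux does, models only the `--` (regular file) specifier, and uses a constructed directory listing.

```python
import re

# Path regexes from the thread; every entry carries the `--` specifier.
ENUMERATED = [
    r"/etc/ssh/ssh_host_key",
    r"/etc/ssh/ssh_host_dsa_key",
    r"/etc/ssh/ssh_host_ecdsa_key",
    r"/etc/ssh/ssh_host_rsa_key",
]
WILDCARD = [r"/etc/ssh/.*_key"]

# Constructed sample listing: (path, kind), kind is "file" or "dir".
SAMPLE = [
    ("/etc/ssh/ssh_host_key", "file"),
    ("/etc/ssh/ssh_host_dsa_key", "file"),
    ("/etc/ssh/ssh_host_ecdsa_key", "file"),
    ("/etc/ssh/ssh_host_rsa_key", "file"),
    ("/etc/ssh/ssh_host_rsa_key.pub", "file"),
    ("/etc/ssh/ssh_host_ed25519_key", "file"),   # key type absent from the list
    ("/etc/ssh/old/ssh_host_rsa_key", "file"),   # copy kept in a subdirectory
    ("/etc/ssh/backup_key", "dir"),              # directory, excluded by `--`
    ("/etc/ssh/sshd_config", "file"),
]

def labelled(specs, entries=SAMPLE):
    """Paths a set of `--` specs would label sshd_key_t (whole-path match)."""
    compiled = [re.compile(s) for s in specs]
    return sorted(
        path for path, kind in entries
        if kind == "file" and any(rx.fullmatch(path) for rx in compiled)
    )

def coverage_diff(entries=SAMPLE):
    """Return (paths only the wildcard labels, paths only the list labels)."""
    enum = set(labelled(ENUMERATED, entries))
    wild = set(labelled(WILDCARD, entries))
    return sorted(wild - enum), sorted(enum - wild)

if __name__ == "__main__":
    only_wild, only_enum = coverage_diff()
    print("labelled only by the wildcard:", only_wild)
    print("labelled only by the enumerated list:", only_enum)
```

The wildcard picks up the unlisted key type and, because `.*` also matches `/`, files ending in `_key` in subdirectories of /etc/ssh; the `.pub` file is not matched by either form.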