Re: [CentOS] SELinux context for ssh host keys?

2015-02-10 Thread James B. Byrne

On Tue, February 10, 2015 04:18, Andrew Holway wrote:
> On 10 February 2015 at 06:32, Mark Tinberg mark.tinb...@wisc.edu
> wrote:
>
>> On Feb 9, 2015, at 12:27 PM, Robert Nichols
>> rnicholsnos...@comcast.net
>> wrote:
>>
>>> On 02/09/2015 11:14 AM, James B. Byrne wrote:
>>>> So, I decided to run restorecon -v to
>>
>> ...
>>>> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
>>>> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
> Why are you putting your SSH key in /etc/ ?
>
> With SELinux it's normally better to go with the flow. Find out which
> directories have the desired label and keep your objects in there.
>
> I'm guessing in this case ~/.ssh/

--
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux context for ssh host keys?

2015-02-10 Thread Jonathan Billings
On Tue, Feb 10, 2015 at 09:34:13AM -0500, James B. Byrne wrote:
> I am startled to learn, if it is a fact, that existing SELinux policy
> is tied to the default file names.  Given that the host key file names
> are user configurable in sshd_config one would think that a
> slightly more flexible approach is called for.

If you choose names that aren't part of the policy, you can always
supplement the policy with your own rules.  The existing policy in
CentOS7 is pretty flexible, it should mark files with the following
patterns as sshd_key_t:
/etc/ssh/ssh_host.*_key,
/etc/ssh/ssh_host.*_key.pub,
/etc/ssh/primes

In CentOS6, the policy is for:
/etc/ssh/ssh_host_key.pub,
/etc/ssh/ssh_host_rsa_key.pub,
/etc/ssh/ssh_host_dsa_key.pub,
/etc/ssh/primes,
/etc/ssh/ssh_host_key,
/etc/ssh/ssh_host_dsa_key,
/etc/ssh/ssh_host_rsa_key

... which is a bit less flexible.

If you want to supplement the policy, you can run:

semanage fcontext -a -t sshd_key_t /etc/ssh/whatever_keyname_I_want

... to update the local policy with your own rules.  Then a
`restorecon` will choose the correct type.

-- 
Jonathan Billings billi...@negate.org


Re: [CentOS] SELinux context for ssh host keys?

2015-02-10 Thread James B. Byrne

On Tue, February 10, 2015 09:25, James B. Byrne wrote:

By mistake.  Sorry for the otherwise empty quoted reply.  I have no
idea what I pressed that sent it off while I was reading.

And, since I am committed to writing anyway, recall that a host key
goes into /etc/ssh.  Personal keys go into ~/.ssh.

As to why I am not using the default name for the rsa host key. That
is because I am testing and I would rather not disturb things too much
given my ignorance of ssh matters.

I am startled to learn, if it is a fact, that existing SELinux policy
is tied to the default file names.  Given that the host key file names
are user configurable in sshd_config one would think that a
slightly more flexible approach is called for.

--
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] SELinux context for ssh host keys?

2015-02-10 Thread Andrew Holway
On 10 February 2015 at 06:32, Mark Tinberg mark.tinb...@wisc.edu wrote:

> On Feb 9, 2015, at 12:27 PM, Robert Nichols rnicholsnos...@comcast.net
> wrote:
>
>> On 02/09/2015 11:14 AM, James B. Byrne wrote:
>>> So, I decided to run restorecon -v to
>
> ...
>>> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
>>> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0

Why are you putting your SSH key in /etc/ ?

With SELinux it's normally better to go with the flow. Find out which
directories have the desired label and keep your objects in there.

I'm guessing in this case ~/.ssh/


Re: [CentOS] SELinux context for ssh host keys?

2015-02-09 Thread Mark Tinberg

> On Feb 9, 2015, at 12:27 PM, Robert Nichols rnicholsnos...@comcast.net
> wrote:
>
>> On 02/09/2015 11:14 AM, James B. Byrne wrote:
>>> So, I decided to run restorecon -v to
>
...
>>> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
>>> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
...
>>> There is no REQUIREMENT that a host key have a particular file name is
>>> there?  The sshd_config provides for setting one explicitly and doing
>>> so seems to cause no problems with ssh connections that I have yet
>>> encountered.
>
>> The system_u vs. unconfined_u is inconsequential. That just comes
>> from the process that set the label.
>>
>> Looking at the file labeling rules, only the 7 specific file names
>> get a type of sshd_key_t, and, strangely, not the /etc/ssh directory
>> itself, so /restorecon/ will just make any other file there inherit
>> the type of the directory, which is etc_t. At first glance that looks
>> like a bug, but perhaps there is some reason for that.

If you want to use a non-default filename for something, so that the 
pre-defined regexes which restorecon uses won’t match on it, you can either add 
a new regex to the policy which will be persistent or just use chcon to set the 
type manually.
--
Mark Tinberg
mark.tinb...@wisc.edu



Re: [CentOS] SELinux context for ssh host keys?

2015-02-09 Thread Robert Nichols

On 02/09/2015 11:14 AM, James B. Byrne wrote:
> So, I decided to run restorecon -v to
> presumably set the SELinux user correctly for the new keys:  But that
> is not what happened:
>
> restorecon -v *
>
> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
> restorecon reset /etc/ssh/ssh_host_rsa_key_4096.pub context
> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
> As you can see, not only did the user not get set to system_u but the
> type was changed to etc_t.
>
> Why were the new key files changed from sshd_key_t types to the
> generic etc_t types?  Why was the user not changed in either case from
> unconfined_u to system_u or vice versa?
>
> There is no REQUIREMENT that a host key have a particular file name is
> there?  The sshd_config provides for setting one explicitly and doing
> so seems to cause no problems with ssh connections that I have yet
> encountered.

The system_u vs. unconfined_u is inconsequential. That just comes
from the process that set the label.

Looking at the file labeling rules, only the 7 specific file names
get a type of sshd_key_t, and, strangely, not the /etc/ssh directory
itself, so /restorecon/ will just make any other file there inherit
the type of the directory, which is etc_t. At first glance that looks
like a bug, but perhaps there is some reason for that.

Ask about it on the selinux list at lists.fedoraproject.org.

--
Bob Nichols     NOSPAM is really part of my email address.
                Do NOT delete it.

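The following is an added example, not code posted by anyone in this thread. It ties together Jonathan's list of sshd_key_t file-context specs for CentOS 6 and CentOS 7, Mark's point that a policy rule is persistent where chcon is not, and Robert's observation that a name outside the 7 literal entries falls back to etc_t. The regexes and file names are the ones Jonathan quotes; SELinux anchors every file_contexts regex at both ends, so the functions add ^ and $ to get the same result. The helper names (predict_type_el7, predict_type_el6, label_custom_host_key) are mine, and the two predict functions only model the policy text, they do not query a running system; label_custom_host_key runs the real semanage and restorecon commands and does nothing where those tools are absent.

```shell
#!/bin/sh
# Added example: model the CentOS 6/7 sshd_key_t file-context specs quoted in
# the thread, and wrap the persistent semanage fix. Helper names are mine.

# CentOS 7 specs from Jonathan's message. file_contexts regexes are anchored
# at both ends by SELinux, so ^ and $ are added here to behave the same way.
predict_type_el7() {
    for spec in '^/etc/ssh/ssh_host.*_key$' \
                '^/etc/ssh/ssh_host.*_key\.pub$' \
                '^/etc/ssh/primes$'; do
        if printf '%s\n' "$1" | grep -Eq "$spec"; then
            echo sshd_key_t
            return 0
        fi
    done
    # No sshd_key_t spec matched: the generic /etc rule wins, giving etc_t.
    echo etc_t
}

# CentOS 6 specs are literal names (the 7 entries Robert and Jonathan cite),
# so any other name, ssh_host_ecdsa_key for instance, is not covered there.
predict_type_el6() {
    case $1 in
        /etc/ssh/ssh_host_key|/etc/ssh/ssh_host_key.pub|\
        /etc/ssh/ssh_host_rsa_key|/etc/ssh/ssh_host_rsa_key.pub|\
        /etc/ssh/ssh_host_dsa_key|/etc/ssh/ssh_host_dsa_key.pub|\
        /etc/ssh/primes)
            echo sshd_key_t ;;
        *)
            echo etc_t ;;
    esac
}

# Persistent fix (Jonathan's semanage command, Mark's "add a regex" option):
# record a local file-context rule for the key and its .pub, then relabel.
# semanage's path argument is itself a regex, so the dot in .pub is escaped.
# Unlike chcon, the rule survives the next restorecon or a full relabel.
label_custom_host_key() {
    key=$1
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not installed; nothing changed" >&2
        return 2
    fi
    semanage fcontext -a -t sshd_key_t "$key" || return
    semanage fcontext -a -t sshd_key_t "${key}\\.pub" || return
    restorecon -v "$key" "${key}.pub" || return
    ls -Z "$key" "${key}.pub"
}

# Walk the name from the thread plus a few variants to show where the
# regex-based CentOS 7 policy and the literal CentOS 6 policy differ.
for p in /etc/ssh/ssh_host_rsa_key \
         /etc/ssh/ssh_host_rsa_key_4096 \
         /etc/ssh/ssh_host_rsa_key_4096.pub \
         /etc/ssh/ssh_host_rsa4096_key \
         /etc/ssh/ssh_host_ed25519_key; do
    printf '%-40s el7=%-10s el6=%s\n' "$p" \
        "$(predict_type_el7 "$p")" "$(predict_type_el6 "$p")"
done
```

The model makes the original symptom concrete: ssh_host_rsa_key_4096 ends in _4096, not _key, so neither CentOS 7 regex matches it and restorecon falls through to etc_t, whereas ssh_host_rsa4096_key would have been labeled correctly on CentOS 7 without any policy change (and still not on CentOS 6). On a real box, matchpathcon /etc/ssh/ssh_host_rsa_key_4096 prints what restorecon will choose, and semanage fcontext -l -C lists only the local rules you added, which is what you carry to the next machine; if a rule for the path already exists, semanage fcontext -m replaces it where -a would refuse.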