True true. I was just trying to keep it simple. Most people I deal with, I don't have time to explain rules.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of James Hogarth
Sent: Saturday, May 09, 2015 1:47 AM
To: CentOS mailing list
Subject: Re: [CentOS] Q: respecting .ssh/id_rsa

On 8 May 2015 20:41, "Conley, Matthew M CTR GXM" <matthew.m.conley1.ctr@navy.mil> wrote:
chmod 0700 .ssh
chmod 0600 .ssh/*

Keys can fail if you don't have that set up correctly. Also do:

grep sshd /var/log/audit/audit.log | audit2allow -m sshd  # Will let you see what modules it will create.
grep sshd /var/log/audit/audit.log | audit2allow -M sshd  # Creates the modules
semodule -i sshd.pp

grep ssh /var/log/audit/audit.log | audit2allow -m ssh  # Will let you see what modules it will create.
grep ssh /var/log/audit/audit.log | audit2allow -M ssh  # Creates the modules
semodule -i ssh.pp
sshd is the server; ssh is the client.
<cleveland>No no no no nooooo </Cleveland>
Blindly running audit2allow and creating modules weakens your security not enhances it.
If you have not messed up your labeling then SSH will have no problem reading keys - SSH keys are fully supported under the policy shipped with CentOS.
If you are mounting your home elsewhere do:
semanage fcontext -a -e /home /mynewspecialhome
restorecon -Rv /mynewspecialhome
That will fix any selinux labelling issues of your home directories properly.
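
Added example, not part of the thread: a small triage of sshd AVC denials that separates labelling faults (fixed with `semanage fcontext -e` and `restorecon`, as above) from denials that need a human to read them, instead of piping everything into audit2allow. It assumes the stock targeted policy labels `~/.ssh` and its files `ssh_home_t`; the log records and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: sort sshd AVC denials into RELABEL and REVIEW before anyone
# reaches for audit2allow.
# Assumption: the stock targeted policy labels ~/.ssh and its files ssh_home_t.
EXPECTED_TYPE="ssh_home_t"

# avc_field KEY LINE: print the value of KEY=value from one audit record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Reads audit records on stdin; prints "<name> <target type> <action>".
triage_sshd_avc() {
    grep 'avc:.*denied' | grep 'comm="sshd"' | while IFS= read -r rec; do
        name=$(avc_field name "$rec")
        ttype=$(avc_field tcontext "$rec" | cut -d: -f3)
        action=REVIEW   # default: read the denial, do not auto-allow it
        case "$name" in
            .ssh|authorized_keys*)
                # Key material carrying the wrong type is a labelling fault:
                # repair it with semanage fcontext -e / restorecon.
                if [ "$ttype" != "$EXPECTED_TYPE" ]; then action=RELABEL; fi ;;
        esac
        printf '%s %s %s\n' "${name:--}" "$ttype" "$action"
    done
}

# Constructed sample records (not taken from the thread): a mislabelled
# authorized_keys under a relocated home, a port bind, and an unrelated httpd hit.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1431100000.101:501): avc:  denied  { read } for  pid=2101 comm="sshd" name="authorized_keys" dev="dm-2" ino=4711 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1431100050.202:502): avc:  denied  { name_bind } for  pid=2150 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1431100090.303:503): avc:  denied  { getattr } for  pid=2200 comm="httpd" path="/srv/www/index.html" dev="dm-2" ino=4800 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
EOF
}

sample_log | triage_sshd_avc
```

On a real host, feed it `grep sshd /var/log/audit/audit.log`; a RELABEL line means the policy already allows the access once the file context is correct.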