I generated a new host key for one of our systems using:
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key_4096
I then ran 'ls -Z on the keys'
ll -Z *key* -rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key -rw-r--r--. root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key.pub -rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_key -rw-r--r--. root root system_u:object_r:sshd_key_t:s0 ssh_host_key.pub -rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_rsa_key -rw-------. root root unconfined_u:object_r:sshd_key_t:s0 ssh_host_rsa_key_4096 -rw-r--r--. root root unconfined_u:object_r:sshd_key_t:s0 ssh_host_rsa_key_4096.pub -rw-r--r--. root root system_u:object_r:sshd_key_t:s0 ssh_host_rsa_key.pub
As it seems odd, to me, that all the other files had a system_u user while the new had unconfined_u. So, I decided to run restorecon -v to presumably set the SELinux user correctly for the new keys: But that is not what happened:
restorecon -v *
restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key_4096.pub context unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
As you can see, not only did the user not get set to system_u but the type was changed to etc_t.
Why were the new key files changed from sshd_key_t types to the generic etc_t types? Why was the user not changed in either case from unconfined_u to system_u or vice versa?
There is no REQUIREMENT that a host key have a particular file name is there? The sshd_config provides for setting one explicitly and doing so seems to cause no problems with ssh connections that I have yet encountered.