> On Feb 9, 2015, at 12:27 PM, Robert Nichols <rnicholsNOSPAM at comcast.net> wrote:
>
> On 02/09/2015 11:14 AM, James B. Byrne wrote:
>> So, I decided to run restorecon -v to
>> ...
>> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
>> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>> ...
>> There is no REQUIREMENT that a host key have a particular file name, is
>> there? The sshd_config provides for setting one explicitly and doing
>> so seems to cause no problems with ssh connections that I have yet
>> encountered.
>
> The "system_u" vs. "unconfined_u" is inconsequential. That just comes
> from the process that set the label.
>
> Looking at the file labeling rules, only the 7 specific file names
> get a type of "sshd_key_t", and, strangely, not the /etc/ssh directory
> itself, so /restorecon/ will just make any other file there inherit
> the type of the directory, which is "etc_t". At first glance that looks
> like a bug, but perhaps there is some reason for that.

If you want to use a non-default filename for something, so that the pre-defined regexes which restorecon uses won't match on it, you can either add a new regex to the policy, which will be persistent, or just use chcon to set the type manually.

—
Mark Tinberg
mark.tinberg at wisc.edu
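The persistent option from the reply above, as an added example that is not part of the original message. It assumes `semanage` (policycoreutils) is the tool used to add the local rule; the function names and the `DRY_RUN` switch are made up here.

```bash
#!/bin/sh
# Added example (not from the thread). DRY_RUN, run, fcontext_spec and
# label_host_key are names made up here; semanage/restorecon/stat are real.

# File-context specs are regexes, so escape metacharacters in a literal path.
fcontext_spec() {
    printf '%s' "$1" | sed -e 's/[][\\.*^$+?(){}|]/\\&/g'
}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# label_host_key PATH [TYPE]: store a local rule, relabel, then verify.
label_host_key() {
    key=$1
    type=${2:-sshd_key_t}
    case $key in
        */../*) echo "refusing: $key contains .." >&2; return 2 ;;
        /etc/ssh/*) ;;
        *) echo "refusing: $key is not under /etc/ssh" >&2; return 2 ;;
    esac
    spec=$(fcontext_spec "$key")
    # Persistent: the rule is stored in the local file-context customizations,
    # so restorecon and full relabels keep the type. -m covers an existing rule.
    run semanage fcontext -a -t "$type" "$spec" ||
        run semanage fcontext -m -t "$type" "$spec" || return 1
    # Apply the stored rule to the file on disk.
    run restorecon -v "$key" || return 1
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    # Verify the type field of the context (user:role:type:level).
    case $(stat -c %C "$key") in
        *":$type:"*) return 0 ;;
        *) echo "label check failed for $key" >&2; return 1 ;;
    esac
}

# One-off alternative from the reply: chcon -t sshd_key_t PATH
# It changes only the label on disk; the next restorecon that covers the file
# puts it back to the policy default (etc_t here).
# Usage as root: label_host_key /etc/ssh/ssh_host_rsa_key_4096
```

Running it with `DRY_RUN=1` prints the two commands without touching the system, which is a convenient way to check the escaped spec before applying it.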