Bug 1046025

Summary: /etc/ssh/ssh_host_ecdsa_key* have a worng etc_t type
Product: [Fedora] Fedora Reporter: Petr Lautrbach <plautrba>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: aschorr, cristian.ciupitu, dominick.grift, dwalsh, kenny, lvrabec, mattias.ellert, mgrepl, michal, plautrba, reklov, sergio.pasra, tmraz, tom
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1023945 Environment:
Last Closed: 2014-02-05 23:25:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1023945    
Bug Blocks:    

Description Petr Lautrbach 2013-12-23 09:16:26 UTC 
+++ This bug was initially created as a clone of Bug #1023945 +++

As of openssh-6.3p1-4.fc20.x86_64, we have EC activated and creating user keys works. But the host wide key /etc/ssh/ssh_host_ecdsa_key hasn't been created. 


--- Additional comment from Michal Jaegermann on 2013-12-22 00:48:09 CET ---

As an extra attraction I just updated a laptop which so far did not have ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub files.  All *_key* files ended up with system_u:object_r:sshd_key_t:s0 selinux labels with a notable exception of ssh_host_ecdsa_key.pub.  The last one was created with system_u:object_r:etc_t:s0 for a lablel.  Is that really intended?


------


# rpm -q selinux-policy
selinux-policy-3.11.1-108.fc18.noarch


# matchpathcon /etc/ssh/ssh_host_ecdsa_key*
/etc/ssh/ssh_host_ecdsa_key     system_u:object_r:etc_t:s0
/etc/ssh/ssh_host_ecdsa_key.pub system_u:object_r:etc_t:s0
Comment 1 Tom Hughes 2013-12-23 09:27:30 UTC 
Well both things are true I think - it doesn't create it if the RSA and DSA keys already exist because of the conditions in the keygen unit and if the other reports are correct then when it does create it the label is wrong.
Comment 2 Lukas Vrabec 2013-12-23 13:57:47 UTC 
Hi, 

I made fix for this.

commit f456fe2a952a9208927cad5a306bc27d87ffd014
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 23 14:54:24 2013 +0100

    Fixed labels for sshd keys


# matchpathcon /etc/ssh/ssh_host_ecdsa_key*
/etc/ssh/ssh_host_ecdsa_key     system_u:object_r:sshd_key_t:s0
/etc/ssh/ssh_host_ecdsa_key.pub system_u:object_r:sshd_key_t:s0
Comment 3 Fedora Update System 2014-01-09 19:08:11 UTC 
selinux-policy-3.11.1-109.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-109.fc18
Comment 4 Fedora Update System 2014-01-10 07:44:40 UTC 
Package selinux-policy-3.11.1-109.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-109.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0515/selinux-policy-3.11.1-109.fc18
then log in and leave karma (feedback).
Comment 5 Fedora End Of Life 2014-02-05 23:25:24 UTC 
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.