Description of problem:
The Crypto policies in server requires some changes in the SSHD server structure and we went a way of simple script instead of modification of the SSHD server itself.

From there we need to create a temporary files under /run/openssh/, but the sshd server is not allowed to read the files with the labels under this path.

So far, there is a hack in the PreStart script, that changes the label to etc_t from var_run_t so we can start the daemon.

ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME

Better solution would be to create a special label for this file (and directory) so it is accessible only by the SSHD.

The AVC we are getting without this workaround:
type=AVC msg=audit(1501604780.224:775): avc:  denied  { read } for  pid=2789 comm="sshd" name="sshd_config" dev="tmpfs" ino=59058 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Alternatively we can also create some policy for helper script /usr/libexec/openssh/sshd-pre

Version-Release number of selected component (if applicable):
Fedora 27

How reproducible:
always

Steps to Reproduce:
1. Install openssh
2. Remove the above workaround from /usr/libexec/openssh/sshd-pre
3. Remove /run/openssh/sshd_config
4. Restart the sshd service

Actual results:
The service fails, the above AVC is visible in the audit log

Expected results:
The service starts, no AVCs

Additional info:

https://fedoraproject.org/wiki/Changes/OpenSSH_Server_Crypto_Policy