commit: 2a0d52aa43e15264642fcfacc8996adfd02a0724
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 02:22:41 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:49 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a0d52aa
ssh: allow ssh_keygen to read /usr/share/crypto-policies/
With RHEL9 /etc/crypto-policies/back-ends are symlinks to
/usr/share/crypto-policies/*/*
node=localhost type=AVC msg=audit(1661303919.946:335): avc: denied { getattr }
for pid=1025 comm="ssh-keygen"
path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589
scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc: denied { read }
for pid=1025 comm="ssh-keygen" name="opensslcnf.txt" dev="dm-0" ino=396589
scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc: denied { open }
for pid=1025 comm="ssh-keygen"
path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589
scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/ssh.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index ce320c6a..aa0766bb 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -354,6 +354,7 @@ term_dontaudit_use_console(ssh_keygen_t)
domain_use_interactive_fds(ssh_keygen_t)
files_read_etc_files(ssh_keygen_t)
+files_read_usr_files(ssh_keygen_t)
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
