Al Biheiri - abiheiri@gmail

Dan, are you suggesting that we set .google_authenticator as ssh_home_t on a per-user basis?

meaning:
semanage fcontext -a -t ssh_home_t "/home/user01/.google_authenticator(/.*)?"
semanage fcontext -a -t ssh_home_t "/home/user02/.google_authenticator(/.*)?"

and so on?

The output of audit2allow seems to suggest allowing sshd_t a larger set of access to user_home_dir_t.
I suppose your method is more fine-grained in that sense.

root@jh:/home/toor/policies# ausearch -m avc -ts today|audit2allow

#============= sshd_t ==============
allow sshd_t user_home_dir_t:dir { write remove_name add_name };
allow sshd_t user_home_dir_t:file { rename write getattr read create unlink open };
allow sshd_t user_home_t:file { read getattr unlink open };

Re: Al Biheiri - abiheiri@gmail

user_home_dir_t is the top level of the home directory; no directories/files within the homedir should ever be labeled user_home_dir_t. I guess the best label for now on .google_authenticator is ssh_home_t. Allowing sshd_t to read/write any files within the homedir is what we are trying to avoid.
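The labeling approach from the reply, worked through as an added example (this is not code from either poster): instead of one semanage rule per user as in the question, a single file-context regex labels ~/.google_authenticator as ssh_home_t for every user under /home, the same way the stock policy labels HOME_DIR/.ssh, followed by the restorecon the question omits and a matchpathcon check. HOME_ROOT, GAUTH_APPLY, GAUTH_CHECK_USER and the gauth_* function names are this example's own assumptions, as is the choice of /home as the home root.

```shell
#!/bin/sh
# Added example, not from the thread: label every user's ~/.google_authenticator
# as ssh_home_t with ONE file-context rule instead of one rule per user, then
# relabel and verify. HOME_ROOT, GAUTH_APPLY, GAUTH_CHECK_USER and the function
# names are this example's own assumptions; homes are assumed to live directly
# under /home.
HOME_ROOT="${HOME_ROOT:-/home}"

# file_contexts regex: the file in any direct child of HOME_ROOT, written the
# same way the stock policy writes HOME_DIR/\.ssh(/.*)?. The dot is escaped so
# it matches only a literal dot, not any character.
gauth_regex() {
    printf '%s\n' "$1/[^/]+/\\.google_authenticator"
}

# The two commands that do the work: record the rule in the local policy store,
# then relabel so files that already exist pick up the new type.
gauth_commands() {
    regex=$(gauth_regex "$1")
    printf 'semanage fcontext -a -t ssh_home_t "%s"\n' "$regex"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Ask the loaded policy what label a user's file would get; touches nothing.
gauth_verify_cmd() {
    printf 'matchpathcon "%s/%s/.google_authenticator"\n' "$1" "$2"
}

# Default is a dry run that only prints the commands. GAUTH_APPLY=1 executes
# them (needs root and the semanage/restorecon tools installed).
if [ "${GAUTH_APPLY:-0}" = 1 ]; then
    gauth_commands "$HOME_ROOT" | sh -e
    gauth_verify_cmd "$HOME_ROOT" "${GAUTH_CHECK_USER:-user01}" | sh
else
    gauth_commands "$HOME_ROOT"
fi
```

The regex form also covers accounts created after the rule is added, which the per-user rules in the question do not. If a rule for that path already exists in the local store, semanage fcontext -a fails; use semanage fcontext -m to modify it instead. Changing the label only decides which type sshd_t must be allowed to access; whether your distribution's policy already grants sshd_t the file permissions seen in the AVCs on ssh_home_t can be checked with sesearch -A -s sshd_t -t ssh_home_t -c file before deciding that no local module is needed.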
