Allow cloud init to domtrans into ssh keygen (bsc#1249964) #2874
Conversation
policy/modules/contrib/cloudform.te
Outdated
| ') | ||
|
|
||
| optional_policy(` | ||
| ssh_domtrans_keygen(cloud_init_t) |
There was a problem hiding this comment.
This should be together with other ssh interfaces in one optional block. If you move it, you can notice ssh_exec_keygen() is now ineffective, so I need to ask for justification.
There was a problem hiding this comment.
thanks, I got bitten by assuming the interface calls were ordered and overlooked the other interface calls. Justification is that the key files created upon the first boot when using this mechanism will have etc_t as type instead of the dedicated type. Doesn't cause issues AFAICS
There was a problem hiding this comment.
@zpytela is that acceptable to you?
There was a problem hiding this comment.
LGTM, but I am kind-of reluctant pushing it to current releases as we only have basic test coverage, so cannot evaluate the impact.
There was a problem hiding this comment.
Understood. Works on SLE 16 cloud images, but unfortunately they're not public yet, so I can't make them available. There's no hurry, can be kept here until after the release
Ohterwise creating ssh keys via cloud init will result in type etc_t for the key files
2 participants
Ohterwise creating ssh keys via cloud init will result in type etc_t for the key files