diff --git a/cfe_internal/enterprise/federation/federation.cf b/cfe_internal/enterprise/federation/federation.cf
index 6149b4e2cd..9e64f45e0b 100644
--- a/cfe_internal/enterprise/federation/federation.cf
+++ b/cfe_internal/enterprise/federation/federation.cf
@@ -300,29 +300,34 @@ bundle agent transport_user
 expression => not(returnszero("$(default:paths.semanage) fcontext -l | grep '$(home)/.ssh(/.*)?'", "useshell")), if => fileexists("$(home)"); enabled.selinux_enabled::
+ # For all the files below it must be true that if they exist they need
+ # to have the right context.
+ # IOW, the following implication: if fileexists() then correct_context.
+ # IOW, the following OR: not(filexists()) or correct_context.
+ # not( and()) means that if for one of the files the implication is false, we get a true.
 "incorrect_ssh_context"
- expression => and( and(
- fileexists("$(home)"),
- fileexists("$(ssh_auth_keys)"),
- fileexists("$(ssh_priv_key)"),
- fileexists("$(ssh_pub_key)"),
- fileexists("$(ssh_config)")),
- or(
- regcmp(".*[\s:]ssh_home_t[\s:].*",
- execresult("ls -Z $(home) | grep .ssh",
- useshell)),
- regcmp(".*[\s:]ssh_home_t[\s:].*",
- execresult("ls -Z $(ssh_auth_keys)",
- useshell)),
- regcmp(".*[\s:]ssh_home_t[\s:].*",
- execresult("ls -Z $(ssh_priv_key)",
- useshell)),
- regcmp(".*[\s:]ssh_home_t[\s:].*",
- execresult("ls -Z $(ssh_pub_key)",
- useshell)),
- regcmp(".*[\s:]ssh_home_t[\s:].*",
- execresult("ls -Z $(ssh_config)",
- useshell))));
+ expression => not( and(
+ or(
+ not(fileexists("$(home)/.ssh")),
+ regcmp(".*[\s:]ssh_home_t[\s:].*",
+ execresult("$(default:paths.ls) -dZ $(home)/.ssh", noshell))),
+ or(
+ not(fileexists("$(ssh_auth_keys)")),
+ regcmp(".*[\s:]ssh_home_t[\s:].*",
+ execresult("$(default:paths.ls) -Z $(ssh_auth_keys)", noshell))),
+ or(
+ not(fileexists("$(ssh_priv_key)")),
+ regcmp(".*[\s:]ssh_home_t[\s:].*",
+ execresult("$(default:paths.ls) -Z $(ssh_priv_key)", noshell))),
+ or(
+ not(fileexists("$(ssh_pub_key)")),
+ regcmp(".*[\s:]ssh_home_t[\s:].*",
+ execresult("$(default:paths.ls) -Z $(ssh_pub_key)", noshell))),
+ or(
+ not(fileexists("$(ssh_config)")),
+ regcmp(".*[\s:]ssh_home_t[\s:].*",
+ execresult("$(default:paths.ls) -Z $(ssh_config)", noshell)))
+ ));
 users: "$(user)" policy
=> "present",
@@ -369,7 +374,7 @@ bundle agent transport_user
 # _stdlib_path_exists_ and paths. are defined is masterfiles/lib/paths.cf
 selinux_enabled.cftransport_fcontext_missing.default:_stdlib_path_exists_semanage:: "$(default:paths.semanage) fcontext -a -t ssh_home_t '$(home)/.ssh(/.*)?'";
- selinux_enabled.incorrect_ssh_context.default:_stdlib_exists_restorecon::
+ selinux_enabled.incorrect_ssh_context.default:_stdlib_path_exists_restorecon::
 "$(default:paths.restorecon) -R -F $(home)/.ssh/"; any::
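Review bot: Each `execresult(...)` inside the new `or(...)` pairs still runs when its `not(fileexists(...))` partner is already true, since CFEngine resolves nested function calls before the enclosing `or` is applied, so `$(default:paths.ls) -Z` is presumably spawned for absent files such as `$(ssh_priv_key)` on every agent run; the class result stays correct (an `ls` error cannot match `ssh_home_t`), but it costs a process per missing file and likely an error line in the output, and that trade-off deserves a comment on the `expression =>` line, e.g. `# execresult still runs for missing files; the ls error never matches the regex`. The added comment `# IOW, the following OR: not(filexists()) or correct_context.` misspells the function; it should read `fileexists()`. The regex literal `.*[\s:]ssh_home_t[\s:].*` is repeated five times; a single `vars:` string such as `"ssh_home_t_re" string => ".*[\s:]ssh_home_t[\s:].*";` referenced as `$(ssh_home_t_re)` in each `regcmp` would keep the five checks in sync. Bundle `transport_user` begins before this hunk and continues past it.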