Drop fixes for bug 1113723

The fixes for bug 1113723 gave sshd more potential access than required to access Nova's ssh files. As of the RHEL / CentOS 7.3 SELinux base policy, the following line is present in the SELinux file context set: /var/lib/[^/]+/\.ssh(/.*)? all files system_u:object_r:ssh_home_t:s0 This removes the need for the fix for bug 1113723 by correcting the context of /var/lib/nova/.ssh/* to ssh_home_t, which sshd can already access. Resolves: rhbz#1211734 Signed-off-by: Lon Hohberger <lhh@redhat.com>
redhat-openstack · Feb 16, 2017 · 1d8c3bb · 1d8c3bb
1 parent b63de70
commit 1d8c3bb
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 5 deletions.
diff --git a/local_settings.sh b/local_settings.sh
@@ -23,6 +23,7 @@ relabel_files()
 	do_echo "Relabeling files..."
 	$SBINDIR/restorecon -Rv $BINDIR/swift* \
 				$LOCALSTATEDIR/run/swift \
+				$SHAREDSTATEDIR/nova/.ssh \
 				/srv \
 				$BINDIR/neutron* \
 				$LOCALSTATEDIR/run/redis \

diff --git a/os-nova.te b/os-nova.te
@@ -7,7 +7,6 @@ gen_require(`
 	type nova_scheduler_t;
 	type nova_console_t;
 	type nova_cert_t;
-	type sshd_t;
 	type sssd_var_lib_t;
 	type cert_t;
 	type nova_log_t;
@@ -59,9 +58,6 @@ allow nova_network_t self:capability2 block_suspend;
 # Bugzilla 1083566
 allow nova_network_t initrc_var_run_t:file read;
 
-# Bugzilla 1113723
-allow sshd_t nova_var_lib_t:file { getattr read open };
-
 # Bugzilla 1135510
 allow nova_api_t sssd_var_lib_t:sock_file write;
 allow nova_scheduler_t cert_t:file { read getattr open };

diff --git a/tests/bz1113723 b/tests/bz1113723