SCIENTIFIC-LINUX-USERS Archives

November 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Thomas Hartmann <[log in to unmask]>
Reply To:
Thomas Hartmann <[log in to unmask]>
Date:
Fri, 28 Nov 2014 11:33:44 +0100
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (1802 bytes) , smime.p7s (5 kB)
Hi all,

is there a way to keep SELinux enabled and ssh-login with keyfiles that
are located on NFS mounted directories?

AFAIS the problem is:

* for ssh-related files a dedicated security context 'ssh_home_t' is
defined in SELinux
* since NFS does not support extended file attributes, all nfs-mounted
files have the context 'nfs_t' - and, thus, cannot be changed

> chcon -t ssh_home_t $HOME/.ssh/authorized_keys
chcon: failed to change context of
`/NFS/PATH/TO/HOME/.ssh/authorized_keys' to
`system_u:object_r:ssh_home_t:s0': Operation not supported

('restorecon -R -v NFSSSHPATH' is not helpful, since it kept the default
NFS context - since it is NFS)


* so, I cannot login via ssh-keyfiles since the authorized_keys file is
stuck in the 'wrong' nfs context

* I already tried to generate a rule from the auditing output - however,
the audit information is not sufficient for any rule, just generating
an empty module

> grep "sshd" /var/log/audit/audit.log | grep "res=failed" | grep
"pubkey" | audit2allow -m sshkeylogin

module sshkeylogin 1.0;


example audit log line
type=USER_AUTH msg=audit(1417167421.435:491): user pid=1234 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey
acct="USERNAME" exe="/usr/sbin/sshd" hostname=? addr=141.52.72.77
terminal=ssh res=failed'

>>>

* so at the moment I have changed SELinux again to permissive
** but is there a way to set only specific rules in SELinux to
permissive? I.e., to keep the remaining framework in enforcing but only
be permissive in the ssh rule set?

Or is there another way to get SELinux and NFS mounted homes together?
I.e., disabling all file attribute checks for NFS files - which is
probably a 'suboptimal' usage of an active SELinux close to permissive...

Cheers and thanks for ideas,
  Thomas
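The following is an added example for this thread, not code from the post above. It reproduces the filtering done with the grep pipeline in the post as a reusable shell function, extracts the timestamp, account and source address from each failed sshd public-key authentication, and runs it over three constructed USER_AUTH records that follow the field layout of the line quoted above (account names and 192.0.2.x addresses are made up). The third function is an optional live check of the SELinux boolean that governs whether confined services may use NFS home directories; it is only run when the SELinux tools are present.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Constructed sample records (layout follows the audit line quoted in the
# thread; pids, accounts, timestamps and addresses are made up). One failed
# pubkey attempt, one successful pubkey attempt, one failed password attempt.
sample_audit_log() {
  printf '%s\n' \
    "type=USER_AUTH msg=audit(1417167421.435:491): user pid=1234 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct=\"alice\" exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 terminal=ssh res=failed'" \
    "type=USER_AUTH msg=audit(1417167430.112:492): user pid=1235 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct=\"bob\" exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.11 terminal=ssh res=success'" \
    "type=USER_AUTH msg=audit(1417167440.500:493): user pid=1236 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct=\"carol\" exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.12 terminal=ssh res=failed'"
}

# Read audit records on stdin and print "epoch-timestamp account address"
# for every failed sshd public-key authentication. This is the same filter
# as the grep chain in the post, anchored on the USER_AUTH record type and
# the sshd executable so unrelated lines containing "sshd" are not matched.
failed_pubkey_logins() {
  grep 'type=USER_AUTH' \
    | grep 'exe="/usr/sbin/sshd"' \
    | grep 'op=pubkey' \
    | grep 'res=failed' \
    | sed -n 's/.*msg=audit(\([0-9.]*\):[0-9]*).*acct="\([^"]*\)".*addr=\([^ ]*\).*/\1 \2 \3/p'
}

# Number of failed pubkey attempts in the constructed sample.
count_failed_pubkey_logins() {
  sample_audit_log | failed_pubkey_logins | wc -l | tr -d ' '
}

# Live check (only meaningful on an SELinux host): report the current value
# of the use_nfs_home_dirs boolean, which is the policy switch that lets
# confined daemons such as sshd read home directories labelled nfs_t.
# Prints "unavailable" when getsebool is not installed, so the script still
# runs on hosts without SELinux tooling.
report_nfs_home_boolean() {
  if command -v getsebool >/dev/null 2>&1; then
    getsebool use_nfs_home_dirs 2>/dev/null || echo "use_nfs_home_dirs: not defined in this policy"
  else
    echo "unavailable"
  fi
}

# Stand-alone run: show the extracted failures, then the boolean state.
sample_audit_log | failed_pubkey_logins
report_nfs_home_boolean
```

Run as a plain `sh script.sh`; on the constructed sample it prints one line, `1417167421.435 alice 192.0.2.10`, followed by the boolean state. To use it on a real host, replace `sample_audit_log` with `cat /var/log/audit/audit.log` (reading the log requires root). Note why the audit2allow step in the post produces an empty module: `USER_AUTH` records are sshd's own report of the authentication outcome, not AVC denial records, and audit2allow builds rules only from AVC messages. Without a denial on record there is nothing to turn into a policy rule, which is why the usual fix for NFS-mounted homes is the policy boolean above (`setsebool -P use_nfs_home_dirs on`) rather than a generated module; that keeps the rest of the policy enforcing instead of switching the whole system to permissive.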


