The SELinux policy introduced in 310fd156f0f0573265ab6c3cc0e04ac8941bd58a is allow sshd_t admin_home_t:file getattr;. This allows sshd to stat any file in /root. I'm not sure how it has any business doing it. I suspect it's a remnant of having the authorized keys script in /root in development.
When installed in /usr/local/bin, as is currently, the script has type bin_t:
# ls -lZ /usr/local/bin/conjur_authorized_keys
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/local/bin/conjur_authorized_keys
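
The comparison made by hand in this report, as an added example (not code from the project): take the target type of an allow rule and check whether any installed file carries that label. It assumes exact type names (no attribute expansion) and the `ls -lZ` column layout shown above; the function names and the second listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag an allow rule whose target type labels none of the
# files a package installs. Types are compared by name only; SELinux
# attributes are not expanded (assumption).

# Print the SELinux type (third colon-separated field) of a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the target type of an "allow <source> <target>:<class> <perms>;" rule.
rule_target_type() {
    printf '%s\n' "$1" | awk '{ split($3, a, ":"); print a[1] }'
}

# Return 0 if the rule's target type labels at least one file in the listing.
# $1 = allow rule, $2 = listing with columns: mode owner group context path
rule_is_used() {
    target=$(rule_target_type "$1")
    printf '%s\n' "$2" | awk -v t="$target" '
        { split($4, c, ":"); if (c[3] == t) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Rule and listing as quoted in the report.
RULE='allow sshd_t admin_home_t:file getattr;'
INSTALLED='-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/local/bin/conjur_authorized_keys'

# Constructed listing: the same script labelled as if it lived under /root.
IN_ROOT='-rwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 /root/example_script'

if rule_is_used "$RULE" "$INSTALLED"; then
    echo "rule target $(rule_target_type "$RULE") matches an installed file"
else
    echo "rule target $(rule_target_type "$RULE") matches no installed file: candidate for removal"
fi
```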