From d8e3a009330b5f1dbdd9e80ea8e70378c455b70b Mon Sep 17 00:00:00 2001
From: Stephen Fromm
Date: Thu, 13 Dec 2012 16:29:40 -0800
Subject: [PATCH] Ensure files created by authorized_key have correct selinux context

Three changes:
* Add set_default_selinux_context() to module_common that sets a file's context according to the defaults in the policy
* In atomic_replace(), set the default context for the file if selinux is enabled and the destination file does not exist.
* In authorized_key, set the default context when creating $HOME/.ssh and $HOME/.ssh/authorized_keys. If these already exist, this won't touch them.
---
 authorized_key | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/authorized_key b/authorized_key
index 7e1df6702db..0ef2cea82da 100644
--- a/authorized_key
+++ b/authorized_key
@@ -97,6 +97,8 @@ def keyfile(module, user, write=False):
     if not os.path.exists(sshdir):
         os.mkdir(sshdir, 0700)
+        if module.selinux_enabled():
+            module.set_default_selinux_context(sshdir, False)
     os.chown(sshdir, uid, gid)
     os.chmod(sshdir, 0700)
@@ -105,6 +107,8 @@ def keyfile(module, user, write=False):
             f = open(keysfile, "w") #touches file so we can set ownership and perms
         finally:
             f.close()
+        if module.selinux_enabled():
+            module.set_default_selinux_context(keysfile, False)
         os.chown(keysfile, uid, gid)
         os.chmod(keysfile, 0600)
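Review bot: In both hunks the new `module.set_default_selinux_context(...)` call runs before the `os.chown`/`os.chmod` lines that follow it, so if the helper raises (its error handling is not on this page) the just-created `sshdir` or `keysfile` is left with umask-derived permissions and the creating process as owner; moving the two added lines below the `os.chmod(...)` line in each hunk keeps ownership and mode set regardless of the relabel outcome. In the second hunk the call is also not visibly gated on the file having just been created: the first hunk sits inside `if not os.path.exists(sshdir):`, whereas the condition enclosing the `try`/`finally` around `open(keysfile, "w")` starts outside the hunk, so confirm it is an existence check as the commit message ("won't touch them") implies, otherwise an existing authorized_keys is relabelled on every write. The positional `False` gives the reader no hint what it controls; a one-line comment naming that argument, e.g. `# newly created path: apply the policy's default label (second arg = <meaning of flag>)`, would help. keyfile's body begins and ends outside both hunks.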