Hello,
I was configuring my architecture with CoreOS, SystemD services, and Quadlet, but SELinux stopped me. I want to generate keys directly on the Host via ssh-keygen from a SystemD service, but SELinux doesn’t allow it.
I found a workaround by generating the command in a temporary container, but I’d like to know if anyone has an idea why there are restrictions on the ssh-keygen command when all I’m trying to do is generate a key pair?
$ runcon system_u:system_r:initrc_t:s0 ssh-keygen
runcon: ‘ssh-keygen’: Permission denied
$ stat /usr/bin/ssh-keygen
Context: system_u:object_r:ssh_keygen_exec_t:s0
$ runcon system_u:system_r:unconfined_t:s0 ssh-keygen
Generating public/private ed25519 key pair.
I know I could modify SELinux to get it to work directly via SystemD, but without understanding the reason for the restriction, I preferred not to touch it.
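Added example, not part of the original post: before touching policy, the usual first step for a denial like the one above is to read the AVC record the kernel logged and turn it into a concrete policy query. The script below defines a small summariser for AVC lines and a helper that builds the matching sesearch query. The audit line it runs on is a constructed sample in the kernel's AVC format (pid, inode, device and the denied permission are placeholders), not the poster's real audit log; on a real host you would feed it the output of ausearch instead.

```shell
#!/bin/sh
# Added example (not the poster's code): reduce SELinux AVC denials to the
# four facts that matter for a policy question, then build the sesearch query.
#
# On a real host:  ausearch -m AVC -ts recent | avc_summary
# Here we use a CONSTRUCTED sample line instead, so the script runs offline.

# Print one line per denial: "denied <perms> on <tclass>: <source type> -> <target type>"
avc_summary() {
    awk '
    /avc: *denied/ {
        perm = ""; tclass = ""; sctx = ""; tctx = "";
        # permissions are listed inside braces, e.g. "{ execute }"
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2);
            gsub(/^ +| +$/, "", perm);
        }
        # key=value fields carry the source/target contexts and object class
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "scontext") sctx = kv[2];
            if (kv[1] == "tcontext") tctx = kv[2];
            if (kv[1] == "tclass")   tclass = kv[2];
        }
        # a context is user:role:type:level; the type is the third field
        split(sctx, s, ":"); split(tctx, t, ":");
        printf "denied %s on %s: %s -> %s\n", perm, tclass, s[3], t[3];
    }'
}

# Build the setools query that answers "does any allow rule grant this?"
# Arguments: source type, target type, object class, permission.
sesearch_cmd() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$1" "$2" "$3" "$4"
}

# CONSTRUCTED sample AVC record; placeholder pid/ino/dev and permission.
SAMPLE_AVC='type=AVC msg=audit(1700000000.000:1): avc:  denied  { execute } for  pid=4242 comm="runcon" name="ssh-keygen" dev="vda4" ino=1 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file permissive=0'

# Demonstration: summarise the sample and print the follow-up query.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
sesearch_cmd initrc_t ssh_keygen_exec_t file execute
```

With a real denial in hand, `sesearch -A` (from setools) shows whether an allow rule exists for that source/target/class/permission, and `audit2why` explains the denial in policy terms; both are far more reliable than guessing from the "Permission denied" message alone.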