From: Alexander Miroshnichenko
To: selinux-refpolicy@vger.kernel.org
Cc: Alexander Miroshnichenko
Subject: [PATCH v2 2/2] ssh: Add interface ssh_search_dir
Date: Thu, 20 Jun 2019 17:41:38 +0300
Message-Id: <20190620144138.15172-3-alex@millerson.name>
In-Reply-To: <20190620144138.15172-1-alex@millerson.name>
References: <20190620144138.15172-1-alex@millerson.name>

Create interface ssh_search_dir to allow ssh_server to search for keys in a non-standard location.

Signed-off-by: Alexander Miroshnichenko
---
 policy/modules/services/ssh.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 0941f133711e..51c64ded00c4 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -680,6 +680,24 @@ interface(`ssh_agent_exec',` can_exec($1, ssh_agent_exec_t) ') +######################################## +## +## Search for keys in non-standard location +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_search_dir',` + gen_require(` + type sshd_t; + ') + + allow sshd_t $1:dir search_dir_perms; +') + ######################################## ## ## Read ssh home directory content -- 2.21.0
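Review bot: the parameter documentation of the new `ssh_search_dir` interface contradicts the rule it wraps. The rule is `allow sshd_t $1:dir search_dir_perms;`, so `$1` is the directory type being searched (the object) and `sshd_t` is the fixed subject, yet the parameter is described as "Domain allowed access.", the wording used when `$1` is the calling domain. Describe it instead as something like "Type of the directory sshd is allowed to search." and reword the summary to say that it allows sshd to search the given directory type, so callers do not pass a process domain here. Note also that `search_dir_perms` only lets sshd traverse the directory; reading the key files inside it needs a separate file-read rule (presumably the other patch of this v2 series), and the summary should say so, so the two are applied together.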