From: Alexander Miroshnichenko
To: Dominick Grift
Subject: Re: [PATCH v2 2/2] ssh: Add interface ssh_search_dir
Date: Thu, 20 Jun 2019 18:05:57 +0300
Message-ID: <642ea6d9-97c9-4ec4-a7ed-84995a953b48@millerson.name>
In-Reply-To: <20190620145011.GC2647@brutus.lan>
References: <20190620144138.15172-1-alex@millerson.name> <20190620144138.15172-3-alex@millerson.name> <20190620145011.GC2647@brutus.lan>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thursday, 20 June 2019 17:50:11 MSK, Dominick Grift wrote:
> On Thu, Jun 20, 2019 at 05:41:38PM +0300, Alexander Miroshnichenko wrote:
>> Create interface ssh_search_dir to allow ssh_server search for keys in non-standard location.
>>
>> Signed-off-by: Alexander Miroshnichenko
>> ---
>> policy/modules/services/ssh.if | 18 ++++++++++++++++++
>> 1 file changed, 18 insertions(+)
>>
>> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
>> index 0941f133711e..51c64ded00c4 100644
>> --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if
>> @@ -680,6 +680,24 @@ interface(`ssh_agent_exec',`
>> 	can_exec($1, ssh_agent_exec_t)
>> ')
>>
>> +########################################
>> +##
>> +## Search for keys in non-standard location
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`ssh_search_dir',`
>> + gen_require(`
>> + type sshd_t;
>> + ')
>> +
>> +	allow sshd_t $1:dir search_dir_perms;
>
> This is generally not allowed. The caller should generally be the source.
> Regardless of the above, keys should be in user home
> directories. I wonder what specific scenario prompted you to
> propose this interface?

Git hosting software like gitolite/gitosis/gitea manages users' ssh keys and stores them in its own location, like /var/lib/gitolite/.ssh.
/var/lib/gitolite has the gitosis_var_lib_t type, and /var/lib/gitolite/.ssh has the gitosis_ssh_home_t type (in a patched policy which I want to submit).
If sshd does not have { search getattr } permissions on the full path to the ssh key, the user fails to log in.
Can you propose a correct way to give such permissions to multiple policies?
It is incorrect to label /var/lib/gitolite as user_home_dir_t type, IMHO.

>> +')
>> +
>> ########################################
>> ##
>> ##	Read ssh home directory content
...
>
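Review bot: the parameter description in the new `ssh_search_dir` block ("Domain allowed access.") does not match the body: `$1` is the target of `allow sshd_t $1:dir search_dir_perms;`, so it is a directory type, not a domain, and the doc (and ideally the interface name) should say that sshd_t is the subject. More importantly, hard-coding sshd_t as the source and taking the target type from the caller inverts the refpolicy convention the reply above points at: the module that owns the directory type (gitosis here) normally exposes an interface whose `$1` is the calling domain, and ssh.te calls that interface for sshd_t. That keeps the grant visible in the module that owns the type and avoids giving every caller of ssh.if a way to extend sshd_t's access to arbitrary dir types.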
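The conventional refpolicy direction for the grant the reply asks about, as an added illustration that is not part of the patch or of refpolicy itself: the module owning the directory types (gitosis) exposes an interface whose `$1` is the calling domain, and ssh.te calls it for sshd_t. The interface name `gitosis_search_ssh_home` is hypothetical; the types gitosis_var_lib_t and gitosis_ssh_home_t are the ones named in the message.

```selinux
## policy/modules/services/gitosis.if (hypothetical addition, not refpolicy's own)
########################################
## <summary>
##	Search the gitosis library directory and the
##	ssh home directory it contains (for authorized key lookup).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gitosis_search_ssh_home',`
	gen_require(`
		type gitosis_var_lib_t, gitosis_ssh_home_t;
	')

	# The caller ($1) is the subject; the owning module names its own types,
	# so the grant stays in gitosis.if rather than in the ssh module.
	allow $1 gitosis_var_lib_t:dir search_dir_perms;
	allow $1 gitosis_ssh_home_t:dir search_dir_perms;
')

## policy/modules/services/ssh.te (hypothetical addition)
## sshd_t asks the gitosis module for search access; the rule is only
## compiled in when the gitosis module is present.
optional_policy(`
	gitosis_search_ssh_home(sshd_t)
')
```

Reading the key file itself still needs a separate file-level grant in the gitosis module; this fragment covers only the path search the message describes.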