From: Alexander Miroshnichenko
To: Dominick Grift
Subject: Re: [PATCH v2 2/2] ssh: Add interface ssh_search_dir
Date: Thu, 20 Jun 2019 18:38:10 +0300
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thursday, 20 June 2019, 18:27:31 MSK, Dominick Grift wrote:
> On Thu, Jun 20, 2019 at 06:05:57PM +0300, Alexander Miroshnichenko wrote:
>> On Thursday, 20 June 2019, 17:50:11 MSK, Dominick Grift wrote:
...
>
> Yes this sucks. I would probably do the following instead:
>
> 1. echo "ignoredirs=/var/lib/gitolite" >> /etc/selinux/semanage.conf
> 2. semodule -B && restorecon -RvF /var/lib/gitolite
> 3. gitosis_read_lib_files(sshd_t)

I can't use sshd_t in another policy without a require statement. Or I need to add gitosis_read_lib_files(sshd_t) to the ssh.te policy file.
All 3 steps are ugly compared with the new ssh_search_dir() interface. Why such a restriction, where the caller must be the source for the interface? It is not flexible.

> Don't bother with labeling /var/lib/gitolite/.ssh differently
>
>> ...
>
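The two approaches under discussion, side by side, as an added illustration that is not part of the thread or the patch: the body of ssh_search_dir is an assumption reconstructed from the description above (sshd_t as the source domain, the caller's directory type as the target), and the gitolite module shown is hypothetical, as is its name.

```m4
## Added illustration, not taken from the patch or the thread.
##
## Assumed shape of the proposed interface (ssh.if): the caller passes a
## directory type, and sshd_t, not the caller, is the source of the rule.
## This is the inversion objected to above: refpolicy convention expects
## $1 to be the domain performing the access, so the interface lives in
## ssh.if purely so that sshd_t is in scope without a require block.
########################################
## <summary>
##	Allow sshd to search the specified directory type.
## </summary>
## <param name="type">
##	<summary>
##	Type of the directory sshd may search.
##	</summary>
## </param>
#
interface(`ssh_search_dir',`
	gen_require(`
		type sshd_t;
	')

	allow sshd_t $1:dir search_dir_perms;
')

## The alternative from steps 2-3 above, written into a hypothetical
## gitolite module (gitolite.te). sshd_t is declared in ssh.te, so it is
## only visible here through an explicit gen_require; without that block
## the module fails to build, which is the objection raised in the reply.
policy_module(gitolite, 1.0.0)

gen_require(`
	type sshd_t;
')

# gitosis_read_lib_files is an existing gitosis.if interface, called
# here with sshd_t as the acting domain (the conventional direction).
gitosis_read_lib_files(sshd_t)
```

Either form grants sshd_t the same access; the difference is only which module carries the dependency on sshd_t, and with the interface form that dependency stays inside the ssh module that defines the type.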