From: Dominick Grift
To: selinux-refpolicy@vger.kernel.org
Cc: Dominick Grift
Subject: [RFC] ssh: remove unconfined_shell_domtrans(sshd_t)
Date: Sat, 31 Aug 2019 19:27:13 +0200
Message-Id: <20190831172713.140005-1-dac.override@gmail.com>
X-Mailer: git-send-email 2.23.0

This call allows sshd_t associated processes to run a shell with an automatic domain transition to unconfined_t.

I was unable to make sense of the commit that added this:
https://github.com/SELinuxProject/refpolicy/commit/708aab13932bb8830a2d37850cc0a5c72a5d4df4

Debian's motd dynamic pam module makes sshd run a shell; we want this shell to run with sshd_t instead of unconfined_t.

This patch will make the ssh_sysadm_login boolean apply to unconfined ssh logins. To me this makes sense, as unconfined_t is the targeted equivalent of the strict sysadm_t. The boolean could however be renamed to the more generic ssh_priv_login name.

Signed-off-by: Dominick Grift
---
 policy/modules/services/ssh.te | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 4e75b6e1..a99ad912 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -328,10 +328,6 @@ optional_policy(` systemd_dbus_chat_logind(sshd_t) ') -optional_policy(` - unconfined_shell_domtrans(sshd_t) -') - optional_policy(` xserver_domtrans_xauth(sshd_t) xserver_link_xdm_keys(sshd_t) -- 2.23.0
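Review bot: the hunk only deletes the optional_policy block calling unconfined_shell_domtrans(sshd_t), yet the commit message says the ssh_sysadm_login boolean will now apply to unconfined ssh logins; nothing in the diff touches that boolean, so the effect relies on existing code elsewhere in ssh.te that is not shown. Please name that code in the message so reviewers can confirm the dependency, and state the user-visible change explicitly: after this, a shell spawned by sshd_t (the Debian motd pam case) stays in sshd_t, and an unconfined user who relied on the automatic transition to unconfined_t for a privileged login now needs ssh_sysadm_login enabled.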
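A defender's check for the behaviour this patch changes, written as an added example that is not part of the refpolicy patch or of Dominick Grift's code: it parses `sesearch -T` output (setools; the line format `type_transition SRC TGT:CLASS RESULT;` is assumed) to tell whether sshd_t still auto-transitions to unconfined_t when it executes a shell, using constructed before/after samples, and can query the loaded policy when sesearch is installed.

```python
"""Does sshd_t still auto-transition to unconfined_t on shell exec?

Added example, not refpolicy code. Parses setools `sesearch -T` output
(assumed format: `type_transition SRC TGT:CLASS RESULT;`).
"""
import re
import shutil
import subprocess

# Constructed samples: with unconfined_shell_domtrans(sshd_t) present the
# policy carries a type_transition to unconfined_t; after the patch it is gone.
BEFORE_PATCH = "type_transition sshd_t shell_exec_t:process unconfined_t;\n"
AFTER_PATCH = ""  # no type_transition rule for sshd_t executing shell_exec_t

_RULE = re.compile(
    r"^type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<res>[^;\s]+);"
)


def parse_type_transitions(output):
    """Return (src, tgt, cls, result) tuples found in sesearch -T output."""
    rules = []
    for line in output.splitlines():
        m = _RULE.match(line.strip())
        if m:
            rules.append((m["src"], m["tgt"], m["cls"], m["res"]))
    return rules


def shell_transition_target(output, src="sshd_t", tgt="shell_exec_t"):
    """Domain SRC lands in when executing TGT, or None if it stays in SRC."""
    for s, t, cls, res in parse_type_transitions(output):
        if s == src and t == tgt and cls == "process":
            return res
    return None


def query_loaded_policy(src="sshd_t", tgt="shell_exec_t"):
    """Ask sesearch about the running policy; None if setools is not installed."""
    if shutil.which("sesearch") is None:
        return None
    proc = subprocess.run(
        ["sesearch", "-T", "-s", src, "-t", tgt, "-c", "process"],
        capture_output=True, text=True, check=False,
    )
    return shell_transition_target(proc.stdout, src, tgt)


if __name__ == "__main__":
    print("before patch:", shell_transition_target(BEFORE_PATCH))
    print("after patch: ", shell_transition_target(AFTER_PATCH))
    print("loaded policy:", query_loaded_policy())
```

On a system without setools the last line prints None; with it, a value of unconfined_t means the old transition is still in the loaded policy.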