http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
Handle /root/.ssh directory
Lots of other fixes.
On Thu, 2009-11-12 at 17:02 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
>
> Handle /root/.ssh directory
>
>
> Lots of other fixes.
Moved tmpfs to server template to go along with the sem usage.
Since the tunnel support apparently needs net_admin capability, it needs
to be put in a conditional. The capability definitely shouldn't be
allowed in general use.
Dropped home dir changes to the client template. It shouldn't be using
the user's ssh home dir.
Moved the "Required for FreeNX" /var/lib rules into the NX optional.
Otherwise merged.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
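The merge note above asks that net_admin be granted only inside a conditional. As an added example (not code from this thread or from refpolicy), the Python check below flags allow rules that grant a capability outside any tunable_policy block; the sample policy text and the boolean name ssh_tunnel_example are constructed for illustration.

```python
import re

# Constructed refpolicy-style sample. The boolean name ssh_tunnel_example is
# hypothetical and the rules are not taken from the patch under discussion.
SAMPLE_TE = """\
allow sshd_t self:capability { kill sys_chroot net_admin };
allow sshd_t self:process setsched;

tunable_policy(`ssh_tunnel_example',`
    allow sshd_t self:capability net_admin;
    corenet_rw_tun_tap_dev(sshd_t)
')

optional_policy(`
    allow sshd_t self:capability { net_admin sys_nice };
')
"""

# Matches "allow <domain> self:capability <perm or { perm set }>;"
ALLOW_CAP = re.compile(r"\ballow\s+(\S+)\s+self:capability\s+(\{[^}]*\}|\w+)\s*;")


def conditional_spans(text):
    """Return (start, end) offsets of every tunable_policy(...) block."""
    spans = []
    for m in re.finditer(r"\btunable_policy\s*\(", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching ")"
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        spans.append((m.start(), i))
    return spans


def unconditional_grants(text, capability="net_admin"):
    """List (line, domain) for grants of `capability` outside a tunable."""
    text = re.sub(r"#.*", "", text)  # drop comments; line count is preserved
    spans = conditional_spans(text)
    findings = []
    for m in ALLOW_CAP.finditer(text):
        if capability not in m.group(2).strip("{}").split():
            continue
        if any(start <= m.start() < end for start, end in spans):
            continue  # guarded by a boolean, so off unless an admin enables it
        findings.append((text.count("\n", 0, m.start()) + 1, m.group(1)))
    return findings


if __name__ == "__main__":
    for line, domain in unconditional_grants(SAMPLE_TE):
        print(f"line {line}: {domain} is granted net_admin unconditionally")
```

The optional_policy block is reported on purpose: it depends on whether another module is present, not on a boolean an administrator can turn off. Native `if (boolean) { ... }` conditionals are not recognised by this check.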
On 01/15/2010 03:28 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:02 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
>>
>> Handle /root/.ssh directory
>>
>>
>> Lots of other fixes.
>
> Moved tmpfs to server template to go along with the sem usage.
>
> Since the tunnel support apparently needs net_admin capability, it needs
> to be put in a conditional. The capability definitely shouldn't be
> allowed in general use.
>
> Dropped home dir changes to the client template. It shouldn't be using
> the user's ssh home dir.
>
> Moved the "Required for FreeNX" /var/lib rules into the NX optional.
>
> Otherwise merged.
>
You still have places in your ssh.te that use home_ssh_t as opposed to ssh_home_t.
Which should we use?
On Mon, 2010-01-18 at 15:29 -0500, Daniel J Walsh wrote:
> On 01/15/2010 03:28 PM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:02 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
> >> Handle /root/.ssh directory
> >>
> >>
> >> Lots of other fixes.
> >
> > Moved tmpfs to server template to go along with the sem usage.
> >
> > Since the tunnel support apparently needs net_admin capability, it needs
> > to be put in a conditional. The capability definitely shouldn't be
> > allowed in general use.
> >
> > Dropped home dir changes to the client template. It shouldn't be using
> > the user's ssh home dir.
> >
> > Moved the "Required for FreeNX" /var/lib rules into the NX optional.
> >
> > Otherwise merged.
> >
> You still have places in your ssh.te that use home_ssh_t as opposed to ssh_home_t.
>
> Which should we use?
ssh_home_t. I've fixed the usage.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150