2014-01-25 10:43:56

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep

From: Laurent Bigonville <[email protected]>

Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.

Thanks to Russell Coker for this patch
---
policy/modules/services/ssh.fc | 2 ++
policy/modules/services/ssh.te | 1 +
2 files changed, 3 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..8168244 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)

/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)

+/var/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
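Review bot: the first added line, `/var/run/sshd(/.*)?`, carries no file-type field, so it labels the directory and anything created beneath it sshd_var_run_t; that is fine for a privsep directory, which README.privsep requires to be empty and root-owned, but the commit message should state that /var/run/sshd is the Debian privsep path, because this .fc change applies to every distribution while the matching .te rule is wrapped in `ifdef(`distro_debian'`. The separate `/var/run/sshd\.pid` entry is needed because file_contexts regexes are anchored and `/var/run/sshd(/.*)?` does not match `/var/run/sshd.pid`; both new entries keep the alphabetical order around `/var/run/sshd\.init\.pid`.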
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..a19c9f9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -34,6 +34,7 @@ ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)

ifdef(`distro_debian',`
+ allow sshd_t sshd_var_run_t:dir { getattr search };
init_daemon_run_dir(sshd_var_run_t, "sshd")
')

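Review bot: the commit message says this lets sshd_t chroot(2) into the privsep directory, but the only rule added is `allow sshd_t sshd_var_run_t:dir { getattr search };`, and chroot(2) additionally requires `capability sys_chroot` for sshd_t, which this hunk does not grant, so either confirm ssh_server_template() already allows it or add it here. The privsep chroot is standard OpenSSH behaviour rather than a Debian-specific one, so the rule should not live inside `ifdef(`distro_debian'`, and the permission set macro is the idiomatic form: `allow sshd_t sshd_var_run_t:dir search_dir_perms;` (search_dir_perms covers getattr and search).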
--
1.8.5.3


2014-01-25 10:43:57

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/2] Add fcontext for rsyslog pidfile

From: Laurent Bigonville <[email protected]>

---
policy/modules/system/logging.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b50c5fe..740897d 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)

/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
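Review bot: the new `/var/run/rsyslogd\.pid` line breaks the alphabetical ordering of this block (rsyslogd sorts before syslogd), so it belongs above `/var/run/syslogd\.pid`. The hunk header names `ifdef(`distro_redhat',`` as the nearest preceding line and the context does not show where that block closes, so double-check that the entry lands outside the distro_redhat conditional, since rsyslog is the syslog daemon this patch targets on Debian. The `mls_systemhigh` level is consistent with the neighbouring `/var/run/syslogd\.pid` entry.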
--
1.8.5.3

2014-01-27 18:23:02

by cpebenito

Subject: [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep

On 01/25/14 05:43, Laurent Bigonville wrote:
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 30726f2..a19c9f9 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -34,6 +34,7 @@ ssh_server_template(sshd)
> init_daemon_domain(sshd_t, sshd_exec_t)
>
> ifdef(`distro_debian',`
> + allow sshd_t sshd_var_run_t:dir { getattr search };
> init_daemon_run_dir(sshd_var_run_t, "sshd")
> ')

This looks like it should be in ssh_server_template(). Also please use the search_dir_perms permission set.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-01-27 18:24:21

by cpebenito

Subject: [refpolicy] [PATCH 2/2] Add fcontext for rsyslog pidfile

On 01/25/14 05:43, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> policy/modules/system/logging.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index b50c5fe..740897d 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
> /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
> /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
> /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
> +/var/run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
>
> /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
> /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)

This should be added between the metalog.pid and syslogd.pid lines.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-01-27 22:18:35

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep

On Mon, 27 Jan 2014 13:23:02 -0500,
"Christopher J. PeBenito" <[email protected]> wrote:

> On 01/25/14 05:43, Laurent Bigonville wrote:
> > diff --git a/policy/modules/services/ssh.te
> > b/policy/modules/services/ssh.te index 30726f2..a19c9f9 100644
> > --- a/policy/modules/services/ssh.te
> > +++ b/policy/modules/services/ssh.te
> > @@ -34,6 +34,7 @@ ssh_server_template(sshd)
> > init_daemon_domain(sshd_t, sshd_exec_t)
> >
> > ifdef(`distro_debian',`
> > + allow sshd_t sshd_var_run_t:dir { getattr search };
> > init_daemon_run_dir(sshd_var_run_t, "sshd")
> > ')
>
> This looks like it should be in ssh_server_template(). Also please
> use the search_dir_perms permission set.
>

Shouldn't the complete ifdef be moved to this then?

2014-02-01 03:02:27

by cpebenito

Subject: [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep

On 1/27/2014 5:18 PM, Laurent Bigonville wrote:
> On Mon, 27 Jan 2014 13:23:02 -0500,
> "Christopher J. PeBenito" <[email protected]> wrote:
>
>> On 01/25/14 05:43, Laurent Bigonville wrote:
>>> diff --git a/policy/modules/services/ssh.te
>>> b/policy/modules/services/ssh.te index 30726f2..a19c9f9 100644
>>> --- a/policy/modules/services/ssh.te
>>> +++ b/policy/modules/services/ssh.te
>>> @@ -34,6 +34,7 @@ ssh_server_template(sshd)
>>> init_daemon_domain(sshd_t, sshd_exec_t)
>>>
>>> ifdef(`distro_debian',`
>>> + allow sshd_t sshd_var_run_t:dir { getattr search };
>>> init_daemon_run_dir(sshd_var_run_t, "sshd")
>>> ')
>>
>> This looks like it should be in ssh_server_template(). Also please
>> use the search_dir_perms permission set.
>>
>
> Shouldn't the complete ifdef be moved to this then?

The init_daemon_run_dir() pairs up with the sshd_var_run_t declaration inside the ssh_server_template(), so no. However, it should probably move to the end of the declarations block.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com