2010-07-09 14:41:55

by domg472

Subject: [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 ef3f32d... 1a59f6a... M policy/modules/services/ssh.if
:100644 100644 512834a... afbe9ac... M policy/modules/services/ssh.te
policy/modules/services/ssh.if | 4 +++-
policy/modules/services/ssh.te | 1 -
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index ef3f32d..1a59f6a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`

type $1_ssh_t;
application_domain($1_ssh_t, ssh_exec_t)
+ ubac_constrained($1_ssh_t)
+
role $3 types $1_ssh_t;

type $1_ssh_home_t;
- files_type($1_ssh_home_t)
typealias $1_ssh_home_t alias $1_home_ssh_t;
+ userdom_user_home_content($1_ssh_home_t)

##############################
#
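Review bot: ubac_constrained($1_ssh_t) and userdom_user_home_content($1_ssh_home_t) are applied unconditionally inside ssh_basic_client_template, yet nothing in the template ties $1 or $3 to a user domain, so any caller that instantiates an ssh client for a non-interactive system process would have its client domain UBAC-constrained and its $1_ssh_home_t treated as user home content. If the template is meant for user agents only, say so in its interface documentation above the template; otherwise leave those two calls to the callers that are user domains and keep `files_type($1_ssh_home_t)` here so that $1_ssh_home_t retains its file type attribute for callers that never apply userdom_user_home_content.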
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 512834a..afbe9ac 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -74,7 +74,6 @@ ubac_constrained(ssh_tmpfs_t)
type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
-files_type(ssh_home_t)
userdom_user_home_content(ssh_home_t)

##############################
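Review bot: dropping `files_type(ssh_home_t)` while keeping `userdom_user_home_content(ssh_home_t)` is only a no-op if userdom_user_home_content itself applies files_type to its argument; confirm that in userdom.if before merging, because otherwise ssh_home_t would fall out of the file_type attribute and the generic rules written against that attribute would no longer cover ~/.ssh content. If it is redundant, the commit message should describe this hunk as a redundancy cleanup rather than a fix, since it changes no access.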
--
1.7.1.1



2010-07-12 18:14:56

by cpebenito

Subject: [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.

On 07/09/10 10:41, Dominick Grift wrote:
> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 ef3f32d... 1a59f6a... M policy/modules/services/ssh.if
> :100644 100644 512834a... afbe9ac... M policy/modules/services/ssh.te
> policy/modules/services/ssh.if | 4 +++-
> policy/modules/services/ssh.te | 1 -
> 2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index ef3f32d..1a59f6a 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`
>
> type $1_ssh_t;
> application_domain($1_ssh_t, ssh_exec_t)
> + ubac_constrained($1_ssh_t)
> +
> role $3 types $1_ssh_t;
>
> type $1_ssh_home_t;
> - files_type($1_ssh_home_t)
> typealias $1_ssh_home_t alias $1_home_ssh_t;
> + userdom_user_home_content($1_ssh_home_t)
>
> ##############################
> #

I don't think we actually want this change. The template isn't meant to
be used by users; they use ssh_t.

> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 512834a..afbe9ac 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -74,7 +74,6 @@ ubac_constrained(ssh_tmpfs_t)
> type ssh_home_t;
> typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
> typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
> -files_type(ssh_home_t)
> userdom_user_home_content(ssh_home_t)
>
> ##############################

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-07-12 19:32:22

by domg472

Subject: [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.

On 07/12/2010 08:14 PM, Christopher J. PeBenito wrote:
> On 07/09/10 10:41, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift<[email protected]>
>> ---
>> :100644 100644 ef3f32d... 1a59f6a... M policy/modules/services/ssh.if
>> :100644 100644 512834a... afbe9ac... M policy/modules/services/ssh.te
>> policy/modules/services/ssh.if | 4 +++-
>> policy/modules/services/ssh.te | 1 -
>> 2 files changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/policy/modules/services/ssh.if
>> b/policy/modules/services/ssh.if
>> index ef3f32d..1a59f6a 100644
>> --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if
>> @@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`
>>
>> type $1_ssh_t;
>> application_domain($1_ssh_t, ssh_exec_t)
>> + ubac_constrained($1_ssh_t)
>> +
>> role $3 types $1_ssh_t;
>>
>> type $1_ssh_home_t;
>> - files_type($1_ssh_home_t)
>> typealias $1_ssh_home_t alias $1_home_ssh_t;
>> + userdom_user_home_content($1_ssh_home_t)
>>
>> ##############################
>> #
>
> I don't think we actually want this change. The template isn't meant to
> be used by users; they use ssh_t.
>

Is this not a template for the ssh client application? Is that not a user
agent? Should user agents not be ubac_constrained?

Is $1_ssh_home_t not userdom_user_home_content, however you look at it?


2010-07-19 17:40:34

by cpebenito

Subject: [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.

On 07/12/10 15:32, Dominick Grift wrote:
> On 07/12/2010 08:14 PM, Christopher J. PeBenito wrote:
>> On 07/09/10 10:41, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift<[email protected]>
>>> ---
>>> :100644 100644 ef3f32d... 1a59f6a... M policy/modules/services/ssh.if
>>> :100644 100644 512834a... afbe9ac... M policy/modules/services/ssh.te
>>> policy/modules/services/ssh.if | 4 +++-
>>> policy/modules/services/ssh.te | 1 -
>>> 2 files changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/policy/modules/services/ssh.if
>>> b/policy/modules/services/ssh.if
>>> index ef3f32d..1a59f6a 100644
>>> --- a/policy/modules/services/ssh.if
>>> +++ b/policy/modules/services/ssh.if
>>> @@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`
>>>
>>> type $1_ssh_t;
>>> application_domain($1_ssh_t, ssh_exec_t)
>>> + ubac_constrained($1_ssh_t)
>>> +
>>> role $3 types $1_ssh_t;
>>>
>>> type $1_ssh_home_t;
>>> - files_type($1_ssh_home_t)
>>> typealias $1_ssh_home_t alias $1_home_ssh_t;
>>> + userdom_user_home_content($1_ssh_home_t)
>>>
>>> ##############################
>>> #
>>
>> I don't think we actually want this change. The template isn't meant to
>> be used by users; they use ssh_t.
>>
>
> Is this not a template for ssh client application?

Yes, but not necessarily for users. This could be used for an automated
process run out of cron to just scp a file from this machine over to
another one (eg. a poor man's backup).

> Is that not a user
> agent? Should user agents not be ubac_constrained?

They should.

> Is $1_ssh_home_t not userdom_user_home_content. However you look at it?

No, it would only be if this is for users.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
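To make the distinction in this exchange concrete, here is an added example of a non-user caller of ssh_basic_client_template; it is constructed for this thread and is not code from the patch or from refpolicy. It assumes the template's parameter order is prefix, calling domain, role (the hunk shows only $1 as the prefix and $3 as the role), and every backup_* name is made up. cron_system_entry is the refpolicy cron interface for a job run from the system crontab.

```selinux
# Hypothetical module: a cron job that copies files off-host with scp.
# (Constructed example; backup_* names are not in refpolicy.)
policy_module(backup_scp, 1.0.0)

########################################
#
# Declarations
#

# The job is a system process, not a user agent. It runs from the system
# crontab in role system_r, which policy_module already requires.
type backup_t;
type backup_exec_t;
cron_system_entry(backup_t, backup_exec_t)

# Instantiates backup_ssh_t and backup_ssh_home_t for the job.
# Assumed parameter order: prefix, calling domain, role.
ssh_basic_client_template(backup, backup_t, system_r)

# Before the patch the template marked backup_ssh_home_t with
# files_type() only, which is correct here: this caller deliberately
# applies neither ubac_constrained(backup_ssh_t) nor
# userdom_user_home_content(backup_ssh_home_t), because neither type
# belongs to a user. With the patch as posted, the template would make
# both decisions for every caller, this one included.

########################################
#
# For comparison, a per-user caller (a separate, equally hypothetical
# module) is where those two calls belong, applied by the caller:
#
#   ssh_basic_client_template(myuser, myuser_t, myuser_r)
#   ubac_constrained(myuser_ssh_t)
#   userdom_user_home_content(myuser_ssh_home_t)
#
# Keeping the calls on the caller side lets one template serve both the
# user-agent case and the cron-driven backup case without over-constraining
# the latter.
```

Which side applies the user-specific attributes is the whole disagreement in the thread; the example only shows what the cron case looks like when the template stays neutral.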