2011-12-28 19:34:37

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/2] Have mkhomedir_helper working for sshd

The next two patches allow SSHd (through PAM) to create home dirs when new
users log on to the system (as is used on larger environments with
centralized authentication services).

The necessary services (interfaces) for this are already available in the
reference policy through the oddjob module. All we need to do is have sshd
be able to domtrans to the proper oddjob domain and mark the
mkhomedir_helper as a proper entry point.

Wkr,
Sven Vermeulen


2011-12-28 19:35:28

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/2] Mark mkhomedir_helper as oddjob_mkhomedir_exec_t

The mkhomedir_helper application (part of the PAM distribution) is here marked as an oddjob_mkhomedir_exec_t type so that
calls from applications that have oddjob_mkhomedir_domtrans() rights (or _run()) succeed in the correct domain.

Signed-off-by: Sven Vermeulen <[email protected]>
---
oddjob.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/oddjob.fc b/oddjob.fc
index bdf8c89..734253e 100644
--- a/oddjob.fc
+++ b/oddjob.fc
@@ -2,4 +2,6 @@

/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)

+/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
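Review bot: the file-context path for this patch is relative to the module directory (`a/oddjob.fc`), whereas the companion patch uses a repository-root path (`policy/modules/services/ssh.te`); applying the series from the repository root would need the first patch's paths adjusted (e.g. `policy/modules/services/oddjob.fc`) or `git am --directory` used, so please regenerate it with consistent paths. Also consider whether `/usr/sbin/mkhomedir_helper` should be labelled alongside `/sbin/mkhomedir_helper`, as the existing `/usr/sbin/oddjobd` entry above shows the module already labelling binaries under `/usr/sbin`; a helper installed there would otherwise stay at the default type and the transition the cover letter describes would not occur.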
--
1.7.3.4

2011-12-28 19:36:03

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/2] sshd can call mkhomedir when a new user logs on

These services are offered through the oddjob module.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/ssh.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 3f1dc47..83d44e2 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -269,6 +269,10 @@ optional_policy(`
')

optional_policy(`
+ oddjob_domtrans_mkhomedir(sshd_t)
+')
+
+optional_policy(`
rpm_use_script_fds(sshd_t)
')

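Review bot: the interface called here, `oddjob_domtrans_mkhomedir(sshd_t)`, does not match the name given in the 1/2 commit message (`oddjob_mkhomedir_domtrans()` / `_run()`); please confirm which name is defined in oddjob.if so the commit message and the call agree. The one-line commit message ("These services are offered through the oddjob module.") should also state the reason for the rule, namely that sshd_t, via pam_mkhomedir, executes mkhomedir_helper and must transition into the oddjob mkhomedir domain rather than run it in sshd_t. The placement of the new `optional_policy` block before the `rpm_use_script_fds` block keeps the module-alphabetical ordering, which is fine.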
--
1.7.3.4

2012-01-04 13:14:49

by cpebenito

Subject: [refpolicy] [PATCH 0/2] Have mkhomedir_helper working for sshd

On 12/28/11 14:34, Sven Vermeulen wrote:
> The next two patches allow SSHd (through PAM) to create home dirs when new
> users log on to the system (as is used on larger environments with
> centralized authentication services).
>
> The necessary services (interfaces) for this are already available in the
> reference policy through the oddjob module. All we need to do is have sshd
> be able to domtrans to the proper oddjob domain and mark the
> mkhomedir_helper as a proper entry point.

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com