2013-09-24 13:39:35

by dominick.grift

Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/ssh.if | 2 +-
policy/modules/services/ssh.te | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..78ce711 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -183,7 +183,7 @@ template(`ssh_server_template', `

allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+ allow $1_t self:process { signal getcap getsched setcap setsched setrlimit setexec setkeycreate };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
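Review bot: the new `getcap setcap` process permissions land in `ssh_server_template`, so every domain instantiated from the template receives them, while the subject describes a behaviour of Debian's sshd; if only sshd_t needs it, grant `allow sshd_t self:process { getcap setcap };` in ssh.te instead, and in either case the commit message should record which sshd code path gets and sets process capabilities so the rule can be re-verified later. This hunk and the ssh.te hunk are also two unrelated changes bundled under a double subject line; they would be easier to review and to revert as two patches.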
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index eada65c..cbdfac7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',`
')

optional_policy(`
+ avahi_stream_connect(sshd_t)
+')
+
+optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')

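Review bot: `avahi_stream_connect(sshd_t)` likely duplicates access sshd_t already has: the follow-ups in this thread note that sshd_t is already an nsswitch_domain via auth_use_pam and auth_login_pgm_domain, and that the connection to avahi comes from libnss-mdns being listed on the hosts line of nsswitch.conf rather than from sshd itself. Confirm the denial still reproduces with that nsswitch access in place before adding a direct rule; if it does, the fix belongs in the nsswitch interface so every resolver-using domain benefits, not in ssh.te. The new `optional_policy` block is otherwise correctly placed, ordered before the daemontools block.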
--
1.8.3.1


2013-09-26 13:08:52

by cpebenito

Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian

On Tue 24 Sep 2013 09:39:35 AM EDT, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/ssh.if | 2 +-
> policy/modules/services/ssh.te | 4 ++++
> 2 files changed, 5 insertions(+), 1 deletion(-)
[...]
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index eada65c..cbdfac7 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',`
> ')
>
> optional_policy(`
> + avahi_stream_connect(sshd_t)
> +')

Shouldn't this already be allowed by being a nsswitch_domain?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-09-26 13:16:06

by dominick.grift

Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian

On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
> On Tue 24 Sep 2013 09:39:35 AM EDT, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/services/ssh.if | 2 +-
> > policy/modules/services/ssh.te | 4 ++++
> > 2 files changed, 5 insertions(+), 1 deletion(-)
> [...]
> > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> > index eada65c..cbdfac7 100644
> > --- a/policy/modules/services/ssh.te
> > +++ b/policy/modules/services/ssh.te
> > @@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',`
> > ')
> >
> > optional_policy(`
> > + avahi_stream_connect(sshd_t)
> > +')
>
> Shouldn't this already be allowed by being a nsswitch_domain?

Good point.

However, I am not able to confirm that sshd needs nsswitch support.
Also, Fedora has not made sshd, or ssh server domains, nsswitch domains.

Therefore I suggest we allow this for now, and then if we later
determine that sshd and ssh server domains need full nsswitch support,
we change that then instead.


2013-09-26 15:07:28

by Laurent Bigonville

Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian

On Thu, 26 Sep 2013 15:16:06 +0200,
Dominick Grift <[email protected]> wrote:

> On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
[...]
> > Shouldn't this already be allowed by being a nsswitch_domain?
>
> Good point
>
> However, I am not able to confirm that sshd needs nsswitch support.
> Also, Fedora has not made sshd, or ssh server domains, nsswitch domains.
>
> Therefore I suggest we allow this for now, and then if we later
> determine that sshd and ssh server domains need full nsswitch support,
> we change that then instead.

I've the feeling that sshd is trying to connect to avahi due to the
following configuration in nsswitch.conf:

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

This is not the default configuration, but it is automatically added
when the libnss-mdns package is installed (this package might be pulled
in by the "desktop" task/metapackage).

my 2¢

Laurent Bigonville
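The nsswitch.conf mechanism Laurent points at, as an added example that is not part of the thread: a small parser for the nsswitch.conf source chain, including `[STATUS=action]` specifiers, so one can see that a hosts lookup made by sshd reaches the mdns modules (and through them avahi-daemon) before dns is ever consulted. The sample file, and the names `parse_nsswitch` and `mdns_sources`, are constructed for this example.

```python
"""Report which NSS sources a daemon's name lookups pass through.

Explains the thread's AVC: sshd never speaks mDNS itself, but libnss-mdns
inserts mdns4_minimal into the 'hosts' line, so each gethostbyaddr()/
getaddrinfo() call made in sshd_t runs that module, which talks to
avahi-daemon over its Unix socket, before dns is tried.
"""
import re

# Constructed sample; the hosts line is the one quoted in the thread.
SAMPLE_NSSWITCH = """\
passwd:   files
group:    files
# libnss-mdns drops this into place when the package is installed:
hosts:    files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
"""

# A token is either a bracketed action list or a bare source name.
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action, ...}), ...]}.

    Action specifiers such as [NOTFOUND=return] attach to the source that
    precedes them; a specifier with no preceding source is ignored, as glibc
    does.  Status names are normalised to upper case (glibc is case-insensitive).
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        entries = []
        for tok in TOKEN_RE.findall(rest):
            if tok.startswith("[") and tok.endswith("]"):
                if not entries:
                    continue
                _, actions = entries[-1]
                for pair in tok[1:-1].split():
                    status, _, action = pair.partition("=")
                    actions[status.upper()] = action.lower()
            else:
                entries.append((tok, {}))
        databases[name.strip()] = entries
    return databases


def mdns_sources(text):
    """Sources on the hosts line that hand lookups to nss-mdns (avahi-daemon)."""
    hosts = parse_nsswitch(text).get("hosts", [])
    return [src for src, _ in hosts if src.startswith("mdns")]
```

Running `mdns_sources` over a host's real `/etc/nsswitch.conf` tells you whether an avahi connection from a confined daemon is resolver-driven, in which case the policy fix belongs with the nsswitch access rather than in that daemon's module.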

2013-09-26 15:19:35

by dominick.grift

Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian

On Thu, 2013-09-26 at 17:07 +0200, Laurent Bigonville wrote:
> On Thu, 26 Sep 2013 15:16:06 +0200,
> Dominick Grift <[email protected]> wrote:
>
> > On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
> [...]
> > > Shouldn't this already be allowed by being a nsswitch_domain?
> >
> > Good point
> >
> > However, I am not able to confirm that sshd needs nsswitch support.
> > Also, Fedora has not made sshd, or ssh server domains, nsswitch domains.
> >
> > Therefore I suggest we allow this for now, and then if we later
> > determine that sshd and ssh server domains need full nsswitch support,
> > we change that then instead.
>
> I've the feeling that sshd is trying to connect to avahi due to the
> following configuration in nsswitch.conf:
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
>
> This is not the default configuration, but it is automatically added
> when the libnss-mdns package is installed (this package might be pulled
> in by the "desktop" task/metapackage).
>
> my 2¢
>

Yes, please ignore this for now. I need to dig a little deeper into this
first.

It seems sshd_t is already an nsswitch_domain by auth_use_pam and
auth_login_pgm_domain.

> Laurent Bigonville