From: Laurent Bigonville <[email protected]>
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.
Thanks to Russell Coker for this patch
---
policy/modules/services/ssh.fc | 2 ++
policy/modules/services/ssh.if | 1 +
2 files changed, 3 insertions(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..8168244 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+/var/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..48eb1c8 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -196,6 +196,7 @@ template(`ssh_server_template', `
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+ allow $1_t $1_var_run_t:dir search_dir_perms;
allow $1_t $1_var_run_t:file manage_file_perms;
files_pid_filetrans($1_t, $1_var_run_t, file)
--
1.9.rc1
From: Laurent Bigonville <[email protected]>
---
policy/modules/services/ssh.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..70bad35 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -33,10 +33,6 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
-ifdef(`distro_debian',`
- init_daemon_run_dir(sshd_var_run_t, "sshd")
-')
-
type sshd_key_t;
files_type(sshd_key_t)
@@ -81,6 +77,10 @@ userdom_user_home_content(ssh_home_t)
type sshd_keytab_t;
files_type(sshd_keytab_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(sshd_var_run_t, "sshd")
+')
+
##############################
#
# SSH client local policy
--
1.9.rc1
Le Wed, 5 Feb 2014 22:23:31 +0100,
Laurent Bigonville <[email protected]> a ?crit :
[...]
diff --git
> a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index fe0c682..48eb1c8 100644 --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if @@ -196,6 +196,7 @@
> template(`ssh_server_template', ` manage_files_pattern($1_t,
> $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>
> + allow $1_t $1_var_run_t:dir search_dir_perms;
> allow $1_t $1_var_run_t:file manage_file_perms;
> files_pid_filetrans($1_t, $1_var_run_t, file)
>
Or maybe this should be conditional for debian only?
On 02/05/14 16:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Also allow sshd_t domain to chroot(2) in this directory as explained in
> the README.privsep file in the openssh tarball.
>
> Thanks to Russell Coker for this patch
> ---
> policy/modules/services/ssh.fc | 2 ++
> policy/modules/services/ssh.if | 1 +
> 2 files changed, 3 insertions(+)
>
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 76d9f66..8168244 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
>
> /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
>
> +/var/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0)
> /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
> +/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index fe0c682..48eb1c8 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -196,6 +196,7 @@ template(`ssh_server_template', `
> manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
> fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>
> + allow $1_t $1_var_run_t:dir search_dir_perms;
> allow $1_t $1_var_run_t:file manage_file_perms;
> files_pid_filetrans($1_t, $1_var_run_t, file)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 02/05/14 16:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> policy/modules/services/ssh.te | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 30726f2..70bad35 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -33,10 +33,6 @@ corecmd_executable_file(sshd_exec_t)
> ssh_server_template(sshd)
> init_daemon_domain(sshd_t, sshd_exec_t)
>
> -ifdef(`distro_debian',`
> - init_daemon_run_dir(sshd_var_run_t, "sshd")
> -')
> -
> type sshd_key_t;
> files_type(sshd_key_t)
>
> @@ -81,6 +77,10 @@ userdom_user_home_content(ssh_home_t)
> type sshd_keytab_t;
> files_type(sshd_keytab_t)
>
> +ifdef(`distro_debian',`
> + init_daemon_run_dir(sshd_var_run_t, "sshd")
> +')
> +
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 02/06/14 06:57, Laurent Bigonville wrote:
> Le Wed, 5 Feb 2014 22:23:31 +0100,
> Laurent Bigonville <[email protected]> a ?crit :
>
> [...]
>
> diff --git
>> a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
>> index fe0c682..48eb1c8 100644 --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if @@ -196,6 +196,7 @@
>> template(`ssh_server_template', ` manage_files_pattern($1_t,
>> $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>>
>> + allow $1_t $1_var_run_t:dir search_dir_perms;
>> allow $1_t $1_var_run_t:file manage_file_perms;
>> files_pid_filetrans($1_t, $1_var_run_t, file)
>>
>
> Or maybe this should be conditional for debian only?
No, its fine. Actually I was thinking that perhaps the init_daemon_run_dir() should become unconditional instead, since we have the fc entries.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com