2012-09-12 19:56:39

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key

From: Laurent Bigonville <[email protected]>

Since version 5.7, openssh supports ECDSA keys; properly label the
private key file.
---
policy/modules/services/ssh.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..64b3e11 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_ecdsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)

/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
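Review bot: The added /etc/ssh/ssh_host_ecdsa_key line continues the one-entry-per-algorithm list (ssh_host_key, ssh_host_dsa_key, ssh_host_rsa_key), so the private key of the next host key type will again not get sshd_key_t until the policy is patched. Consider replacing the enumerated entries with a single pattern such as /etc/ssh/ssh_host.*_key, keeping the -- file-type flag so that only regular files are matched.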
--
1.7.10.4


2012-09-12 19:56:40

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/2] Add Debian location for ssh-keysign

From: Laurent Bigonville <[email protected]>

---
policy/modules/services/ssh.fc | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 64b3e11..ce0f22f 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -12,6 +12,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)

/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

+ifdef(`distro_debian',`
+/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+')
+
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)

/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
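Review bot: The ifdef(`distro_debian', ...) guard around the new /usr/lib/openssh/ssh-keysign entry does not look necessary: the /usr/libexec/openssh/ssh-keysign entry directly above it is unconditional, and an entry for a path that does not exist on a system simply never matches. Dropping the guard keeps the two ssh-keysign locations together and removes two lines. The commit message body is also empty; one sentence saying which distribution installs the binary at this path would help.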
--
1.7.10.4

2012-09-13 15:40:12

by Daniel Walsh

Subject: [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key

On 09/12/2012 03:56 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Since version 5.7, openssh supports ECDSA keys; properly label the private
> key file. --- policy/modules/services/ssh.fc | 1 + 1 file changed, 1
> insertion(+)
>
> diff --git a/policy/modules/services/ssh.fc
> b/policy/modules/services/ssh.fc index 078bcd7..64b3e11 100644 ---
> a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@
> -3,6 +3,7 @@ HOME_DIR/\.ssh(/.*)?
> gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/primes --
> gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key --
> gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_dsa_key --
> gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host_ecdsa_key
> -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_rsa_key
> -- gen_context(system_u:object_r:sshd_key_t,s0)
>
> /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
>
How about /etc/ssh/.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)

Then we will not need to worry about this.



2012-09-13 16:24:19

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key

On Thu, 13 Sep 2012 11:40:12 -0400,
Daniel J Walsh <[email protected]> wrote:

> How about /etc/ssh/.*_key --
> gen_context(system_u:object_r:sshd_key_t,s0)
>
> Then we will not need to worry about this.

That could indeed be a solution.

I've another question about the labels on these files.

On Debian, ssh-keygen is run by the post-installation script of the
package which could run in the unconfined_t domain, that means that the
files could not be labeled correctly at their creation.

Dominick was suggesting to use named file transitions so they would be
labeled correctly even in that case.

Does anybody have an opinion on this?

Cheers

Laurent Bigonville
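
The wildcard entries discussed in this exchange, compared against the per-algorithm list, as an added example that is not part of the thread or of refpolicy. It parses .fc-style lines and applies them the way file-context patterns are applied (the regex must match the whole path, and the flag restricts the file type); the sample paths, including the ed25519 and backup names, are constructed.

```python
import re
import stat

# Constructed .fc fragments: the per-algorithm entries from the first patch
# and the two wildcard forms discussed in the thread.
CTX = "gen_context(system_u:object_r:sshd_key_t,s0)"
ENUMERATED = "".join(f"/etc/ssh/ssh_host_{n}key -- {CTX}\n" for n in ("", "dsa_", "rsa_"))
ANY_KEY = f"/etc/ssh/.*_key -- {CTX}\n"
HOST_KEY = f"/etc/ssh/ssh_host.*_key -- {CTX}\n"

# File-type flags of the .fc format, mapped to the stat type they select.
FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
         "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO}

def parse_fc(text):
    """Parse 'regex [flag] gen_context(context,level)' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ftype = FLAGS[fields[1]] if len(fields) == 3 else None  # None: any type
        ctx = re.fullmatch(r"gen_context\(([^,]+),[^)]*\)", fields[-1]).group(1)
        entries.append((re.compile(fields[0]), ftype, ctx))
    return entries

def label(entries, path, ftype=stat.S_IFREG):
    """Context for path, or None. The regex must match the whole path.
    Simplification: the last matching entry wins; no specificity ranking."""
    found = None
    for regex, want, ctx in entries:
        if regex.fullmatch(path) and want in (None, ftype):
            found = ctx
    return found

def labeled_paths(fc_text, paths):
    entries = parse_fc(fc_text)
    return [p for p in paths if label(entries, p) is not None]

# Constructed sample paths (ed25519 stands in for a later key type).
PATHS = ["/etc/ssh/ssh_host_key", "/etc/ssh/ssh_host_rsa_key",
         "/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ed25519_key",
         "/etc/ssh/ssh_host_rsa_key.pub", "/etc/ssh/backup/old_key"]

if __name__ == "__main__":
    for name, fc in (("enumerated", ENUMERATED), ("any _key", ANY_KEY), ("ssh_host*", HOST_KEY)):
        print(f"{name:10}", labeled_paths(fc, PATHS))
```

The enumerated list misses the two newer key types, /etc/ssh/.*_key also picks up the file under backup/, and neither wildcard matches the .pub file.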

2012-09-13 20:33:57

by Daniel Walsh

Subject: [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key

On 09/13/2012 12:24 PM, Laurent Bigonville wrote:
> On Thu, 13 Sep 2012 11:40:12 -0400, Daniel J Walsh <[email protected]> wrote:
>
>> How about /etc/ssh/.*_key --
>> gen_context(system_u:object_r:sshd_key_t,s0)
>>
>> Then we will not need to worry about this.
>
> That could indeed be a solution.
>
> I've another question about the labels on these files.
>
> On Debian, ssh-keygen is run by the post-installation script of the package
> which could run in the unconfined_t domain, that means that the files could
> not be labeled correctly at their creation.
>
> Dominick was suggesting to use named file transitions so they would be
> labeled correctly even in that case.
>
> Does anybody have an opinion on this?
>
> Cheers
>
> Laurent Bigonville
>
We are currently running ssh_keygen as ssh_keygen_t, but using named file
trans is a better solution.

2012-11-04 01:23:10

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/2 v2] Add Debian location for ssh-keysign

From: Laurent Bigonville <[email protected]>

---
policy/modules/services/ssh.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..7df96c5 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -9,6 +9,8 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)

+/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
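Review bot: The blank line added after the new /usr/lib/openssh/ssh-keysign entry separates it from /usr/libexec/openssh/ssh-keysign, although both lines label the same helper as ssh_keysign_exec_t. Keep the two entries adjacent in one group, and state in the commit message body that /usr/lib/openssh is the Debian location, which at the moment is only mentioned in the subject.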
--
1.7.10.4

2012-11-26 16:13:36

by cpebenito

Subject: [refpolicy] [PATCH 2/2 v2] Add Debian location for ssh-keysign

On 11/03/12 21:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> policy/modules/services/ssh.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 078bcd7..7df96c5 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -9,6 +9,8 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
> /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
> /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
>
> +/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> +
> /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>
> /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
>

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-11-27 19:21:09

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/2 v2] Properly label all the ssh host keys

From: Laurent Bigonville <[email protected]>

Be sure that we are labeling properly all ssh host keys even if new
algorithms are added in the future.
---
policy/modules/services/ssh.fc | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 7df96c5..76d9f66 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,9 +1,7 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)

/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)

/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
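Review bot: In the added /etc/ssh/ssh_host.*_key line, .* also matches '/', so the entry reaches files below any subdirectory of /etc/ssh whose name starts with ssh_host, as long as the file name ends in _key. A tighter form such as /etc/ssh/ssh_host[^/]*_key still covers ssh_host_key and every ssh_host_<alg>_key while staying inside /etc/ssh. Public keys ending in .pub are excluded either way, because the pattern has to match the whole path.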
--
1.7.10.4