2014-02-02 00:19:05

by Mira Ressel

Subject: [refpolicy] [PATCH] Conditionally allow ssh to use gpg-agent

gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
---
policy/modules/services/ssh.if | 7 +++++++
policy/modules/services/ssh.te | 13 +++++++++++++
2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..96c7596 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -425,6 +425,13 @@ template(`ssh_role_template',`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
')
+
+ optional_policy(`
+ tunable_policy(`ssh_use_gpg_agent',`
+ # for ssh-add
+ stream_connect_pattern($3, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ ')
+ ')
')

########################################
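Review bot: the added tunable_policy block in ssh_role_template references gpg_agent_tmp_t and gpg_agent_t directly, but those types belong to the gpg module and nothing in this hunk brings them into scope with a gen_require, so a modular build fails and the refpolicy rule that cross-module access goes through an interface in the owning module's .if file is broken. Suggest adding an interface in gpg.if that wraps `stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` behind its own gen_require and calling that interface here instead; the optional_policy wrapper also only has something to be optional on once the rule inside is such an interface call.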
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..0cfdc7b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
## </desc>
gen_tunable(ssh_sysadm_login, false)

+## <desc>
+## <p>
+## Allow ssh to use gpg-agent
+## </p>
+## </desc>
+gen_tunable(ssh_use_gpg_agent, false)
+
attribute ssh_server;
attribute ssh_agent_type;

@@ -202,6 +209,12 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')

+optional_policy(`
+ tunable_policy(`ssh_use_gpg_agent',`
+ stream_connect_pattern(ssh_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ ')
+')
+
##############################
#
# ssh_keysign_t local policy
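Review bot: same problem as the ssh.if hunk: gpg_agent_tmp_t and gpg_agent_t are used from ssh.te with no gen_require, and the optional_policy wrapper has no gpg interface call to attach to. Replacing the raw stream_connect_pattern with a gpg.if interface call taking ssh_t fixes both points.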
--
1.8.5.3


2014-02-02 12:05:00

by Mira Ressel

Subject: [refpolicy] [PATCH] Conditionally allow ssh to use gpg-agent

On Sun, 2 Feb 2014 01:19:05 +0100
Luis Ressel <[email protected]> wrote:

> + stream_connect_pattern(ssh_t, gpg_agent_tmp_t,
> gpg_agent_tmp_t, gpg_agent_t)

Sorry, I forgot again to add a proper interface for that.


--
Luis Ressel <[email protected]>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD

2014-02-02 12:18:38

by Mira Ressel

Subject: [refpolicy] [PATCH v2] gpg: Create gpg_agent_connect interface

---
gpg.if | 18 ++++++++++++++++++
gpg.te | 2 +-
2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/gpg.if b/gpg.if
index 180f1b7..73d1e94 100644
--- a/gpg.if
+++ b/gpg.if
@@ -193,6 +193,24 @@ interface(`gpg_rw_agent_pipes',`

########################################
## <summary>
+## Connect to gpg agent socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_connect',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ ')
+
+ stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
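Review bot: the interface name gpg_agent_connect does not follow the module_action_object form used by its neighbour gpg_rw_agent_pipes; gpg_stream_connect_agent would match the convention and the stream_connect_pattern it wraps. The body is right: gen_require pulls in both types, the tmp directory is the socket's parent, the socket file is gpg_agent_tmp_t and the peer domain is gpg_agent_t. The summary could say "Connect to the gpg-agent unix stream socket" so readers know the class of access being granted.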
diff --git a/gpg.te b/gpg.te
index 96f90e6..ed01527 100644
--- a/gpg.te
+++ b/gpg.te
@@ -93,7 +93,7 @@ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+gpg_agent_connect(gpg_t)

domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
--
1.8.5.3

2014-02-02 12:19:31

by Mira Ressel

Subject: [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent

gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
---
policy/modules/services/ssh.if | 7 +++++++
policy/modules/services/ssh.te | 13 +++++++++++++
2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..7e7b6f6 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -425,6 +425,13 @@ template(`ssh_role_template',`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
')
+
+ optional_policy(`
+ tunable_policy(`ssh_use_gpg_agent',`
+ # for ssh-add
+ gpg_agent_connect($3)
+ ')
+ ')
')

########################################
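Review bot: gpg_agent_connect($3) only resolves once the separate "gpg: Create gpg_agent_connect interface" patch is applied, so the two should go out as an ordered series or this commit message should name the dependency. With the interface supplying the gen_require on the gpg types, the optional_policy wrapper is now correct. If $3 is the user domain, as elsewhere in ssh_role_template, the rule grants every process in that domain the connect permission, not just ssh-add; that is acceptable for a tunable that defaults to off, but the "# for ssh-add" comment could say so.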
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..68e70e9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
## </desc>
gen_tunable(ssh_sysadm_login, false)

+## <desc>
+## <p>
+## Allow ssh to use gpg-agent
+## </p>
+## </desc>
+gen_tunable(ssh_use_gpg_agent, false)
+
attribute ssh_server;
attribute ssh_agent_type;

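Review bot: the tunable description "Allow ssh to use gpg-agent" is the text administrators see in the generated docs and in setsebool listings, so it should say what is actually granted, e.g. "Allow the ssh client and ssh-add to connect to the gpg-agent socket, so gpg-agent can act as the ssh agent (for example with smartcard keys)." The default of false is the right choice for access that crosses into another domain's socket.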
@@ -202,6 +209,12 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')

+optional_policy(`
+ tunable_policy(`ssh_use_gpg_agent',`
+ gpg_agent_connect(ssh_t)
+ ')
+')
+
##############################
#
# ssh_keysign_t local policy
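Review bot: this rule assumes gpg-agent's ssh-compatible socket carries the same gpg_agent_tmp_t label as its main socket, which holds only if the gpg module's file contexts cover the directory that socket lives in; worth verifying the label of the socket the ssh client is pointed at before relying on the tunable, and if it is labelled differently the fix belongs in the gpg file contexts, not in this hunk. Otherwise the ssh_t side mirrors the ssh.if hunk and looks right.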
--
1.8.5.3

2014-02-08 13:31:52

by cpebenito

Subject: [refpolicy] [PATCH v2] gpg: Create gpg_agent_connect interface

On 2/2/2014 7:18 AM, Luis Ressel wrote:
> ---
> gpg.if | 18 ++++++++++++++++++
> gpg.te | 2 +-
> 2 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/gpg.if b/gpg.if
> index 180f1b7..73d1e94 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -193,6 +193,24 @@ interface(`gpg_rw_agent_pipes',`
>
> ########################################
> ## <summary>
> +## Connect to gpg agent socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gpg_agent_connect',`
> + gen_require(`
> + type gpg_agent_t, gpg_agent_tmp_t;
> + ')
> +
> + stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
> +')
> +
> +########################################
> +## <summary>
> ## Send messages to and from gpg
> ## pinentry over DBUS.
> ## </summary>
> diff --git a/gpg.te b/gpg.te
> index 96f90e6..ed01527 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -93,7 +93,7 @@ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
>
> -stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
> +gpg_agent_connect(gpg_t)
>
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

Merged. I renamed the interface to gpg_stream_connect_agent().

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-08 13:32:06

by cpebenito

Subject: [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent

On 2/2/2014 7:19 AM, Luis Ressel wrote:
> gpg-agent also offers an ssh-compatible interface. This is useful e.g.
> for smartcard authentication.
> ---
> policy/modules/services/ssh.if | 7 +++++++
> policy/modules/services/ssh.te | 13 +++++++++++++
> 2 files changed, 20 insertions(+)
>
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index fe0c682..7e7b6f6 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -425,6 +425,13 @@ template(`ssh_role_template',`
> xserver_use_xdm_fds($1_ssh_agent_t)
> xserver_rw_xdm_pipes($1_ssh_agent_t)
> ')
> +
> + optional_policy(`
> + tunable_policy(`ssh_use_gpg_agent',`
> + # for ssh-add
> + gpg_agent_connect($3)
> + ')
> + ')
> ')
>
> ########################################
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 30726f2..68e70e9 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
> ## </desc>
> gen_tunable(ssh_sysadm_login, false)
>
> +## <desc>
> +## <p>
> +## Allow ssh to use gpg-agent
> +## </p>
> +## </desc>
> +gen_tunable(ssh_use_gpg_agent, false)
> +
> attribute ssh_server;
> attribute ssh_agent_type;
>
> @@ -202,6 +209,12 @@ optional_policy(`
> xserver_domtrans_xauth(ssh_t)
> ')
>
> +optional_policy(`
> + tunable_policy(`ssh_use_gpg_agent',`
> + gpg_agent_connect(ssh_t)
> + ')
> +')
> +
> ##############################
> #
> # ssh_keysign_t local policy
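Review bot: the gpg interface was merged under the name gpg_stream_connect_agent() (per the reply to the gpg patch), so the gpg_agent_connect($3) and gpg_agent_connect(ssh_t) calls in these hunks will not resolve as posted and need the same rename when this patch is applied.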

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com