From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 19 Jul 2010 13:40:34 -0400
Subject: [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.
In-Reply-To: <4C3B6DC6.4070605@gmail.com>
References: <20100709144150.GA10383@localhost.localdomain> <4C3B5BA0.2040904@tresys.com> <4C3B6DC6.4070605@gmail.com>
Message-ID: <4C448E12.6060000@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/12/10 15:32, Dominick Grift wrote:
> On 07/12/2010 08:14 PM, Christopher J. PeBenito wrote:
>> On 07/09/10 10:41, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift
>>> ---
>>> :100644 100644 ef3f32d... 1a59f6a... M	policy/modules/services/ssh.if
>>> :100644 100644 512834a... afbe9ac... M	policy/modules/services/ssh.te
>>>  policy/modules/services/ssh.if |    4 +++-
>>>  policy/modules/services/ssh.te |    1 -
>>>  2 files changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
>>> index ef3f32d..1a59f6a 100644
>>> --- a/policy/modules/services/ssh.if
>>> +++ b/policy/modules/services/ssh.if
>>> @@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`
>>>
>>>  	type $1_ssh_t;
>>>  	application_domain($1_ssh_t, ssh_exec_t)
>>> +	ubac_constrained($1_ssh_t)
>>> +
>>>  	role $3 types $1_ssh_t;
>>>
>>>  	type $1_ssh_home_t;
>>> -	files_type($1_ssh_home_t)
>>>  	typealias $1_ssh_home_t alias $1_home_ssh_t;
>>> +	userdom_user_home_content($1_ssh_home_t)
>>>
>>>  ##############################
>>>  #
>>
>> I don't think we actually want this change. The template isn't meant to
>> be used by users; they use ssh_t.
>>
>
> Is this not a template for ssh client application?

Yes, but not necessarily for users. This could be used for an automated
process run out of cron to just scp a file from this machine over to
another one (e.g. a poor man's backup).

> Is that not a user agent. Should user agents not be ubac_constrained?

They should.

> Is $1_ssh_home_t not userdom_user_home_content. However you look at it?

No, it would only be if this is for users.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
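Review bot: adding ubac_constrained($1_ssh_t) and swapping files_type($1_ssh_home_t) for userdom_user_home_content($1_ssh_home_t) inside ssh_basic_client_template applies to every domain derived from the template, not only to user domains, so a non-user caller (the cron-driven scp case raised in the thread) would also be treated as a UBAC-constrained user agent with user home content; keep files_type($1_ssh_home_t) in the template and make the ubac_constrained() and userdom_user_home_content() calls in the user-facing caller (ssh_t) instead, or document the template as user-only if that is the intent. The ssh.te change (one deletion in the diffstat) is not part of the quoted patch, so the removed line there cannot be reviewed from this message.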