From: aranea@aixah.de (Luis Ressel)
Date: Sun,  2 Feb 2014 13:19:31 +0100
Subject: [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent
In-Reply-To: <20140202130500.2160f475@gentp.lnet>
References: <20140202130500.2160f475@gentp.lnet>
Message-ID: <1391343571-18264-1-git-send-email-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
---
 policy/modules/services/ssh.if |  7 +++++++
 policy/modules/services/ssh.te | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..7e7b6f6 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -425,6 +425,13 @@ template(`ssh_role_template',`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 	')
+
+	optional_policy(`
+		tunable_policy(`ssh_use_gpg_agent',`
+			# for ssh-add
+			gpg_agent_connect($3)
+		')
+	')
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..68e70e9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
 ## </desc>
 gen_tunable(ssh_sysadm_login, false)
 
+## <desc>
+## <p>
+## Allow ssh to use gpg-agent
+## </p>
+## </desc>
+gen_tunable(ssh_use_gpg_agent, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;
 
@@ -202,6 +209,12 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
 
+optional_policy(`
+	tunable_policy(`ssh_use_gpg_agent',`
+		gpg_agent_connect(ssh_t)
+	')
+')
+
 ##############################
 #
 # ssh_keysign_t local policy
-- 
1.8.5.3