From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 6 Feb 2014 09:03:29 -0500 Subject: [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep In-Reply-To: <1391635412-16253-1-git-send-email-bigon@debian.org> References: <1391635412-16253-1-git-send-email-bigon@debian.org> Message-ID: <52F39631.9080601@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/05/14 16:23, Laurent Bigonville wrote: > From: Laurent Bigonville > > Also allow sshd_t domain to chroot(2) in this directory as explained in > the README.privsep file in the openssh tarball. > > Thanks to Russell Coker for this patch > --- > policy/modules/services/ssh.fc | 2 ++ > policy/modules/services/ssh.if | 1 + > 2 files changed, 3 insertions(+) > > diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc > index 76d9f66..8168244 100644 > --- a/policy/modules/services/ssh.fc > +++ b/policy/modules/services/ssh.fc > @@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) > > /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) > > +/var/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0) > /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) > +/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) > diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if > index fe0c682..48eb1c8 100644 > --- a/policy/modules/services/ssh.if > +++ b/policy/modules/services/ssh.if > @@ -196,6 +196,7 @@ template(`ssh_server_template', ` > manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) > fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) > > + allow $1_t $1_var_run_t:dir search_dir_perms; > allow $1_t $1_var_run_t:file manage_file_perms; > files_pid_filetrans($1_t, $1_var_run_t, file) Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
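Review bot: in the ssh.fc hunk, the new `/var/run/sshd(/.*)?` entry has no file-type specifier, so the directory and anything created beneath it get `sshd_var_run_t`, the same type the pidfile entries on the adjacent lines use; that means every permission the policy grants on `$1_var_run_t:file` (e.g. the `manage_file_perms` rule visible in the ssh.if context) also applies inside the privsep chroot directory the commit message describes. If sharing the type is intended, a one-line comment above the entry saying the directory is the privsep chroot would help future readers; if not, a separate type for the chroot directory is worth considering. The regexes themselves do not collide: the directory pattern only matches `sshd` followed by `/`, and both `sshd\.init\.pid` and the new `sshd\.pid` are `--` (plain file) entries.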
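Review bot: in the ssh.if hunk, `allow $1_t $1_var_run_t:dir search_dir_perms;` covers the path lookup needed to enter the directory, but the commit message says the patch allows sshd_t to chroot(2) into it and nothing in this hunk grants the `sys_chroot` capability; if that rule lives in patch 2/2, the message here should say so, otherwise the capability line belongs next to this allow rule. Also, nothing here lets `$1_t` create the directory: if `/var/run/sshd` is created by packaging or init before sshd starts, search is enough, but if sshd has to create it on a tmpfs-backed `/var/run` the template would additionally need a `manage_dirs_pattern` and a `files_pid_filetrans($1_t, $1_var_run_t, dir)` alongside the existing `file` transition.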