From: jason@perfinion.com (Jason Zaman) Date: Thu, 2 Nov 2017 22:24:11 +0800 Subject: [refpolicy] [PATCH 2/5] Add key interfaces and perms In-Reply-To: References: <20171031053707.6893-1-jason@perfinion.com> <20171031053707.6893-2-jason@perfinion.com> Message-ID: <20171102142411.GA18004@meriadoc.perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, Nov 01, 2017 at 06:50:12PM -0400, Chris PeBenito wrote: > On 10/31/2017 01:37 AM, Jason Zaman wrote: > > diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if > > index aa906680..26c90838 100644 > > --- a/policy/modules/services/ssh.if > > +++ b/policy/modules/services/ssh.if > > @@ -338,6 +338,8 @@ template(`ssh_role_template',` > > # for rsync > > allow ssh_t $3:unix_stream_socket rw_socket_perms; > > allow ssh_t $3:unix_stream_socket connectto; > > + allow ssh_t $3:key manage_key_perms; > > + allow $3 ssh_t:key { write search read view }; > > Is this second rule really needed? It doesn't seem like there should be > reverse access. I dug through fedora's repo git blame and got: commit e194215de82481660c25adb8715d007f3a59c05f Author: Dan Walsh Date: Sat Feb 15 02:10:34 2014 Allow domains that transition to ssh_t to manipulate its keyring --- policy/modules/services/ssh.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index c0413e804..e8dcfa7ff 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -364,7 +364,7 @@ template(`ssh_role_template',` allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; allow ssh_t $3:key manage_key_perms; - allow $3 ssh_t:key read; + allow $3 ssh_t:key { write search read view }; No more info so I guess I'll drop it for now and add it later if something comes up. > > diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te > > index 11a8ec1c..9b3f3520 100644 
> > --- a/policy/modules/system/authlogin.te > > +++ b/policy/modules/system/authlogin.te > > @@ -419,6 +419,8 @@ optional_policy(` > > # nsswitch_domain local policy > > # > > > > +allow nsswitch_domain self:key manage_key_perms; > > + > > files_list_var_lib(nsswitch_domain) > > > > # read /etc/nsswitch.conf > > @@ -426,6 +428,8 @@ files_read_etc_files(nsswitch_domain) > > > > sysnet_dns_name_resolve(nsswitch_domain) > > > > +userdom_manage_all_users_keys(nsswitch_domain) > > This needs explanation. Going through their git logs it seems like something that was a stopgap fix and was supposed to be removed, I'll drop it too.
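Review bot: for the ssh.if hunk, the second rule `allow $3 ssh_t:key { write search read view };` grants the user role domain write access to ssh_t's own keyring, and the only provenance found is the Fedora commit that widened it from `read` with no use case recorded, so dropping it as agreed is the least-privilege choice; if a denial turns up later, the re-added rule should carry only the permissions the AVC shows plus a comment naming the consumer. The first rule `allow ssh_t $3:key manage_key_perms;` would also benefit from its own comment, since the preceding `# for rsync` comment only covers the unix_stream_socket rules above it.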
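Review bot: the quoted Fedora commit e194215de82481660c25adb8715d007f3a59c05f states the effect of the change ("manipulate its keyring") but not the need, so it cannot serve as justification for importing the wider `{ write search read view }` set into refpolicy; write on another domain's keyring is the kind of grant that should trace back to a concrete denial and a named consumer before it lands.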
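Review bot: for the authlogin.te hunk, `userdom_manage_all_users_keys(nsswitch_domain)` pairs a broad attribute (every domain carrying nsswitch_domain) with a broad target (every user's keyring), so dropping it as agreed is correct; if one specific NSS component does need a user keyring, the call belongs on that domain with a comment stating why. The `allow nsswitch_domain self:key manage_key_perms;` rule looks reasonable for a domain managing its own keyring, but a one-line comment describing what the keyring is used for would make the grant auditable later.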