[selinux-policy: 525/3172] work on user transition

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:49:58 UTC 2010


commit e5590ea5ec0c13043d2b71110c2eba49384a0de2
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jul 28 20:52:55 2005 +0000

    work on user transition

 refpolicy/policy/modules/kernel/terminal.if |   38 +++++++++++++++++++++++++++
 refpolicy/policy/modules/services/ssh.if    |    6 ++++
 refpolicy/policy/modules/services/ssh.te    |   38 ++++++++++++---------------
 3 files changed, 61 insertions(+), 21 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b3a4540..07b1892 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -367,6 +367,44 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 ')
 
 ########################################
+## <summary>
+##	Set the attributes of all user
+##	pty device nodes.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`term_setattr_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Relabel to all user ptys.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`term_relabelto_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+		class chr_file relabelto;
+	')
+
+	allow $1 ptynode:chr_file relabelto;
+')
+
+########################################
 ## <desc>
 ##	Read and write all user ptys.
 ## </desc>
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 24770b8..ff92d99 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -77,6 +77,12 @@ template(`ssh_per_userdomain_template',`
 	allow $1_t $1_home_ssh_t:lnk_file create_lnk_perms;
 	allow $1_t $1_home_ssh_t:sock_file create_file_perms;
 
+	# inheriting stream sockets is needed for "ssh host command" as no pty
+	# is allocated
+	# cjp: should probably fix target to be an attribute for ssh servers
+	# or "regular" (not special like sshd_extern_t) servers
+	allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
+
 	# ssh client can manage the keys and config
 	allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
 	allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
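Review bot: The added rule names `sshd_t` inside `ssh_per_userdomain_template`, whose gen_require block is above this hunk; unless it already lists `type sshd_t;`, every module that instantiates the template will fail to resolve the type, so confirm the require block declares it. The rule gives each per-user domain rw_stream_socket_perms on inherited sshd_t unix stream sockets, and since the in-code note already says the target should become an attribute, the comment could also name the intended scope so the limitation is explicit, e.g. `# TODO: replace sshd_t with an attribute covering only the ssh server domains that spawn user shells`. The template begins and ends outside this hunk.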
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 3e2fffc..a04588d 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -72,30 +72,33 @@ seutil_read_config(sshd_t)
 # Allow checking users mail at login
 mta_getattr_spool(sshd_t)
 
+tunable_policy(`ssh_sysadm_login',`
+	# Relabel and access ptys created by sshd
+	# ioctl is necessary for logout() processing for utmp entry and for w to
+	# display the tty.
+	# some versions of sshd on the new SE Linux require setattr
+	allow sshd_t ptyfile:chr_file relabelto;
+	term_use_all_user_ptys(sshd_t)
+	term_setattr_all_user_ptys(sshd_t)
+	term_relabelto_all_user_ptys(sshd_t)
+
+	userdom_spec_domtrans_all_users(sshd_t)
+	userdom_signal_all_users(sshd_t)
+',`
+	userdom_spec_domtrans_unpriv_users(sshd_t)
+	userdom_signal_unpriv_users(sshd_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_use_script_fd(sshd_t)
 ')
 
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
-	userdom_spec_domtrans_all_users(sshd_t)
-	userdom_signal_all_users(sshd_t)
-
 	optional_policy(`xauth.te',`
 		domain_trans(sshd_t, xauth_exec_t, userdomain)
 	')
-	# Relabel and access ptys created by sshd
-	# ioctl is necessary for logout() processing for utmp entry and for w to
-	# display the tty.
-	# some versions of sshd on the new SE Linux require setattr
-	allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr };
-	# inheriting stream sockets is needed for "ssh host command" as no pty
-	# is allocated
-	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
 ',`
-	userdom_spec_domtrans_unpriv_users(sshd_t)
-	userdom_signal_unpriv_users(sshd_t)
-
 	optional_policy(`xauth.te',`
 		domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
 	')
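Review bot: `allow sshd_t ptyfile:chr_file relabelto;` at the top of the new tunable_policy block is redundant with `term_relabelto_all_user_ptys(sshd_t)` three lines below, and it is a raw allow on an attribute owned by another module, which the rest of the block avoids by going through terminal interfaces; `ptyfile` also looks like the pre-refpolicy attribute name while the new interfaces use `ptynode`, so the line may not resolve at all. Drop the raw allow and keep the interface call. The three comment lines above it still describe ioctl and setattr needs in terms of the old monolithic rule; now that those permissions come from term_use_all_user_ptys and term_setattr_all_user_ptys, a single line such as `# sshd relabels, sets attributes on, and uses the ptys it allocates for login sessions` would describe what the block actually grants.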
@@ -104,14 +107,7 @@ tunable_policy(`ssh_sysadm_login',`
 	# display the tty.
 	# some versions of sshd on the new SE Linux require setattr
 	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
-	# inheriting stream sockets is needed for "ssh host command" as no pty
-	# is allocated
-	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
 ')
-
-# for when the network connection breaks after running newrole -r sysadm_r
-dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
-
 ') dnl endif TODO
 
 #################################

