[selinux-policy: 1389/3172] add rssh, bug 1544

Thu Oct 7 21:05:30 UTC 2010

commit 5540e76ac7daa5c6c0a57e2746ef8e4c1f06c517
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Apr 25 19:17:43 2006 +0000

    add rssh, bug 1544

 refpolicy/Changelog                      |    1 +
 refpolicy/policy/modules/apps/rssh.fc    |    1 +
 refpolicy/policy/modules/apps/rssh.if    |  143 ++++++++++++++++++++++++++++++
 refpolicy/policy/modules/apps/rssh.te    |   13 +++
 refpolicy/policy/modules/services/ssh.if |   36 ++++++++
 refpolicy/policy/modules/services/ssh.te |   10 ++-
 6 files changed, 202 insertions(+), 2 deletions(-)
---

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 584bfc6..4c130fe 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -65,6 +65,7 @@
 	qmail (Petre Rodan)
 	resmgr
 	rhgb
+	rssh
 	snort
 	soundserver
 	speedtouch
diff --git a/refpolicy/policy/modules/apps/rssh.fc b/refpolicy/policy/modules/apps/rssh.fc
new file mode 100644
index 0000000..4c091ca
--- /dev/null
+++ b/refpolicy/policy/modules/apps/rssh.fc
@@ -0,0 +1 @@
+/usr/bin/rssh	--	gen_context(system_u:object_r:rssh_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/rssh.if b/refpolicy/policy/modules/apps/rssh.if
new file mode 100644
index 0000000..2a84766
--- /dev/null
+++ b/refpolicy/policy/modules/apps/rssh.if
@@ -0,0 +1,143 @@
+## <summary>Restricted (scp/sftp) only shell</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the rssh module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for rssh client sessions.  Derived types are also created
+##	for read-only and read-write file access.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`rssh_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_rssh_t alias rssh_$1_t, rssh_domain_type;
+	domain_type($1_rssh_t)
+	domain_entry_file($1_rssh_t,rssh_exec_t)
+	domain_user_exemption_target($1_t)
+	domain_interactive_fd($1_rssh_t)
+	role system_r types $1_rssh_t;
+
+	type $1_rssh_devpts_t alias rssh_$1_devpts_t;
+	term_user_pty($1_rssh_t,$1_rssh_devpts_t)
+
+	type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type;
+	userdom_user_home_content($1,$1_rssh_ro_t)
+
+	type $1_rssh_rw_t alias rssh_$1_rw_t;
+	userdom_user_home_content($1,$1_rssh_rw_t)
+
+	##############################
+	#
+	# Local policy
+	#
+
+	allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_rssh_t self:fd use;
+	allow $1_rssh_t self:fifo_file rw_file_perms;
+	allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
+	allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_rssh_t self:unix_dgram_socket sendto;
+	allow $1_rssh_t self:unix_stream_socket connectto;
+	allow $1_rssh_t self:shm create_shm_perms;
+	allow $1_rssh_t self:sem create_sem_perms;
+	allow $1_rssh_t self:msgq create_msgq_perms;
+	allow $1_rssh_t self:msg { send receive };
+
+	allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr };
+	term_create_pty($1_rssh_t,$1_rssh_devpts_t)
+
+	allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
+	allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
+
+	allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
+	allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
+
+	kernel_read_system_state($1_rssh_t)
+	kernel_read_kernel_sysctls($1_rssh_t)
+
+	files_read_etc_files($1_rssh_t)
+	files_read_etc_runtime_files($1_rssh_t)
+	files_list_home($1_rssh_t)
+	files_read_usr_files($1_rssh_t)
+	files_list_var($1_rssh_t)
+
+	fs_search_auto_mountpoints($1_rssh_t)
+
+	libs_use_ld_so($1_rssh_t)
+	libs_use_shared_libs($1_rssh_t)
+
+	logging_send_syslog_msg($1_rssh_t)
+
+	miscfiles_read_localization($1_rssh_t)
+
+	userdom_use_unpriv_users_fds($1_rssh_t)
+
+	ssh_rw_tcp_sockets($1_rssh_t)
+	ssh_rw_stream_sockets($1_rssh_t)
+
+	optional_policy(`
+		nis_use_ypbind($1_rssh_t)
+	')
+')
+
+########################################
+## <summary>
+##	Transition to all user rssh domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rssh_spec_domtrans_all_users',`
+	gen_require(`
+		attribute rssh_domain_type;
+		type rssh_exec_t;
+	')
+
+	domain_trans($1,rssh_exec_t,rssh_domain_type)
+	allow rssh_domain_type $1:fd use;
+	allow rssh_domain_type $1:fifo_file rw_file_perms;
+	allow rssh_domain_type $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read all users rssh read-only content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rssh_read_all_users_ro_content',`
+	gen_require(`
+		attribute rssh_ro_content_type;
+	')
+
+	allow $1 rssh_ro_content_type:dir r_dir_perms;
+	allow $1 rssh_ro_content_type:file r_file_perms;
+	allow $1 rssh_ro_content_type:lnk_file { getattr read };
+')
diff --git a/refpolicy/policy/modules/apps/rssh.te b/refpolicy/policy/modules/apps/rssh.te
new file mode 100644
index 0000000..8419801
--- /dev/null
+++ b/refpolicy/policy/modules/apps/rssh.te
@@ -0,0 +1,13 @@
+
+policy_module(rssh,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute rssh_domain_type;
+attribute rssh_ro_content_type;
+
+type rssh_exec_t;
+corecmd_executable_file(rssh_exec_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 8d7a188..de3e1b7 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -598,6 +598,42 @@ interface(`ssh_read_pipes',`
 
 ########################################
 ## <summary>
+##	Read and write ssh server unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_rw_stream_sockets',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+##	Read and write ssh server TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_rw_tcp_sockets',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and write
 ##	ssh server TCP sockets.
 ## </summary>
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 8254d66..fa32d34 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -70,7 +70,7 @@ ifdef(`targeted_policy',`
 # sshd_t is the domain for the sshd program.
 #
 
-ifdef(`targeted_policy',`',`
+ifdef(`strict_policy',`
 	# so a tunnel can point to another ssh tunnel
 	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
 
@@ -120,6 +120,12 @@ ifdef(`targeted_policy',`',`
 		rpm_use_script_fds(sshd_t)
 	')
 
+	optional_policy(`
+		rssh_spec_domtrans_all_users(sshd_t)
+		# For reading /home/user/.ssh
+		rssh_read_all_users_ro_content(sshd_t)
+	')
+
 	ifdef(`TODO',`
 	tunable_policy(`ssh_sysadm_login',`
 		# Relabel and access ptys created by sshd
@@ -151,7 +157,7 @@ ifdef(`targeted_policy',`',`
 # sshd_extern_t is the domain for ssh from outside our network
 #
 
-ifdef(`targeted_policy',`',`
+ifdef(`strict_policy',`
 	ifdef(`TODO',`
 	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
 	# Signal the user domains.
