[selinux-policy: 2985/3172] Allow users to ptrace and send any kind of signal to their ssh agent instead of only a generic signa
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:25:42 UTC 2010
commit 50e85752ad9c3af904a81b7d1af7f6bc27c98630
Author: Dominick Grift <domg472 at gmail.com>
Date: Thu Sep 16 09:59:06 2010 +0200
Allow users to ptrace and send any kind of signal to their ssh agent instead of only a generic signal.
Signed-off-by: Dominick Grift <domg472 at gmail.com>
policy/modules/services/ssh.if | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 7b02f86..68a7db8 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -339,7 +339,7 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
- allow $3 ssh_t:process signal;
+ allow $3 ssh_t:process { ptrace signal_perms };
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
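Review bot: The changed rule in this hunk targets ssh_t, the ssh client domain, while the commit message only talks about the ssh agent, so the ptrace grant here is not covered by the stated rationale. The new line "allow $3 ssh_t:process { ptrace signal_perms };" lets any process in the user domain $3 attach to ssh client processes, which is a much stronger permission than sending them signals. Either justify ptrace on ssh_t in the commit message, or keep this rule to signal_perms and limit ptrace to the agent rule in the second hunk.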
@@ -372,7 +372,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
- allow $3 $1_ssh_agent_t:process signal;
+ allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
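Review bot: The comment above the changed rule, "Allow the user shell to signal the ssh program.", no longer describes it: the rule now grants ptrace in addition to signal_perms, and it applies to $1_ssh_agent_t rather than the ssh program. Update the comment to mention ptrace and the agent. Because the agent is the process that holds the user's loaded keys in memory, ptrace from all of $3 would be better placed in its own allow line with a comment stating why it is needed, or behind a tunable, so it can be reviewed and switched off independently of the signal permissions.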