[selinux-policy: 1552/3172] clean up most of the remaining ssh TODO
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:19:22 UTC 2010
commit 528811e040d2394761e584434039dba8d57ce8c3
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jul 26 20:34:09 2006 +0000
clean up most of the remaining ssh TODO
policy/modules/services/ssh.if | 92 +++++++++++++++++++---------------------
policy/modules/services/ssh.te | 2 +-
2 files changed, 45 insertions(+), 49 deletions(-)
---
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 7c7f58b..1e0480a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -234,6 +234,9 @@ template(`ssh_per_userdomain_template',`
domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
role $3 types $1_ssh_agent_t;
+ type $1_ssh_agent_tmp_t;
+ files_tmp_file($1_ssh_agent_tmp_t)
+
type $1_ssh_keysign_t;
domain_type($1_ssh_keysign_t)
domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
@@ -258,12 +261,22 @@ template(`ssh_per_userdomain_template',`
allow $1_ssh_t $1_home_ssh_t:sock_file manage_file_perms;
userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
+ # Allow the ssh program to communicate with ssh-agent.
+ allow $1_ssh_t sshd_t:unix_stream_socket connectto;
+
userdom_use_unpriv_users_fds($1_ssh_t)
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
userdom_search_user_home_dirs($1,$1_ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
+ tunable_policy(`allow_ssh_keysign',`
+ domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+ allow $1_ssh_keysign_t $1_ssh_t:fd use;
+ allow $1_ssh_keysign_t $1_ssh_t:process sigchld;
+ allow $1_ssh_keysign_t $1_ssh_t:fifo_file rw_file_perms;
+ ')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_ssh_t)
fs_manage_nfs_files($1_ssh_t)
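Review bot: The comment added above `allow $1_ssh_t sshd_t:unix_stream_socket connectto;` says the rule is for talking to ssh-agent, but the rule's target is `sshd_t`, not `$1_ssh_agent_t`. Presumably this is for agent forwarding, where sshd holds the forwarded agent socket; if so the comment should say it, for example `# Allow ssh to connect to an agent socket forwarded by sshd.` The reason is worth recording because the rule lets every per-user ssh client domain connect to stream sockets owned by sshd_t. The template body starts and ends outside this hunk.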
@@ -295,22 +308,6 @@ template(`ssh_per_userdomain_template',`
files_search_mnt($1_ssh_t)
r_dir_file($1_ssh_t, removable_t)
- if (allow_ssh_keysign) {
- domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
- allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
- allow $1_ssh_keysign_t self:capability { setgid setuid };
- allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
- uses_shlib($1_ssh_keysign_t)
- dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
- dontaudit $1_ssh_keysign_t proc_t:dir search;
- dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
- allow $1_ssh_keysign_t usr_t:dir search;
- allow $1_ssh_keysign_t etc_t:file { getattr read };
- allow $1_ssh_keysign_t self:dir search;
- allow $1_ssh_keysign_t self:file { getattr read };
- allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
- }
-
') dnl endif TODO
##############################
@@ -327,20 +324,20 @@ template(`ssh_per_userdomain_template',`
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+ allow $1_ssh_agent_t $1_ssh_agent_tmp_t:dir manage_dir_perms;
+ allow $1_ssh_agent_t $1_ssh_agent_tmp_t:sock_file manage_file_perms;
+ files_tmp_filetrans($1_ssh_agent_t,$1_ssh_agent_tmp_t,{ dir sock_file })
+
# for ssh-add
allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
# Allow the user shell to signal the ssh program.
allow $2 $1_ssh_agent_t:process signal;
- # for the transition back to normal privs upon exec
- allow $1_ssh_agent_t $2:fd use;
- allow $2 $1_ssh_agent_t:fd use;
- allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
- allow $2 $1_ssh_agent_t:process sigchld;
-
- # Allow the ssh program to communicate with ssh-agent.
- allow $1_ssh_t sshd_t:unix_stream_socket connectto;
+ # allow ps to show ssh
+ allow $2 $1_ssh_agent_t:dir { search getattr read };
+ allow $2 $1_ssh_agent_t:{ file lnk_file } { read getattr };
+ allow $2 $1_ssh_agent_t:process getattr;
domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)
allow $2 $1_ssh_agent_t:fd use;
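Review bot: The new `$1_ssh_agent_tmp_t` rules cover only the agent itself; nothing in the visible hunks lets the clients (`$1_ssh_t`, and `$2` for ssh-add) search the directory or write to the socket file of that type. `connectto` on the agent's `unix_stream_socket` is not enough on its own, because connecting also needs `write` on the `sock_file`. The `ifdef(`TODO'` block further down still has `allow $1_ssh_t $1_tmp_t:sock_file write;` against the old type. Unless client access is granted elsewhere in the file, add something like `allow $1_ssh_t $1_ssh_agent_tmp_t:sock_file write;` plus directory search, and the same for `$2`. The `# allow ps to show ssh` comment would also read better as `# allow ps to show ssh-agent`, since the rules target `$1_ssh_agent_t`.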
@@ -378,6 +375,12 @@ template(`ssh_per_userdomain_template',`
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_agent_t)
+ # for the transition back to normal privs upon exec
+ userdom_user_home_domtrans($1,$1_ssh_agent_t,$2)
+ allow $2 $1_ssh_agent_t:fd use;
+ allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
+ allow $2 $1_ssh_agent_t:process sigchld;
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
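Review bot: `allow $2 $1_ssh_agent_t:fd use;` added here repeats the rule that already follows `domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)` in the previous hunk, so one of the two copies can be dropped. The `fifo_file` and `sigchld` lines may also be redundant if `userdom_user_home_domtrans` grants them as part of the transition; its definition is not visible here, so that needs checking. The comment could state the direction explicitly, for example `# ssh-agent execs a command from the user's home and transitions back to $2`.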
@@ -396,38 +399,15 @@ template(`ssh_per_userdomain_template',`
nis_use_ypbind($1_ssh_agent_t)
')
-# optional_policy(`
-# # KDM:
-# xdm_sigchld($1_ssh_agent_t)
-# ')
-
ifdef(`TODO',`
ifdef(`xdm.te',`
can_pipe_xdm($1_ssh_agent_t)
')
- # allow ps to show ssh
- can_ps($1_t, $1_ssh_agent_t)
-
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
- # Access the ssh temporary files. Should we have an own type here
- # to which only ssh, ssh-agent and ssh-add have access?
- allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
- file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
-
- # transition back to normal privs upon exec
- domain_auto_trans($1_ssh_agent_t, $1_home_t, $1_t)
- allow $1_ssh_agent_t $1_home_dir_t:dir search;
-
allow $1_ssh_t $1_tmp_t:sock_file write;
- #
- # Allow command to ssh-agent > ~/.ssh_agent
- #
- allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
- allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
-
# Allow the ssh program to communicate with ssh-agent.
allow $1_ssh_t $1_tmp_t:sock_file write;
allow $1_ssh_t $2:unix_stream_socket connectto;
@@ -438,8 +418,24 @@ template(`ssh_per_userdomain_template',`
# $1_ssh_keysign_t local policy
#
+ tunable_policy(`allow_ssh_keysign',`
+ allow $1_ssh_keysign_t self:capability { setgid setuid };
+ allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+
+ allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+
+ dev_read_urand($1_ssh_keysign_t)
+
+ files_read_etc_files($1_ssh_keysign_t)
+
+ libs_use_ld_so($1_ssh_keysign_t)
+ libs_use_shared_libs($1_ssh_keysign_t)
+ ')
+
optional_policy(`
- nscd_socket_use($1_ssh_keysign_t)
+ tunable_policy(`allow_ssh_keysign',`
+ nscd_socket_use($1_ssh_keysign_t)
+ ')
')
')
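Review bot: The keysign rules re-added under `tunable_policy(`allow_ssh_keysign'` do not carry over everything from the removed `if (allow_ssh_keysign)` block. Missing are the `dontaudit` rules for `selinux_config_t:dir search` and the `proc_t` entries, the `self:dir search` and `self:file { getattr read }` rules, and `allow $1_ssh_keysign_t usr_t:dir search;`. If `libs_use_shared_libs` and `files_read_etc_files` do not cover the `usr_t` search, ssh-keysign may fail; in any case it may start logging AVC denials that were previously silenced. A line in the commit message or a comment saying the omissions are deliberate would help. A short comment on the `sshd_key_t` read and the `setgid setuid` capability would also document why this helper is allowed to read host private keys, presumably for host-based authentication.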
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 6296c6b..c8113fb 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.5)
+policy_module(ssh,1.3.6)
########################################
#