* [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian
@ 2013-09-24 13:39 Dominick Grift
  2013-09-26 13:08 ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2013-09-24 13:39 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/services/ssh.if | 2 +-
 policy/modules/services/ssh.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..78ce711 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -183,7 +183,7 @@ template(`ssh_server_template', `
 
 	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
-	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+	allow $1_t self:process { signal getcap getsched setcap setsched setrlimit setexec setkeycreate };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 	# ssh agent connections:
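Review bot: the subject line runs two unrelated changes together ("sshd connects to avahi with a unix domain socket" and "sshd gets and sets capabilities in debian") and the commit message body is empty, so this hunk carries no justification for adding getcap and setcap to self:process; because the line lives in ssh_server_template it widens every domain instantiated from the template, not only sshd_t. Suggest splitting the capability change into its own patch, recording the observed denial in the commit message, and stating whether the Debian sshd behaviour that gets and sets capabilities applies to all ssh server domains or only to sshd_t.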
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index eada65c..cbdfac7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',`
 ')
 
 optional_policy(`
+	avahi_stream_connect(sshd_t)
+')
+
+optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
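Review bot: the commit message gives no reason why sshd_t needs a unix stream connect to avahi; if the connection comes from host-name resolution through an mdns source in nsswitch.conf, that access belongs with the nsswitch_domain attribute rather than a direct avahi_stream_connect(sshd_t), and the call is redundant if sshd_t already carries that attribute. Suggest recording the triggering lookup in the commit message and checking whether sshd_t is already an nsswitch_domain before adding the rule.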
 
-- 
1.8.3.1


* [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian
  2013-09-24 13:39 [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian Dominick Grift
@ 2013-09-26 13:08 ` Christopher J. PeBenito
  2013-09-26 13:16   ` Dominick Grift
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2013-09-26 13:08 UTC (permalink / raw)
  To: refpolicy

On Tue 24 Sep 2013 09:39:35 AM EDT, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
>  policy/modules/services/ssh.if | 2 +-
>  policy/modules/services/ssh.te | 4 ++++
>  2 files changed, 5 insertions(+), 1 deletion(-)
[...]
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index eada65c..cbdfac7 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',`
>  ')
>
>  optional_policy(`
> +	avahi_stream_connect(sshd_t)
> +')

Shouldn't this already be allowed by being a nsswitch_domain?

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian
  2013-09-26 13:08 ` Christopher J. PeBenito
@ 2013-09-26 13:16   ` Dominick Grift
  2013-09-26 15:07     ` Laurent Bigonville
  0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2013-09-26 13:16 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
> On Tue 24 Sep 2013 09:39:35 AM EDT, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> >  policy/modules/services/ssh.if | 2 +-
> >  policy/modules/services/ssh.te | 4 ++++
> >  2 files changed, 5 insertions(+), 1 deletion(-)
> [...]
> > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> > index eada65c..cbdfac7 100644
> > --- a/policy/modules/services/ssh.te
> > +++ b/policy/modules/services/ssh.te
> > @@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',`
> >  ')
> >
> >  optional_policy(`
> > +	avahi_stream_connect(sshd_t)
> > +')
> 
> Shouldn't this already be allowed by being a nsswitch_domain?

Good point

However, I am not able to confirm that sshd needs nsswitch support.
Also, Fedora has not made sshd, or the ssh server domains, nsswitch domains.

Therefore I suggest we allow this for now, and then if we later
determine that sshd and the ssh server domains need full nsswitch support
we change that then instead.

> 
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian
  2013-09-26 13:16   ` Dominick Grift
@ 2013-09-26 15:07     ` Laurent Bigonville
  2013-09-26 15:19       ` Dominick Grift
  0 siblings, 1 reply; 5+ messages in thread
From: Laurent Bigonville @ 2013-09-26 15:07 UTC (permalink / raw)
  To: refpolicy

On Thu, 26 Sep 2013 15:16:06 +0200,
Dominick Grift <dominick.grift@gmail.com> wrote:

> On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
[...]
> > Shouldn't this already be allowed by being a nsswitch_domain?
> 
> Good point
> 
> However, I am not able to confirm that sshd needs nsswitch support.
> Also, Fedora has not made sshd, or the ssh server domains, nsswitch domains.
> 
> Therefore I suggest we allow this for now, and then if we later
> determine that sshd and the ssh server domains need full nsswitch support
> we change that then instead.

I have the feeling that sshd is trying to connect to avahi because of the
following configuration in nsswitch.conf:

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4

This is not the default configuration, but it is added automatically
when the libnss-mdns package is installed (this package might be pulled
in by the "desktop" task/metapackage).

my 2¢

Laurent Bigonville
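To see what the hosts line above does for any process that resolves names (sshd included), here is a small parser for the nsswitch.conf hosts database written for this thread; it is not refpolicy or glibc code. It attaches glibc-style `[STATUS=action]` specifiers to the preceding source and reports whether an mdns source is consulted before dns, which is what routes a lookup through libnss-mdns to avahi-daemon's socket. The sample file is constructed to mirror the quoted line.

```python
"""Parse the 'hosts' line of nsswitch.conf and report whether lookups reach
an mdns source (libnss-mdns, hence avahi-daemon) before dns.

Added illustration for the refpolicy thread; the sample config is constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample: the hosts line libnss-mdns installs on Debian, as quoted.
SAMPLE_NSSWITCH = """# /etc/nsswitch.conf (constructed sample)
passwd:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
"""

@dataclass
class Source:
    name: str                                    # NSS module, e.g. "mdns4_minimal"
    actions: dict = field(default_factory=dict)  # "NOTFOUND" -> "return", "!SUCCESS" -> ...

def parse_hosts_line(conf: str) -> list:
    """Return the ordered NSS sources of the 'hosts' database, or [] if absent.

    glibc syntax: sources are separated by whitespace; a bracket group such as
    [NOTFOUND=return] or [!UNAVAIL=continue SUCCESS=return] applies to the
    source immediately before it."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        sources = []
        # Bracket groups may contain spaces, so tokenise them as one unit.
        for tok in re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):]):
            if tok.startswith("["):
                if not sources:
                    raise ValueError("action specifier before any source")
                for pair in tok[1:-1].split():
                    m = re.fullmatch(r"(!?)(\w+)=(\w+)", pair)
                    if not m:
                        raise ValueError(f"bad action specifier: {pair}")
                    sources[-1].actions[m.group(1) + m.group(2).upper()] = m.group(3).lower()
            else:
                sources.append(Source(tok))
        return sources
    return []

def mdns_before_dns(sources: list) -> bool:
    """True if an mdns* source runs before dns. With the Debian line, every host
    lookup first asks mdns4_minimal (so the resolving process, e.g. sshd,
    connects to avahi-daemon), and a NOTFOUND for .local names stops there."""
    names = [s.name for s in sources]
    dns_at = names.index("dns") if "dns" in names else len(names)
    return any(n.startswith("mdns") for n in names[:dns_at])
```

Running `mdns_before_dns(parse_hosts_line(open("/etc/nsswitch.conf").read()))` on a host therefore tells you whether the avahi stream connect is a consequence of the NSS configuration rather than of sshd itself.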


* [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian
  2013-09-26 15:07     ` Laurent Bigonville
@ 2013-09-26 15:19       ` Dominick Grift
  0 siblings, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2013-09-26 15:19 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-09-26 at 17:07 +0200, Laurent Bigonville wrote:
> On Thu, 26 Sep 2013 15:16:06 +0200,
> Dominick Grift <dominick.grift@gmail.com> wrote:
> 
> > On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
> [...]
> > > Shouldn't this already be allowed by being a nsswitch_domain?
> > 
> > Good point
> > 
> > However, I am not able to confirm that sshd needs nsswitch support.
> > Also, Fedora has not made sshd, or the ssh server domains, nsswitch domains.
> > 
> > Therefore I suggest we allow this for now, and then if we later
> > determine that sshd and the ssh server domains need full nsswitch support
> > we change that then instead.
> 
> I have the feeling that sshd is trying to connect to avahi because of the
> following configuration in nsswitch.conf:
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> 
> This is not the default configuration, but it is added automatically
> when the libnss-mdns package is installed (this package might be pulled
> in by the "desktop" task/metapackage).
> 
> my 2¢
> 

Yes, please ignore this for now. I need to dig a little deeper into this
first.

It seems sshd_t is already an nsswitch_domain by way of auth_use_pam and
auth_login_pgm_domain.

> Laurent Bigonville

