* rssh.{te,fc}
From: Colin Walters @ 2003-07-07  4:22 UTC (permalink / raw)
  To: SE Linux; +Cc: Russell Coker

[-- Attachment #1: Type: text/plain, Size: 426 bytes --]

I've written a quick rssh.te; this is for the rssh program:
http://pizzashack.org/rssh/

Basically rssh is a restricted shell that just allows people to execute
scp.

This is my first from-scratch .te file, so I'd appreciate it if people
could give it a sanity check.  To set this all up, I added another user
(in this case named haskelluser), then added:

user haskelluser roles { rssh_r };

to /etc/selinux/users.  Make sense?

[-- Attachment #2: rssh.te --]
[-- Type: text/plain, Size: 909 bytes --]

#DESC Rssh - Restricted (scp/sftp) only shell
#
# Authors: Colin Walters <walters@verbum.org>
# X-Debian-Package: rssh
#

# The domain rssh runs in.  privlog lets it talk to syslogd; privfd lets
# other domains use file descriptors it hands on.
type rssh_t, domain, privlog, privfd;

# A dedicated role for restricted users, reachable from system_r (sshd's role).
role rssh_r types rssh_t;
allow system_r rssh_r;

# Entry point, plus the two file types a restricted user may touch:
# rssh_home_t is read-only, rssh_archive_t is the writable upload area.
type rssh_exec_t, file_type, sysadmfile, exec_type;
type rssh_archive_t, file_type, sysadmfile;
type rssh_home_t, file_type, sysadmfile;

# Minimal access: shared libraries, base system files, config, locale data,
# and execution of bin_t programs (scp lives there).  No network access.
general_domain_access(rssh_t);
uses_shlib(rssh_t);
base_file_read_access(rssh_t);
r_dir_file(rssh_t, etc_t);
r_dir_file(rssh_t, etc_runtime_t);
r_dir_file(rssh_t, locale_t);
can_exec(rssh_t, bin_t);

r_dir_file(rssh_t, rssh_home_t);
rw_dir_create_file(rssh_t, rssh_archive_t);

# Only when the sshd policy is present: sshd runs rssh as the login shell,
# so it transitions into rssh_t and rssh inherits sshd's descriptors and
# the already-open connection socket (read/write only, no socket creation).
ifdef(`ssh.te',`
allow rssh_t sshd_t:fd use;
allow rssh_t sshd_t:tcp_socket rw_stream_socket_perms;
allow rssh_t sshd_t:unix_stream_socket rw_stream_socket_perms;
domain_auto_trans(sshd_t, rssh_exec_t, rssh_t);
r_dir_file(sshd_t, rssh_home_t);
')


[-- Attachment #3: rssh.fc --]
[-- Type: text/plain, Size: 55 bytes --]

# rssh
/usr/bin/rssh			system_u:object_r:rssh_exec_t
# No entries for rssh_home_t or rssh_archive_t here: those depend on where
# the restricted user's directories live.


* Re: rssh.{te,fc}
From: Russell Coker @ 2003-07-07 10:14 UTC (permalink / raw)
  To: Colin Walters, SE Linux

On Mon, 7 Jul 2003 14:22, Colin Walters wrote:
> I've written a quick rssh.te; this is for the rssh program:
> http://pizzashack.org/rssh/
>
> Basically rssh is a restricted shell that just allows people to execute
> scp.
>
> This is my first from-scratch .te file, so I'd appreciate if people
> could give it a sanity check.  To set this all up, I added another user
> (in this case named haskelluser), then added:
>
> user haskelluser roles { rssh_r };
>
> to /etc/selinux/users.  Make sense?

The policy itself looks OK, but I'm not sure about the concept.

Maybe it would be better to have full_user_role(rssh) and then change the 
sshd.te to have something like the following:
dnl domain_trans($1, shell_exec_t, unpriv_userdomain)
domain_trans($1, shell_exec_t, { user_t staff_t })
domain_trans($1, rssh_exec_t, rssh_t)

Of course this relies on the rssh program to prevent the user from getting an 
interactive shell.

Another possibility is to implement the functionality of rssh in SE Linux 
policy alone.  We could have separate macros for the different areas of 
functionality provided by full_user_role() and make it easy to create a role 
with a sub-set of that functionality (user.te is a mess anyway and really 
needs to be sorted out).

Just some ideas to consider.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: rssh.{te,fc}
From: Tom @ 2003-07-07 12:39 UTC (permalink / raw)
  To: SE Linux

On Mon, Jul 07, 2003 at 08:14:38PM +1000, Russell Coker wrote:
> with a sub-set of that functionality (user.te is a mess anyway and really 
> needs to be sorted out).

I know I promised I would work on that. I'm in a
damn-why-has-a-day-only-24-hours period again, but I'll come around to
it eventually.



-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5



* Re: rssh.{te,fc}
From: Colin Walters @ 2003-07-07 17:39 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Mon, 2003-07-07 at 06:14, Russell Coker wrote:

> The policy itself looks OK, but I'm not sure about the concept.
> 
> Maybe it would be better to have full_user_role(rssh) and then change the 
> sshd.te to have something like the following:
> dnl domain_trans($1, shell_exec_t, unpriv_userdomain)
> domain_trans($1, shell_exec_t, { user_t staff_t })
> domain_trans($1, rssh_exec_t, rssh_t)

That's exactly what I don't want!

> Of course this relies on the rssh program to prevent the user from getting an 
> interactive shell.

Yeah, and I just don't really trust rssh that much; similar programs
like rbash have had a fairly bad security history as I understand it,
although rssh tries to do less than rbash does.

With rssh.te, even if they manage to crack rssh, they can basically only
still manipulate files with type rssh_archive_t; they can't create
network sockets or do other things.

> Another possibility is to implement the functionality of rssh in SE Linux 
> policy alone.  We could have separate macros for the different areas of 
> functionality provided by full_user_role() and make it easy to create a role 
> with a sub-set of that functionality (user.te is a mess anyway and really 
> needs to be sorted out).

That would definitely be useful.  I have some things I want to do before
working on it though.  You know, I'm thinking we need some sort of TODO
list somewhere...
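The confinement argument above (a compromised rssh can still only write rssh_archive_t and cannot create network sockets) can be checked mechanically against the .te text. The script below is an added example, not code from the thread: it flattens a couple of the old example-policy macros into allow rules and reports what a domain may write and whether it may create tcp/udp sockets. The macro bodies, the rw_stream_socket_perms expansion and the abridged policy sample are assumptions and constructed input; macros it cannot expand (general_domain_access and friends) are listed so they get reviewed by hand.

```python
import re
# Simplified reconstruction of two old example-policy macros (an assumption, not the
# real macros/*.te bodies); macro calls not listed here are reported, not expanded.
MACROS = {
    "r_dir_file": ["allow $1 $2:dir { read getattr search };",
                   "allow $1 $2:file { read getattr };"],
    "rw_dir_create_file": ["allow $1 $2:dir { read write add_name remove_name search };",
                           "allow $1 $2:file { create read write unlink };"],
}
WRITE_PERMS = {"write", "append", "create", "unlink", "add_name", "remove_name"}
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")
CALL = re.compile(r"(\w+)\(([^)]*)\);")
# Abridged copy of the rssh.te posted in the thread (constructed sample input).
RSSH_TE = """\
general_domain_access(rssh_t);
r_dir_file(rssh_t, rssh_home_t);
rw_dir_create_file(rssh_t, rssh_archive_t);
allow rssh_t sshd_t:tcp_socket rw_stream_socket_perms;
"""

def expand(policy):
    """Flatten macro calls into allow rules; also return macro names left unexpanded."""
    rules, unknown = [], set()
    for line in policy.splitlines():
        line = line.split("#")[0].strip()
        m = CALL.match(line)
        if m and m.group(1) in MACROS:
            args = [a.strip() for a in m.group(2).split(",")]
            for body in MACROS[m.group(1)]:
                for i, a in enumerate(args, 1):
                    body = body.replace(f"${i}", a)
                rules.append(body)
        elif m:
            unknown.add(m.group(1))
        elif line.startswith("allow"):  # assumed expansion of the one perm set used
            rules.append(line.replace("rw_stream_socket_perms",
                                      "{ read write bind connect listen accept }"))
    return rules, sorted(unknown)

def analyse(policy, domain):
    """Types the domain may write to, whether it may create tcp/udp sockets, unknowns."""
    writable, net_create = set(), False
    rules, unknown = expand(policy)
    for _, tgt, cls, perms in (m.groups() for m in map(RULE.match, rules) if m and m.group(1) == domain):
        perms = set(perms.strip("{}").split())
        net_create |= cls in ("tcp_socket", "udp_socket") and "create" in perms
        if cls in ("dir", "file") and perms & WRITE_PERMS:
            writable.add(tgt)
    return writable, net_create, unknown
```

Running analyse(RSSH_TE, "rssh_t") reports rssh_archive_t as the only writable type and no socket creation, with general_domain_access flagged as unexpanded for manual review.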


