* [refpolicy] services_ssh.patch
@ 2009-06-09 1:10 Daniel J Walsh
0 siblings, 0 replies; 8+ messages in thread
From: Daniel J Walsh @ 2009-06-09 1:10 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_ssh.patch
Add label for /root/.ssh
Lots of fixes to remove specify home labeling
* [refpolicy] services_ssh.patch
@ 2009-11-12 22:02 Daniel J Walsh
2010-01-15 20:28 ` Christopher J. PeBenito
0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2009-11-12 22:02 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
Handle /root/.ssh directory
Lots of other fixes.
* [refpolicy] services_ssh.patch
2009-11-12 22:02 Daniel J Walsh
@ 2010-01-15 20:28 ` Christopher J. PeBenito
2010-01-18 20:29 ` Daniel J Walsh
0 siblings, 1 reply; 8+ messages in thread
From: Christopher J. PeBenito @ 2010-01-15 20:28 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-11-12 at 17:02 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
>
> Handle /root/.ssh directory
>
>
> Lots of other fixes.
Moved tmpfs to server template to go along with the sem usage.
Since the tunnel support apparently needs net_admin capability, it needs
to be put in a conditional. The capability definitely shouldn't be
allowed in general use.
Dropped home dir changes to the client template. It shouldn't be using
the user's ssh home dir.
Moved the "Required for FreeNX" /var/lib rules into the NX optional.
Otherwise merged.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_ssh.patch
2010-01-15 20:28 ` Christopher J. PeBenito
@ 2010-01-18 20:29 ` Daniel J Walsh
2010-01-25 13:34 ` Christopher J. PeBenito
0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2010-01-18 20:29 UTC (permalink / raw)
To: refpolicy
On 01/15/2010 03:28 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:02 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
>>
>> Handle /root/.ssh directory
>>
>>
>> Lots of other fixes.
>
> Moved tmpfs to server template to go along with the sem usage.
>
> Since the tunnel support apparently needs net_admin capability, it needs
> to be put in a conditional. The capability definitely shouldn't be
> allowed in general use.
>
> Dropped home dir changes to the client template. It shouldn't be using
> the user's ssh home dir.
>
> Moved the "Required for FreeNX" /var/lib rules into the NX optional.
>
> Otherwise merged.
>
You still have places in your ssh.te that use home_ssh_t as opposed to ssh_home_t.
Which should we use?
* [refpolicy] services_ssh.patch
2010-01-18 20:29 ` Daniel J Walsh
@ 2010-01-25 13:34 ` Christopher J. PeBenito
0 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2010-01-25 13:34 UTC (permalink / raw)
To: refpolicy
On Mon, 2010-01-18 at 15:29 -0500, Daniel J Walsh wrote:
> On 01/15/2010 03:28 PM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:02 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
> >> Handle /root/.ssh directory
> >>
> >>
> >> Lots of other fixes.
> >
> > Moved tmpfs to server template to go along with the sem usage.
> >
> > Since the tunnel support apparently needs net_admin capability, it needs
> > to be put in a conditional. The capability definitely shouldn't be
> > allowed in general use.
> >
> > Dropped home dir changes to the client template. It shouldn't be using
> > the user's ssh home dir.
> >
> > Moved the "Required for FreeNX" /var/lib rules into the NX optional.
> >
> > Otherwise merged.
> >
> You still have places in your ssh.te that use home_ssh_t as opposed to ssh_home_t.
>
> Which should we use?
ssh_home_t. I've fixed the usage.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_ssh.patch
@ 2010-02-23 22:14 Daniel J Walsh
2010-03-22 14:52 ` Christopher J. PeBenito
0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2010-02-23 22:14 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ssh.patch
Handle ssh-copy-id
ssh_home_t should not be per domain.
ssh needs to ask kernel to load modules
Handle tunnels
Allow sshd_t to transition to sftpd_t
* [refpolicy] services_ssh.patch
@ 2010-08-26 22:22 Daniel J Walsh
0 siblings, 0 replies; 8+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:22 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_ssh.patch
ssh_home_t should not be per user.