* [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.
@ 2010-07-09 14:41 Dominick Grift
  2010-07-12 18:14 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2010-07-09 14:41 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 ef3f32d... 1a59f6a... M	policy/modules/services/ssh.if
:100644 100644 512834a... afbe9ac... M	policy/modules/services/ssh.te
 policy/modules/services/ssh.if |    4 +++-
 policy/modules/services/ssh.te |    1 -
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index ef3f32d..1a59f6a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`
 
 	type $1_ssh_t;
 	application_domain($1_ssh_t, ssh_exec_t)
+	ubac_constrained($1_ssh_t)
+
 	role $3 types $1_ssh_t;
 
 	type $1_ssh_home_t;
-	files_type($1_ssh_home_t)
 	typealias $1_ssh_home_t alias $1_home_ssh_t;
+	userdom_user_home_content($1_ssh_home_t)
 
 	##############################
 	#
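Review bot: the `ubac_constrained($1_ssh_t)` addition and the switch from `files_type($1_ssh_home_t)` to `userdom_user_home_content($1_ssh_home_t)` are two independent changes in one hunk of a template whose prefix `$1` and role `$3` are supplied by the caller, so both apply to every domain that instantiates `ssh_basic_client_template`, whether or not it belongs to a login user. Consider splitting them into separate patches, and either document in the template's interface comment that `$1_ssh_home_t` is now treated as user home content or leave that classification to callers that really are user domains. The commit message carries only a subject line; a sentence on why each change is wanted would help.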
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 512834a..afbe9ac 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -74,7 +74,6 @@ ubac_constrained(ssh_tmpfs_t)
 type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
-files_type(ssh_home_t)
 userdom_user_home_content(ssh_home_t)
 
 ##############################
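Review bot: dropping `files_type(ssh_home_t)` is only safe if `userdom_user_home_content(ssh_home_t)` on the following line already declares the type as a file type, and nothing in this patch shows that. State it in the commit message (the removal is a redundancy cleanup, not a behaviour change), since the ssh.if hunk depends on the same assumption when it replaces `files_type($1_ssh_home_t)`.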
-- 
1.7.1.1


* [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.
  2010-07-09 14:41 [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac Dominick Grift
@ 2010-07-12 18:14 ` Christopher J. PeBenito
  2010-07-12 19:32   ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2010-07-12 18:14 UTC (permalink / raw)
  To: refpolicy

On 07/09/10 10:41, Dominick Grift wrote:
> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 ef3f32d... 1a59f6a... M	policy/modules/services/ssh.if
> :100644 100644 512834a... afbe9ac... M	policy/modules/services/ssh.te
>   policy/modules/services/ssh.if |    4 +++-
>   policy/modules/services/ssh.te |    1 -
>   2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index ef3f32d..1a59f6a 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`
>
>   	type $1_ssh_t;
>   	application_domain($1_ssh_t, ssh_exec_t)
> +	ubac_constrained($1_ssh_t)
> +
>   	role $3 types $1_ssh_t;
>
>   	type $1_ssh_home_t;
> -	files_type($1_ssh_home_t)
>   	typealias $1_ssh_home_t alias $1_home_ssh_t;
> +	userdom_user_home_content($1_ssh_home_t)
>
>   	##############################
>   	#

I don't think we actually want this change.  The template isn't meant to 
be used by users; they use ssh_t.

> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 512834a..afbe9ac 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -74,7 +74,6 @@ ubac_constrained(ssh_tmpfs_t)
>   type ssh_home_t;
>   typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
>   typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
> -files_type(ssh_home_t)
>   userdom_user_home_content(ssh_home_t)
>
>   ##############################

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.
  2010-07-12 18:14 ` Christopher J. PeBenito
@ 2010-07-12 19:32   ` Dominick Grift
  2010-07-19 17:40     ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2010-07-12 19:32 UTC (permalink / raw)
  To: refpolicy

On 07/12/2010 08:14 PM, Christopher J. PeBenito wrote:
> On 07/09/10 10:41, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift<domg472@gmail.com>
>> ---
>> :100644 100644 ef3f32d... 1a59f6a... M    policy/modules/services/ssh.if
>> :100644 100644 512834a... afbe9ac... M    policy/modules/services/ssh.te
>>   policy/modules/services/ssh.if |    4 +++-
>>   policy/modules/services/ssh.te |    1 -
>>   2 files changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/policy/modules/services/ssh.if
>> b/policy/modules/services/ssh.if
>> index ef3f32d..1a59f6a 100644
>> --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if
>> @@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`
>>
>>       type $1_ssh_t;
>>       application_domain($1_ssh_t, ssh_exec_t)
>> +    ubac_constrained($1_ssh_t)
>> +
>>       role $3 types $1_ssh_t;
>>
>>       type $1_ssh_home_t;
>> -    files_type($1_ssh_home_t)
>>       typealias $1_ssh_home_t alias $1_home_ssh_t;
>> +    userdom_user_home_content($1_ssh_home_t)
>>
>>       ##############################
>>       #
> 
> I don't think we actually want this change.  The template isn't meant to
> be used by users; they use ssh_t.
> 

Is this not a template for ssh client application? Is that not a user
agent? Should user agents not be ubac_constrained?

Is $1_ssh_home_t not userdom_user_home_content, however you look at it?

>>   ##############################
> 



* [refpolicy] [ ssh patch 1/1] Some fixes in the ssh module with regard to userdom_user_home_content and ubac.
  2010-07-12 19:32   ` Dominick Grift
@ 2010-07-19 17:40     ` Christopher J. PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2010-07-19 17:40 UTC (permalink / raw)
  To: refpolicy

On 07/12/10 15:32, Dominick Grift wrote:
> On 07/12/2010 08:14 PM, Christopher J. PeBenito wrote:
>> On 07/09/10 10:41, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift<domg472@gmail.com>
>>> ---
>>> :100644 100644 ef3f32d... 1a59f6a... M    policy/modules/services/ssh.if
>>> :100644 100644 512834a... afbe9ac... M    policy/modules/services/ssh.te
>>>    policy/modules/services/ssh.if |    4 +++-
>>>    policy/modules/services/ssh.te |    1 -
>>>    2 files changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/policy/modules/services/ssh.if
>>> b/policy/modules/services/ssh.if
>>> index ef3f32d..1a59f6a 100644
>>> --- a/policy/modules/services/ssh.if
>>> +++ b/policy/modules/services/ssh.if
>>> @@ -45,11 +45,13 @@ template(`ssh_basic_client_template',`
>>>
>>>        type $1_ssh_t;
>>>        application_domain($1_ssh_t, ssh_exec_t)
>>> +    ubac_constrained($1_ssh_t)
>>> +
>>>        role $3 types $1_ssh_t;
>>>
>>>        type $1_ssh_home_t;
>>> -    files_type($1_ssh_home_t)
>>>        typealias $1_ssh_home_t alias $1_home_ssh_t;
>>> +    userdom_user_home_content($1_ssh_home_t)
>>>
>>>        ##############################
>>>        #
>>
>> I don't think we actually want this change.  The template isn't meant to
>> be used by users; they use ssh_t.
>>
>
> Is this not a template for ssh client application?

Yes, but not necessarily for users.  This could be used for an automated
process run out of cron to just scp a file from this machine over to
another one (e.g. a poor man's backup).

> Is that not a user
> agent? Should user agents not be ubac_constrained?

They should.

> Is $1_ssh_home_t not userdom_user_home_content, however you look at it?

No, it would only be if this is for users.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
