* [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key
@ 2012-09-12 19:56 Laurent Bigonville
From: Laurent Bigonville @ 2012-09-12 19:56 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Since version 5.7, openssh supports ECDSA keys; properly label the
private key file.
---
policy/modules/services/ssh.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..64b3e11 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_ecdsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
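Review bot: this is the fourth hand-listed host key in this hunk, so each new key algorithm will need another policy patch before its private key gets sshd_key_t. One anchored pattern, `/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)`, would replace the ssh_host_key, ssh_host_dsa_key, ssh_host_rsa_key and ssh_host_ecdsa_key lines in one go (`.*` also matches the empty string, so ssh_host_key stays covered), and like the literal lines it leaves the .pub files unmatched.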
--
1.7.10.4
* [refpolicy] [PATCH 2/2] Add Debian location for ssh-keysign
@ 2012-09-12 19:56 Laurent Bigonville
From: Laurent Bigonville @ 2012-09-12 19:56 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/services/ssh.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 64b3e11..ce0f22f 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -12,6 +12,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+')
+
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
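Review bot: the ifdef(`distro_debian') guard around /usr/lib/openssh/ssh-keysign adds a build variant for no gain: nothing in the hunk suggests that path needs a different label on another distribution, and a file-context entry for a path that does not exist on a system is harmless, exactly as the unconditional /usr/libexec/openssh/ssh-keysign line above it is on Debian. List it unconditionally next to that line and drop the extra blank line the hunk inserts before /usr/sbin/sshd.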
--
1.7.10.4
* [refpolicy] [PATCH 2/2 v2] Add Debian location for ssh-keysign
@ 2012-11-04 1:23 Laurent Bigonville
From: Laurent Bigonville @ 2012-11-04 1:23 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/services/ssh.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..7df96c5 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -9,6 +9,8 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
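Review bot: the added blank line after /usr/lib/openssh/ssh-keysign splits it from the /usr/libexec/openssh/ssh-keysign entry that labels the same program under its other path; drop that `+` blank line so the two ssh-keysign entries stay adjacent and the file keeps one blank line between groups.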
--
1.7.10.4
* [refpolicy] [PATCH 2/2 v2] Add Debian location for ssh-keysign
@ 2012-11-26 16:13 Christopher J. PeBenito
From: Christopher J. PeBenito @ 2012-11-26 16:13 UTC
To: refpolicy
On 11/03/12 21:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> ---
> policy/modules/services/ssh.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 078bcd7..7df96c5 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -9,6 +9,8 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
> /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
> /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
>
> +/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> +
> /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>
> /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
>
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key
@ 2012-09-13 15:40 Daniel J Walsh
From: Daniel J Walsh @ 2012-09-13 15:40 UTC
To: refpolicy
On 09/12/2012 03:56 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> Since version 5.7, openssh supports ECDSA keys; properly label the private
> key file. --- policy/modules/services/ssh.fc | 1 + 1 file changed, 1
> insertion(+)
>
> diff --git a/policy/modules/services/ssh.fc
> b/policy/modules/services/ssh.fc index 078bcd7..64b3e11 100644 ---
> a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@
> -3,6 +3,7 @@ HOME_DIR/\.ssh(/.*)?
> gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/primes --
> gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key --
> gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_dsa_key --
> gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host_ecdsa_key
> -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_rsa_key
> -- gen_context(system_u:object_r:sshd_key_t,s0)
>
> /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
>
How about /etc/ssh/.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
Then we will not need to worry about this.
* [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key
@ 2012-09-13 16:24 Laurent Bigonville
From: Laurent Bigonville @ 2012-09-13 16:24 UTC
To: refpolicy
On Thu, 13 Sep 2012 11:40:12 -0400,
Daniel J Walsh <dwalsh@redhat.com> wrote:
> How about /etc/ssh/.*_key --
> gen_context(system_u:object_r:sshd_key_t,s0)
>
> Then we will not need to worry about this.
That could indeed be a solution.
I've another question about the labels on these files.
On Debian, ssh-keygen is run by the post-installation script of the
package which could run in the unconfined_t domain, that means that the
files could not be labeled correctly at their creation.
Dominick was suggesting to use named file transitions so they would be
labeled correctly even in that case.
Does anybody have an opinion on this?
Cheers
Laurent Bigonville
* [refpolicy] [PATCH 1/2] Properly label /etc/ssh/ssh_host_ecdsa_key private key
@ 2012-09-13 20:33 Daniel J Walsh
From: Daniel J Walsh @ 2012-09-13 20:33 UTC
To: refpolicy
On 09/13/2012 12:24 PM, Laurent Bigonville wrote:
> On Thu, 13 Sep 2012 11:40:12 -0400, Daniel J Walsh <dwalsh@redhat.com>
> wrote:
>
>> How about /etc/ssh/.*_key --
>> gen_context(system_u:object_r:sshd_key_t,s0)
>>
>> Then we will not need to worry about this.
>
> That could indeed be a solution.
>
> I've another question about the labels on these files.
>
> On Debian, ssh-keygen is run by the post-installation script of the package
> which could run in the unconfined_t domain, that means that the files could
> not be labeled correctly at their creation.
>
> Dominick was suggesting to use named file transitions so they would be
> labeled correctly even in that case.
>
> Does anybody have an opinion on this?
>
> Cheers
>
> Laurent Bigonville
>
We are currently running ssh_keygen as ssh_keygen_t, but using named file
trans is a better solution.
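Added example, not from this thread and not refpolicy's own code: the two labeling paths that Dan's /etc/ssh/.*_key suggestion (narrowed to ssh_host.*_key in the v2 patch) and Laurent's question about the Debian postinst are really about, written out as refpolicy source. The .fc entry only takes effect when setfiles or restorecon relabels; the named file transitions are what give a key the right type at creation time, even when ssh-keygen is run as unconfined_t. files_etc_filetrans, filetrans_pattern, sshd_key_t, etc_t and unconfined_t are existing refpolicy names (the four-argument form of files_etc_filetrans assumes a refpolicy and kernel with filename-transition support); the interface name ssh_filetrans_host_keys and putting the call in unconfined.te are assumptions of this example.

```m4
# ssh.fc: the relabel path. Regexes in file_contexts are anchored at
# both ends, so this one matches ssh_host_key (".*" matches the empty
# string), ssh_host_dsa_key, ssh_host_rsa_key, ssh_host_ecdsa_key and any
# future ssh_host_<algo>_key, but not the .pub files. It is consulted by
# setfiles/restorecon only, never when a file is created.
/etc/ssh/ssh_host.*_key	--	gen_context(system_u:object_r:sshd_key_t,s0)

# ssh.if: the creation-time path. The interface name is an assumption of
# this example. type_transition rules take a literal file name, not a
# regex, so each algorithm needs its own line even though the .fc entry
# above is generic.
########################################
## <summary>
##	Create ssh host key files in etc directories
##	with the sshd key type, by file name.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_filetrans_host_keys',`
	gen_require(`
		type sshd_key_t;
	')

	files_etc_filetrans($1, sshd_key_t, file, "ssh_host_key")
	files_etc_filetrans($1, sshd_key_t, file, "ssh_host_dsa_key")
	files_etc_filetrans($1, sshd_key_t, file, "ssh_host_rsa_key")
	files_etc_filetrans($1, sshd_key_t, file, "ssh_host_ecdsa_key")
')

# unconfined.te: give the rules to the domain Debian's postinst runs in
# (placement is an assumption; a distribution that runs ssh-keygen
# confined would call this on ssh_keygen_t instead). unconfined_t's
# blanket allow rules do not create transitions, so without this a key
# written into /etc/ssh (etc_t) is born etc_t.
optional_policy(`
	ssh_filetrans_host_keys(unconfined_t)
')
```

The asymmetry is the caveat to keep in mind: the .fc line covers future algorithms for free, the transition rules do not, so a new key type still needs a policy change before it is labeled correctly at creation. Once the module is loaded, a freshly generated key should show sshd_key_t in ls -Z with no restorecon step, and restorecon -n -v /etc/ssh lists any file whose label still differs from the .fc rule.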
* [refpolicy] [PATCH 1/2 v2] Properly label all the ssh host keys
@ 2012-11-27 19:21 Laurent Bigonville
From: Laurent Bigonville @ 2012-11-27 19:21 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Be sure that we are labeling properly all ssh host keys even if new
algorithms are added in the future.
---
policy/modules/services/ssh.fc | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 7df96c5..76d9f66 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,9 +1,7 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
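Review bot: the commit message should spell out why the explicit ssh_host_key line can go: file_contexts regexes are anchored at both ends and `.*` also matches the empty string, so /etc/ssh/ssh_host.*_key still matches /etc/ssh/ssh_host_key along with the dsa, rsa, ecdsa and future keys, while the anchoring keeps the .pub files out of sshd_key_t as before. A sentence that this only changes what setfiles/restorecon assign, and that a key created by a domain with no transition to sshd_key_t still needs a relabel, would also close the question raised earlier in the thread.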
--
1.7.10.4