* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Laurent Bigonville @ 2014-01-25 10:43 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.

Thanks to Russell Coker for this patch
---
 policy/modules/services/ssh.fc | 2 ++
 policy/modules/services/ssh.te | 1 +
 2 files changed, 3 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..8168244 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
 
+/var/run/sshd(/.*)?			gen_context(system_u:object_r:sshd_var_run_t,s0)
 /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)
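Review bot: the new `/var/run/sshd(/.*)?` entry carries no object-type qualifier, so it labels the directory and anything later created beneath it, while the two pidfile entries are restricted to regular files with `--`. That split is right for a privsep chroot directory that is meant to stay empty, but if only the directory itself should carry sshd_var_run_t, add `-d` to the first line. Worth noting in the commit message that `/var/run/sshd(/.*)?` cannot match `/var/run/sshd.pid` (the optional group must begin with `/`), so the two new entries do not overlap.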
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..a19c9f9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -34,6 +34,7 @@ ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
 
 ifdef(`distro_debian',`
+	allow sshd_t sshd_var_run_t:dir { getattr search };
 	init_daemon_run_dir(sshd_var_run_t, "sshd")
 ')
 
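Review bot: the commit message says sshd_t is allowed to chroot(2) into the directory, but this hunk only grants `getattr search` on sshd_var_run_t directories; either the sys_chroot capability is already granted elsewhere in the sshd domain, in which case the message should say so, or it is missing. Two smaller points: the rule belongs in ssh_server_template() next to the other `$1_var_run_t` rules rather than inside a Debian-only ifdef, since the .fc entries in the first hunk are unconditional, and refpolicy style is the `search_dir_perms` permission set rather than a hand-written `{ getattr search }`.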
-- 
1.8.5.3


* [refpolicy] [PATCH 2/2] Add fcontext for rsyslog pidfile
From: Laurent Bigonville @ 2014-01-25 10:43 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 policy/modules/system/logging.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b50c5fe..740897d 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
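Review bot: the hunk header shows `ifdef(`distro_redhat',`` as the nearest preceding block opener, so confirm the new `/var/run/rsyslogd\.pid` line is not landing inside a Red Hat-only ifdef; rsyslog writes this pidfile on every distribution. Placing it after the syslog-ng entries also breaks the name ordering of this block; it belongs just before the `/var/run/syslogd\.pid` line. The `mls_systemhigh` level does match the existing syslogd\.pid entry, which is consistent for a log daemon's pidfile.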
-- 
1.8.5.3


* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Christopher J. PeBenito @ 2014-01-27 18:23 UTC
  To: refpolicy

On 01/25/14 05:43, Laurent Bigonville wrote:
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 30726f2..a19c9f9 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -34,6 +34,7 @@ ssh_server_template(sshd)
>  init_daemon_domain(sshd_t, sshd_exec_t)
>  
>  ifdef(`distro_debian',`
> +	allow sshd_t sshd_var_run_t:dir { getattr search };
>  	init_daemon_run_dir(sshd_var_run_t, "sshd")
>  ')

This looks like it should be in ssh_server_template().  Also please use the search_dir_perms permission set.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/2] Add fcontext for rsyslog pidfile
From: Christopher J. PeBenito @ 2014-01-27 18:24 UTC
  To: refpolicy

On 01/25/14 05:43, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> ---
>  policy/modules/system/logging.fc | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index b50c5fe..740897d 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
>  /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
>  /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
>  /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
> +/var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
>  
>  /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
>  /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 
This should be added between the metalog.pid and syslogd.pid lines.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Laurent Bigonville @ 2014-01-27 22:18 UTC
  To: refpolicy

On Mon, 27 Jan 2014 13:23:02 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:

> On 01/25/14 05:43, Laurent Bigonville wrote:
> > diff --git a/policy/modules/services/ssh.te
> > b/policy/modules/services/ssh.te index 30726f2..a19c9f9 100644
> > --- a/policy/modules/services/ssh.te
> > +++ b/policy/modules/services/ssh.te
> > @@ -34,6 +34,7 @@ ssh_server_template(sshd)
> >  init_daemon_domain(sshd_t, sshd_exec_t)
> >  
> >  ifdef(`distro_debian',`
> > +	allow sshd_t sshd_var_run_t:dir { getattr search };
> >  	init_daemon_run_dir(sshd_var_run_t, "sshd")
> >  ')
> 
> This looks like it should be in ssh_server_template().  Also please
> use search_dir_perms permission set.
> 

Shouldn't the complete ifdef be moved to this then?


* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Christopher J. PeBenito @ 2014-02-01  3:02 UTC
  To: refpolicy

On 1/27/2014 5:18 PM, Laurent Bigonville wrote:
> On Mon, 27 Jan 2014 13:23:02 -0500,
> "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> 
>> On 01/25/14 05:43, Laurent Bigonville wrote:
>>> diff --git a/policy/modules/services/ssh.te
>>> b/policy/modules/services/ssh.te index 30726f2..a19c9f9 100644
>>> --- a/policy/modules/services/ssh.te
>>> +++ b/policy/modules/services/ssh.te
>>> @@ -34,6 +34,7 @@ ssh_server_template(sshd)
>>>  init_daemon_domain(sshd_t, sshd_exec_t)
>>>  
>>>  ifdef(`distro_debian',`
>>> +	allow sshd_t sshd_var_run_t:dir { getattr search };
>>>  	init_daemon_run_dir(sshd_var_run_t, "sshd")
>>>  ')
>>
>> This looks like it should be in ssh_server_template().  Also please
>> use search_dir_perms permission set.
>>
> 
> Shouldn't the complete ifdef be moved to this then?
 
The init_daemon_run_dir() pairs up with the sshd_var_run_t declaration inside the ssh_server_template(), so no.  However, it should probably move to the end of the declarations block.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Laurent Bigonville @ 2014-02-05 21:23 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.

Thanks to Russell Coker for this patch
---
 policy/modules/services/ssh.fc | 2 ++
 policy/modules/services/ssh.if | 1 +
 2 files changed, 3 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..8168244 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
 
+/var/run/sshd(/.*)?			gen_context(system_u:object_r:sshd_var_run_t,s0)
 /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)
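Review bot: these two .fc entries are unconditional, while the `init_daemon_run_dir(sshd_var_run_t, "sshd")` call that actually creates the directory still sits under `ifdef(`distro_debian')` in ssh.te, so on non-Debian builds the policy labels a directory that nothing creates. Either make the run-dir call unconditional to match the file contexts, or state in the commit message why only Debian needs the privsep directory under /var/run.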
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..48eb1c8 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -196,6 +196,7 @@ template(`ssh_server_template', `
 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
 
+	allow $1_t $1_var_run_t:dir search_dir_perms;
 	allow $1_t $1_var_run_t:file manage_file_perms;
 	files_pid_filetrans($1_t, $1_var_run_t, file)
 
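Review bot: `search_dir_perms` on `$1_var_run_t` is the minimal grant for the daemon to reach its pidfile directory and sits correctly beside the existing file rule and `files_pid_filetrans()`, so it does not need a Debian-only conditional. One gap against the commit message: chroot(2) into that directory also requires the `sys_chroot` capability, and nothing in this hunk adds it; confirm it is already granted in the template, or reword the message so it only claims the directory access that is new here.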
-- 
1.9.rc1

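As an added illustration that is not part of this thread or of refpolicy, the following Python resolver applies the file_contexts entries from the two patches the way matchpathcon does, so the reader can check that the privsep directory entry and the two pidfile entries do not collide. The sample text is constructed from the ssh.fc and logging.fc hunks; the matching rule (anchored regex, type qualifier must agree, last matching entry wins) is libselinux's.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the file_contexts entries the two patches add (copied from
# the ssh.fc and logging.fc hunks) plus the pre-existing sshd.init.pid entry.
# Real .fc files separate fields with tabs; the format accepts any whitespace.
FC_SAMPLE = r"""
/var/run/sshd(/.*)?          gen_context(system_u:object_r:sshd_var_run_t,s0)
/var/run/sshd\.init\.pid  -- gen_context(system_u:object_r:sshd_var_run_t,s0)
/var/run/sshd\.pid        -- gen_context(system_u:object_r:sshd_var_run_t,s0)
/var/run/rsyslogd\.pid    -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
"""

# Object-type qualifiers as libselinux interprets them; no qualifier = any type.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
               "-s": "sock", "-l": "lnk", "-p": "fifo"}
GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),([^)]+)\)")

Spec = Tuple[re.Pattern, Optional[str], str]

def parse_fc(text: str) -> List[Spec]:
    """Parse .fc lines into (anchored regex, required object type, context)."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        ftype = FTYPE_FLAGS[fields[1]] if len(fields) == 3 else None
        m = GEN_CONTEXT.fullmatch(fields[-1])
        if m is None:
            raise ValueError(f"unparsable context in: {line}")
        # gen_context() is an m4 macro that yields user:role:type:level on an MLS
        # build; mls_systemhigh is another macro, kept symbolic here.
        specs.append((re.compile(fields[0]), ftype, f"{m.group(1)}:{m.group(2)}"))
    return specs

def lookup(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Resolve a path the way matchpathcon does: regexes are anchored, an entry
    with a type qualifier only applies to that object type, and of several
    matching entries the LAST one in the file wins."""
    for regex, want, context in reversed(specs):
        if want is not None and want != ftype:
            continue
        if regex.fullmatch(path):
            return context
    return None  # nothing matches: this file assigns the object no label

if __name__ == "__main__":
    specs = parse_fc(FC_SAMPLE)
    for path, ftype in [("/var/run/sshd", "dir"), ("/var/run/sshd/child", "file"),
                        ("/var/run/sshd.pid", "file"), ("/var/run/sshd.pid", "dir")]:
        print(f"{path} ({ftype}) -> {lookup(specs, path, ftype)}")
```

Note that `/var/run/sshd.pid` resolved as a directory gets no label at all: the `--` qualifier excludes it from the pidfile entry and the directory regex does not match it, which is why the `(/.*)?` group and the `--` flags keep the entries disjoint.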

* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Laurent Bigonville @ 2014-02-06 11:57 UTC
  To: refpolicy

On Wed,  5 Feb 2014 22:23:31 +0100,
Laurent Bigonville <bigon@debian.org> wrote:

[...]

diff --git
> a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index fe0c682..48eb1c8 100644 --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if @@ -196,6 +196,7 @@
> template(`ssh_server_template', ` manage_files_pattern($1_t,
> $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>  
> +	allow $1_t $1_var_run_t:dir search_dir_perms;
>  	allow $1_t $1_var_run_t:file manage_file_perms;
>  	files_pid_filetrans($1_t, $1_var_run_t, file)
>  

Or maybe this should be conditional for debian only?


* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Christopher J. PeBenito @ 2014-02-06 14:03 UTC
  To: refpolicy

On 02/05/14 16:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> Also allow sshd_t domain to chroot(2) in this directory as explained in
> the README.privsep file in the openssh tarball.
> 
> Thanks to Russell Coker for this patch
> ---
>  policy/modules/services/ssh.fc | 2 ++
>  policy/modules/services/ssh.if | 1 +
>  2 files changed, 3 insertions(+)
> 
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 76d9f66..8168244 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
>  
>  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
>  
> +/var/run/sshd(/.*)?			gen_context(system_u:object_r:sshd_var_run_t,s0)
>  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
> +/var/run/sshd\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index fe0c682..48eb1c8 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -196,6 +196,7 @@ template(`ssh_server_template', `
>  	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
>  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>  
> +	allow $1_t $1_var_run_t:dir search_dir_perms;
>  	allow $1_t $1_var_run_t:file manage_file_perms;
>  	files_pid_filetrans($1_t, $1_var_run_t, file)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Christopher J. PeBenito @ 2014-02-06 14:03 UTC
  To: refpolicy

On 02/06/14 06:57, Laurent Bigonville wrote:
> On Wed,  5 Feb 2014 22:23:31 +0100,
> Laurent Bigonville <bigon@debian.org> wrote:
> 
> [...]
> 
> diff --git
>> a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
>> index fe0c682..48eb1c8 100644 --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if @@ -196,6 +196,7 @@
>> template(`ssh_server_template', ` manage_files_pattern($1_t,
>> $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>>  
>> +	allow $1_t $1_var_run_t:dir search_dir_perms;
>>  	allow $1_t $1_var_run_t:file manage_file_perms;
>>  	files_pid_filetrans($1_t, $1_var_run_t, file)
>>  
> 
> Or maybe this should be conditional for debian only?

No, it's fine.  Actually I was thinking that perhaps the init_daemon_run_dir() should become unconditional instead, since we have the fc entries.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
