* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Laurent Bigonville @ 2014-02-05 21:23 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.
Thanks to Russell Coker for this patch
---
policy/modules/services/ssh.fc | 2 ++
policy/modules/services/ssh.if | 1 +
2 files changed, 3 insertions(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..8168244 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+/var/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
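Review bot: the new `/var/run/sshd(/.*)?` entry has no file-type field, so it labels the privsep directory and everything under it `sshd_var_run_t`, but a file_contexts entry only takes effect on a relabel (setfiles/restorecon); the label a freshly created /var/run/sshd gets at boot comes from a type transition, and the matching `init_daemon_run_dir(sshd_var_run_t, "sshd")` in ssh.te is still wrapped in `ifdef(`distro_debian', ...)` (see patch 2/2). Now that the fc entry is unconditional, consider making that init_daemon_run_dir() call unconditional as well so non-Debian builds do not end up with the directory labelled as plain var_run_t until the next relabel. The two pidfile entries correctly keep the `--` regular-file qualifier.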
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..48eb1c8 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -196,6 +196,7 @@ template(`ssh_server_template', `
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+ allow $1_t $1_var_run_t:dir search_dir_perms;
allow $1_t $1_var_run_t:file manage_file_perms;
files_pid_filetrans($1_t, $1_var_run_t, file)
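Review bot: the commit message says sshd_t is "also allowed to chroot(2)" into the privsep directory, but the only rule this hunk adds is `allow $1_t $1_var_run_t:dir search_dir_perms;`; no sys_chroot capability or other chroot-related permission is visible in the change. If the capability is already granted elsewhere in ssh_server_template() the message should say so, otherwise the directory search permission alone will not make the chroot succeed. Using the `search_dir_perms` set rather than a raw `{ getattr search }` list, and placing the dir rule before the existing `allow $1_t $1_var_run_t:file manage_file_perms;`, both follow refpolicy convention.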
--
1.9.rc1
* [refpolicy] [PATCH 2/2] Move the ifdef at the end of the declaration block
From: Laurent Bigonville @ 2014-02-05 21:23 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/services/ssh.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..70bad35 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -33,10 +33,6 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
-ifdef(`distro_debian',`
- init_daemon_run_dir(sshd_var_run_t, "sshd")
-')
-
type sshd_key_t;
files_type(sshd_key_t)
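Review bot: the commit message has a subject line but no body explaining why the block is moved. The rationale given earlier in this thread (init_daemon_run_dir() pairs with the sshd_var_run_t declaration made by ssh_server_template(sshd), so it belongs at the end of the declarations rather than wedged between the template call and the `type sshd_key_t;` declaration) should be recorded in the message so a later cleanup does not move it back.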
@@ -81,6 +77,10 @@ userdom_user_home_content(ssh_home_t)
type sshd_keytab_t;
files_type(sshd_keytab_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(sshd_var_run_t, "sshd")
+')
+
##############################
#
# SSH client local policy
--
1.9.rc1
* [refpolicy] [PATCH 2/2] Move the ifdef at the end of the declaration block
From: Christopher J. PeBenito @ 2014-02-06 14:03 UTC
To: refpolicy
On 02/05/14 16:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> ---
> policy/modules/services/ssh.te | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 30726f2..70bad35 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -33,10 +33,6 @@ corecmd_executable_file(sshd_exec_t)
> ssh_server_template(sshd)
> init_daemon_domain(sshd_t, sshd_exec_t)
>
> -ifdef(`distro_debian',`
> - init_daemon_run_dir(sshd_var_run_t, "sshd")
> -')
> -
> type sshd_key_t;
> files_type(sshd_key_t)
>
> @@ -81,6 +77,10 @@ userdom_user_home_content(ssh_home_t)
> type sshd_keytab_t;
> files_type(sshd_keytab_t)
>
> +ifdef(`distro_debian',`
> + init_daemon_run_dir(sshd_var_run_t, "sshd")
> +')
> +
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Laurent Bigonville @ 2014-02-06 11:57 UTC
To: refpolicy
On Wed, 5 Feb 2014 22:23:31 +0100,
Laurent Bigonville <bigon@debian.org> wrote:
[...]
diff --git
> a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index fe0c682..48eb1c8 100644 --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if @@ -196,6 +196,7 @@
> template(`ssh_server_template', ` manage_files_pattern($1_t,
> $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>
> + allow $1_t $1_var_run_t:dir search_dir_perms;
> allow $1_t $1_var_run_t:file manage_file_perms;
> files_pid_filetrans($1_t, $1_var_run_t, file)
>
Or maybe this should be conditional for Debian only?
* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Christopher J. PeBenito @ 2014-02-06 14:03 UTC
To: refpolicy
On 02/06/14 06:57, Laurent Bigonville wrote:
> On Wed, 5 Feb 2014 22:23:31 +0100,
> Laurent Bigonville <bigon@debian.org> wrote:
>
> [...]
>
> diff --git
>> a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
>> index fe0c682..48eb1c8 100644 --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if @@ -196,6 +196,7 @@
>> template(`ssh_server_template', ` manage_files_pattern($1_t,
>> $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>>
>> + allow $1_t $1_var_run_t:dir search_dir_perms;
>> allow $1_t $1_var_run_t:file manage_file_perms;
>> files_pid_filetrans($1_t, $1_var_run_t, file)
>>
>
> Or maybe this should be conditional for Debian only?
No, it's fine. Actually I was thinking that perhaps the init_daemon_run_dir() should become unconditional instead, since we have the fc entries.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Christopher J. PeBenito @ 2014-02-06 14:03 UTC
To: refpolicy
On 02/05/14 16:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> Also allow sshd_t domain to chroot(2) in this directory as explained in
> the README.privsep file in the openssh tarball.
>
> Thanks to Russell Coker for this patch
> ---
> policy/modules/services/ssh.fc | 2 ++
> policy/modules/services/ssh.if | 1 +
> 2 files changed, 3 insertions(+)
>
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 76d9f66..8168244 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
>
> /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
>
> +/var/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0)
> /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
> +/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index fe0c682..48eb1c8 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -196,6 +196,7 @@ template(`ssh_server_template', `
> manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
> fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>
> + allow $1_t $1_var_run_t:dir search_dir_perms;
> allow $1_t $1_var_run_t:file manage_file_perms;
> files_pid_filetrans($1_t, $1_var_run_t, file)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Laurent Bigonville @ 2014-01-25 10:43 UTC
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.
Thanks to Russell Coker for this patch
---
policy/modules/services/ssh.fc | 2 ++
policy/modules/services/ssh.te | 1 +
2 files changed, 3 insertions(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..8168244 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+/var/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..a19c9f9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -34,6 +34,7 @@ ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
ifdef(`distro_debian',`
+ allow sshd_t sshd_var_run_t:dir { getattr search };
init_daemon_run_dir(sshd_var_run_t, "sshd")
')
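Review bot: the added rule spells out a raw permission list, `allow sshd_t sshd_var_run_t:dir { getattr search };`, where refpolicy's `search_dir_perms` permission set is the convention, and it is written against the concrete sshd_t/sshd_var_run_t types inside the Debian-only `ifdef`, so other instantiations of ssh_server_template() and non-Debian builds get no search access even though the .fc entries above label the directory unconditionally. Moving the rule into ssh_server_template() as `allow $1_t $1_var_run_t:dir search_dir_perms;`, next to the existing `$1_var_run_t:file manage_file_perms` rule, covers every server domain built from the template and keeps the Debian block limited to the run-dir creation it was written for.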
--
1.8.5.3
* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Christopher J. PeBenito @ 2014-01-27 18:23 UTC
To: refpolicy
On 01/25/14 05:43, Laurent Bigonville wrote:
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 30726f2..a19c9f9 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -34,6 +34,7 @@ ssh_server_template(sshd)
> init_daemon_domain(sshd_t, sshd_exec_t)
>
> ifdef(`distro_debian',`
> + allow sshd_t sshd_var_run_t:dir { getattr search };
> init_daemon_run_dir(sshd_var_run_t, "sshd")
> ')
This looks like it should be in ssh_server_template(). Also please use search_dir_perms permission set.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Laurent Bigonville @ 2014-01-27 22:18 UTC
To: refpolicy
On Mon, 27 Jan 2014 13:23:02 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> On 01/25/14 05:43, Laurent Bigonville wrote:
> > diff --git a/policy/modules/services/ssh.te
> > b/policy/modules/services/ssh.te index 30726f2..a19c9f9 100644
> > --- a/policy/modules/services/ssh.te
> > +++ b/policy/modules/services/ssh.te
> > @@ -34,6 +34,7 @@ ssh_server_template(sshd)
> > init_daemon_domain(sshd_t, sshd_exec_t)
> >
> > ifdef(`distro_debian',`
> > + allow sshd_t sshd_var_run_t:dir { getattr search };
> > init_daemon_run_dir(sshd_var_run_t, "sshd")
> > ')
>
> This looks like it should be in ssh_server_template(). Also please
> use search_dir_perms permission set.
>
Shouldn't the complete ifdef be moved to this then?
* [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
From: Christopher J. PeBenito @ 2014-02-01 3:02 UTC
To: refpolicy
On 1/27/2014 5:18 PM, Laurent Bigonville wrote:
> On Mon, 27 Jan 2014 13:23:02 -0500,
> "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>
>> On 01/25/14 05:43, Laurent Bigonville wrote:
>>> diff --git a/policy/modules/services/ssh.te
>>> b/policy/modules/services/ssh.te index 30726f2..a19c9f9 100644
>>> --- a/policy/modules/services/ssh.te
>>> +++ b/policy/modules/services/ssh.te
>>> @@ -34,6 +34,7 @@ ssh_server_template(sshd)
>>> init_daemon_domain(sshd_t, sshd_exec_t)
>>>
>>> ifdef(`distro_debian',`
>>> + allow sshd_t sshd_var_run_t:dir { getattr search };
>>> init_daemon_run_dir(sshd_var_run_t, "sshd")
>>> ')
>>
>> This looks like it should be in ssh_server_template(). Also please
>> use search_dir_perms permission set.
>>
>
> Shouldn't the complete ifdef be moved to this then?
The init_daemon_run_dir() pairs up with the sshd_var_run_t declaration inside the ssh_server_template(), so no. However, it should probably move to the end of the declarations block.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com