SSH patch from Dan Walsh.
authorChris PeBenito <cpebenito@tresys.com>
Wed, 19 May 2010 12:31:17 +0000 (08:31 -0400)
committerChris PeBenito <cpebenito@tresys.com>
Wed, 19 May 2010 12:31:17 +0000 (08:31 -0400)
policy/modules/services/ssh.if
policy/modules/services/ssh.te

index 141ca93cc8a9433c7209fe13d765f83b22ddfd77..567592dbb14c11c72b4d069468c7558a2ecee715 100644 (file)
@@ -181,7 +181,7 @@ template(`ssh_server_template', `
        type $1_var_run_t;
        files_pid_file($1_var_run_t)
 
-       allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+       allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
        allow $1_t self:fifo_file rw_fifo_file_perms;
        allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
        allow $1_t self:tcp_socket create_stream_socket_perms;
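Review bot: The `sys_nice` capability added to the `allow $1_t self:capability` line carries no comment saying which sshd operation needs it, and because this is a template the grant lands in every server domain instantiated from it. `setsched` on `self:process` was already present on the following line, so the new bit presumably covers changing the priority or scheduling of some other process rather than sshd's own; I would record that next to the grant, e.g. `# sys_nice: sshd adjusts scheduling priority (TODO confirm which code path)`. ssh_server_template begins and ends outside this hunk.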
@@ -237,6 +237,7 @@ template(`ssh_server_template', `
 
        files_read_etc_files($1_t)
        files_read_etc_runtime_files($1_t)
+       files_read_usr_files($1_t)
 
        logging_search_logs($1_t)
 
@@ -265,7 +266,6 @@ template(`ssh_server_template', `
 
        optional_policy(`
                files_read_var_lib_symlinks($1_t)
-
                nx_spec_domtrans_server($1_t)
        ')
 ')
@@ -388,6 +388,7 @@ template(`ssh_role_template',`
        logging_send_syslog_msg($1_ssh_agent_t)
 
        miscfiles_read_localization($1_ssh_agent_t)
+       miscfiles_read_certs($1_ssh_agent_t)
 
        seutil_dontaudit_read_config($1_ssh_agent_t)
 
@@ -395,6 +396,7 @@ template(`ssh_role_template',`
        userdom_use_user_terminals($1_ssh_agent_t)
 
        # for the transition back to normal privs upon exec
+       userdom_search_user_home_content($1_ssh_agent_t)
        userdom_user_home_domtrans($1_ssh_agent_t, $3)
        allow $3 $1_ssh_agent_t:fd use;
        allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
@@ -696,6 +698,25 @@ interface(`ssh_dontaudit_read_server_keys',`
        dontaudit $1 sshd_key_t:file { getattr read };
 ')
 
+######################################
+## <summary>
+##     Manage ssh home directory content
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ssh_manage_home_files',`
+       gen_require(`
+               type ssh_home_t;
+       ')
+
+       manage_files_pattern($1, ssh_home_t, ssh_home_t)
+       userdom_search_user_home_dirs($1)
+')
+
 #######################################
 ## <summary>
 ##     Delete from the ssh temp files.
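Review bot: The new `ssh_manage_home_files` interface grants manage_file_perms on `ssh_home_t`, which is the label of the user's `~/.ssh` contents including `authorized_keys` and private keys, so any domain handed this interface can plant a login credential for that user; the `<summary>` "Manage ssh home directory content" does not convey that. I would add a `<desc>` block to the interface's doc comment stating that this includes creating and writing authorized_keys and private key files, and that it should be granted only to domains that genuinely need to modify the user's SSH key material rather than merely read it. Note also that the interface grants search on the user home directory but not create/delete on the `ssh_home_t` directory itself, so a caller cannot create `~/.ssh`; that limit is worth stating in the same description.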
index d44327bd7ce48e1c7eecff0f0e7da2bb62afe82f..1a9f7c53b901e0d63e4cca822f981693e0aa4e26 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(ssh, 2.1.2)
+policy_module(ssh, 2.1.3)
 
 ########################################
 #
@@ -311,15 +311,15 @@ tunable_policy(`ssh_sysadm_login',`
 ')
 
 optional_policy(`
-       kerberos_keytab_template(sshd, sshd_t)
+       daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
 optional_policy(`
-       daemontools_service_domain(sshd_t, sshd_exec_t)
+       inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
 
 optional_policy(`
-       inetd_tcp_service_domain(sshd_t, sshd_exec_t)
+       kerberos_keytab_template(sshd, sshd_t)
 ')
 
 optional_policy(`
@@ -333,10 +333,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-       unconfined_domain(sshd_t)
        unconfined_shell_domtrans(sshd_t)
 ')
 
+optional_policy(`
+       xserver_domtrans_xauth(sshd_t)
+')
+
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
        # Relabel and access ptys created by sshd
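Review bot: Removing `unconfined_domain(sshd_t)` from the unconfined optional block turns sshd into a confined domain whenever the unconfined module is loaded, a hardening change that the one-line commit message does not mention and that will surface denials for every permission sshd_t was previously getting for free; a comment on the surviving `unconfined_shell_domtrans(sshd_t)` line would make the intent explicit, e.g. `# sshd_t stays confined even with the unconfined module loaded; only the login shell transitions to unconfined_t`. The new `xserver_domtrans_xauth(sshd_t)` block is presumably for X11 forwarding, where sshd runs xauth for the forwarded display, and a one-line comment naming that use would save the next reader from guessing. The `ifdef(`TODO',` block at the end of the hunk continues outside SOURCE.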