Add SELinux support for ssh pre-auth net process in F17
authorMiroslav Grepl <mgrepl@redhat.com>
Fri, 23 Sep 2011 12:26:23 +0000 (12:26 +0000)
committerMiroslav Grepl <mgrepl@redhat.com>
Fri, 23 Sep 2011 12:26:23 +0000 (12:26 +0000)
policy/modules/admin/permissivedomains.te
policy/modules/services/ssh.if
policy/modules/services/ssh.te
policy/modules/system/init.if

index bb587b10a4240d6c09381163d7bc2f0296373ef9..eea179c04923b0400ce2c361df0e3ecf585d2def 100644 (file)
@@ -96,6 +96,14 @@ optional_policy(`
       permissive rhsmcertd_t;
 ')
 
+optional_policy(
+       gen_require(`
+               type sshd_sandbox_t;
+       ')
+
+       permissive sshd_sandbox_t;
+')
+
 optional_policy(`
       gen_require(`
              type fail2ban_client_t;
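Review bot: The added `optional_policy(` line is missing the opening m4 quote (the backtick) that every neighbouring block has, while its closing `')` is present, so the quoting of this block is unbalanced. Add the backtick after `optional_policy(` so the block matches the `optional_policy` blocks above and below it. Because the block makes `sshd_sandbox_t` permissive, denials for the pre-auth network process are only logged and not enforced; a short comment such as `# TODO: remove once sshd_sandbox_t policy is complete` would make clear that the sandbox is not yet confining anything.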
index 0d987fdc726f42ee404b6abec9b671cc41680a44..04f36d7105d536faa797c98b6f684b42df0afe5e 100644 (file)
@@ -146,6 +146,29 @@ template(`ssh_basic_client_template',`
        ')
 ')
 
+######################################
+## <summary>
+##  The template to define a domain to which sshd dyntransition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The prefix of the dyntransition domain
+##  </summary>
+## </param>
+#
+template(`ssh_dyntransition_domain_template',`
+       gen_require(`
+               attribute ssh_dyntransition_domain;
+       ')
+
+       type $1, dyntransition_domain;
+       domain_type($1)
+       role system_r types $1;
+       
+       optional_policy(`
+               ssh_dyntransition_to($1)
+       ')
+')
 #######################################
 ## <summary>
 ##     The template to define a ssh server.
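Review bot: The attribute name is spelled three different ways across this commit. The template requires `ssh_dyntransition_domain` but declares `type $1, dyntransition_domain;`, the ssh.te hunk declares `attribute ssh_dyntrasition_domain;`, and the new local-policy rules in ssh.te are written against `ssh_dyntransition_domain`. As written, the types created here would not carry the attribute those allow rules are keyed on, and the build would presumably fail on the undeclared names. Use one spelling throughout: `type $1, ssh_dyntransition_domain;` here and `attribute ssh_dyntransition_domain;` in ssh.te. The `<param>` text also calls `$1` a prefix although it is used as the complete type name, and a blank line is missing before the following `#######` header.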
@@ -843,13 +866,13 @@ interface(`ssh_signull',`
 ##  </summary>
 ## </param>
 #
-interface(`ssh_dyntransition_chroot_user',`
+interface(`ssh_dyntransition_to',`
     gen_require(`
-        type chroot_user_t;
+        type sshd_t;
     ')
 
-    allow $1 chroot_user_t:process dyntransition;
-    allow chroot_user_t $1:process sigchld;
+    allow sshd_t $1:process dyntransition;
+    allow $1 sshd_t:process sigchld;
 ')
 
 ########################################
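Review bot: The rename inverts the meaning of `$1`: it used to be the domain allowed to dyntransition into `chroot_user_t`, and is now the target domain that `sshd_t` transitions into. The `<summary>`/`<param>` block for this interface starts above the hunk, so I cannot see whether it was updated. It should read along the lines of `Allow sshd to dyntransition to the specified domain.` with the parameter described as `Domain sshd_t is allowed to transition to.`. Any caller of the old name `ssh_dyntransition_chroot_user` outside this commit will stop resolving unless a compatibility interface is kept.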
index 28ef6ae0f54d8ea232222fc004cf6cf49636b598..49309147424d4c2802b8f651f49a5e7398d76af9 100644 (file)
@@ -34,9 +34,13 @@ gen_tunable(sshd_forward_ports, false)
 ## </desc>
 gen_tunable(ssh_chroot_rw_homedirs, false)
 
+attribute ssh_dyntrasition_domain;
 attribute ssh_server;
 attribute ssh_agent_type;
 
+ssh_dyntransition_domain_template(chroot_user_t)
+ssh_dyntransition_domain_template(sshd_sandbox_t)
+
 type chroot_user_t;
 domain_type(chroot_user_t)
 role system_r types chroot_user_t;
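Review bot: `chroot_user_t` ends up declared twice after this hunk. `ssh_dyntransition_domain_template(chroot_user_t)` already emits `type $1, ...;`, `domain_type($1)` and `role system_r types $1;`, yet the unchanged lines `type chroot_user_t;`, `domain_type(chroot_user_t)` and `role system_r types chroot_user_t;` remain directly below it. Drop those three lines and let the template own the declaration, as it does for `sshd_sandbox_t`. The template calls are also placed above the other type declarations; moving them below the attribute block with a one-line comment (`# domains sshd_t may dyntransition to`) would keep the file's declaration section readable.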
@@ -336,10 +340,6 @@ optional_policy(`
        rssh_read_ro_content(sshd_t)
 ')
 
-optional_policy(`
-    ssh_dyntransition_chroot_user(sshd_t)
-')
-
 optional_policy(`
        systemd_exec_systemctl(sshd_t)
 ')
@@ -434,14 +434,36 @@ optional_policy(`
        udev_read_db(ssh_keygen_t)
 ')
 
+####################################
+#
+# ssh_dyntransition domain local policy
+#
+
+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
+
+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
+
+optional_policy(`
+    ssh_rw_stream_sockets(ssh_dyntransition_domain)
+    ssh_rw_tcp_sockets(ssh_dyntransition_domain)
+')
+
+#####################################
+#
+# ssh_sandbox local policy
+#
+
+allow sshd_t sshd_sandbox_t:process signal;
+
+init_ioctl_stream_sockets(sshd_sandbox_t)
+
+logging_send_audit_msgs(sshd_sandbox_t)
+
 ######################################
 #
 # chroot_user_t local policy
 #
 
-allow chroot_user_t self:capability { setuid sys_chroot setgid };
-
-allow chroot_user_t self:fifo_file rw_fifo_file_perms;
 
 userdom_read_user_home_content_files(chroot_user_t)
 userdom_read_inherited_user_home_content_files(chroot_user_t)
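Review bot: Moving `self:capability { setuid sys_chroot setgid }` onto the shared attribute gives `sshd_sandbox_t`, the domain meant to hold the unauthenticated network-facing child, the same capabilities as `chroot_user_t`. If the pre-auth child really still needs to chroot and drop uid/gid after the dyntransition, say so in a comment above the rule, e.g. `# privsep child chroots and drops privileges after setcon()`. Otherwise keep the capability rule in the per-domain sections so the sandbox gets only what it needs. The new `ssh_sandbox local policy` section would also benefit from a line explaining why the sandbox needs `init_ioctl_stream_sockets`, since that is not obvious for a sandboxed process. The removal under the `chroot_user_t local policy` header leaves two consecutive blank lines.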
@@ -480,7 +502,5 @@ tunable_policy(`use_nfs_home_dirs',`
 ')
 
 optional_policy(`
-    ssh_rw_stream_sockets(chroot_user_t)
-    ssh_rw_tcp_sockets(chroot_user_t)
     ssh_rw_dgram_sockets(chroot_user_t)
 ')
index 09c931a915916102b64e5ecd713114fa551cb56a..b5e5c70d212393d45be02f80b5e2926ef730c0fc 100644 (file)
@@ -2175,6 +2175,25 @@ interface(`init_dontaudit_script_leaks',`
        init_dontaudit_use_script_fds($1)
 ')
 
+#######################################
+## <summary>
+##  Allow the specified domain to ioctl an
+##  init with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_ioctl_stream_sockets',`
+    gen_require(`
+        type init_t;
+    ')
+
+    allow $1 init_t:unix_stream_socket ioctl;
+')
+
 ########################################
 ## <summary>
 ##     Allow the specified domain to read/write to
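Review bot: The summary for `init_ioctl_stream_sockets` is hard to parse ("ioctl an init with a unix domain stream sockets") and does not say that the sockets in question belong to init. Suggested wording: `## Allow the specified domain to perform ioctl on init unix domain stream sockets.` The new block is indented with spaces, whereas the surrounding interfaces in this file appear to use tabs for the `##` text and body; matching them keeps the generated interface documentation consistent.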