Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain
authorMiroslav Grepl <mgrepl@redhat.com>
Thu, 8 Dec 2011 17:01:46 +0000 (17:01 +0000)
committerMiroslav Grepl <mgrepl@redhat.com>
Thu, 8 Dec 2011 17:01:46 +0000 (17:01 +0000)
 * needed for gridengine mpi jobs and for sge policy

policy/modules/services/ssh.if

index c2efd25dddce7d2a8c4c15e402e59c884529804e..6ec295a021953d9ec23f8895e0264a93ddce2ff7 100644 (file)
@@ -35,6 +35,7 @@ template(`ssh_basic_client_template',`
        gen_require(`
                attribute ssh_server;
                type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+               type ssh_keysign_exec_t, ssh_keysign_t;
                type ssh_home_t;
        ')
 
@@ -85,6 +86,10 @@ template(`ssh_basic_client_template',`
        # or "regular" (not special like sshd_extern_t) servers
        allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
 
+       # derived domain can execute ssh-keysign
+       domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+       role $3 types ssh_keysign_t;
+
        # allow ps to show ssh
        ps_process_pattern($2, $1_ssh_t)
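Review bot: The added `domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)` in `ssh_basic_client_template` is unconditional, so every domain derived from the template, and every role passed as `$3`, can now enter `ssh_keysign_t`. That is the domain of the helper that signs with the host's private keys for host-based authentication, yet the description names only gridengine/sge as needing it. Consider granting the transition from the sge policy instead. Alternatively, if ssh.te gates the base `ssh_t` transition behind a boolean (refpolicy uses `allow_ssh_keysign`; not visible on this page), wrap this line in the same `tunable_policy` block and leave the `role $3 types ssh_keysign_t;` statement outside it. The commit title also says ssh-keygen and `ssh_keygen_t` while the rules and the added comment are for ssh-keysign, which will mislead anyone auditing which domains can reach the host keys. The template body starts and ends outside this hunk.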