backport chroot_user_t policy from RHEL6 which is for chroot openssh mode
authorMiroslav Grepl <mgrepl@redhat.com>
Wed, 14 Sep 2011 15:30:24 +0000 (15:30 +0000)
committerMiroslav Grepl <mgrepl@redhat.com>
Wed, 14 Sep 2011 15:30:24 +0000 (15:30 +0000)
policy/modules/services/ssh.if
policy/modules/services/ssh.te

index ba5d941deda9c62558cb8b9000b93a108bd00bcb..f48143796b2b335e15b36170d81aa7b07c15879b 100644 (file)
@@ -815,6 +815,25 @@ interface(`ssh_signull',`
        allow $1 sshd_t:process signull;
 ')
 
+#####################################
+## <summary>
+##  Allow domain dyntransition to chroot_user_t domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ssh_dyntransition_chroot_user',`
+    gen_require(`
+        type chroot_user_t;
+    ')
+
+    allow $1 chroot_user_t:process dyntransition;
+    allow chroot_user_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##     Create .ssh directory in the /root directory
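Review bot: The body of ssh_dyntransition_chroot_user is indented with four spaces while the context line `allow $1 sshd_t:process signull;` at the top of the hunk renders as the file's tab indentation; the same mismatch shows in ssh.te in the optional_policy that calls ssh_dyntransition_chroot_user(sshd_t) and throughout the new chroot_user_t local policy. The interface summary could also say why a dynamic transition rather than a domain transition is used, e.g. `## Allow domain dyntransition to chroot_user_t domain (sshd ChrootDirectory sessions; chroot_user_t has no entrypoint).` since, as far as this diff shows, no entrypoint or exec type is declared for chroot_user_t.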
index 24f8d902c6ad112d9c1575b39b00c7e881059b9b..28ef6ae0f54d8ea232222fc004cf6cf49636b598 100644 (file)
@@ -26,9 +26,21 @@ gen_tunable(ssh_sysadm_login, false)
 ## </desc>
 gen_tunable(sshd_forward_ports, false)
 
+## <desc>
+## <p>
+## Allow ssh with chroot env to read and write files 
+## in the user home directories
+## </p>
+## </desc>
+gen_tunable(ssh_chroot_rw_homedirs, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;
 
+type chroot_user_t;
+domain_type(chroot_user_t)
+role system_r types chroot_user_t;
+
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
 init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
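Review bot: The new `type chroot_user_t;` declaration carries no comment explaining what the domain is or how it is entered, unlike the documented tunable just above it; a reader has to find the dyntransition interface in ssh.if to work it out. A short comment such as `# Domain for sshd ChrootDirectory sessions; entered only via dyntransition from sshd_t (ssh_dyntransition_chroot_user), no entrypoint` would record the intent. The role line binds chroot_user_t to system_r even though it runs on behalf of a logged-in user; if that is deliberate (the session is still owned by sshd) a note saying so would save later questions.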
@@ -269,6 +281,7 @@ userdom_read_user_home_content_symlinks(sshd_t)
 userdom_manage_tmp_role(system_r, sshd_t)
 userdom_spec_domtrans_unpriv_users(sshd_t)
 userdom_signal_unpriv_users(sshd_t)
+userdom_dyntransition_unpriv_users(sshd_t)
 
 tunable_policy(`sshd_forward_ports',`
        corenet_tcp_bind_all_unreserved_ports(sshd_t)
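Review bot: `userdom_dyntransition_unpriv_users(sshd_t)` is added unconditionally and grants sshd_t a dynamic transition into every unprivileged user domain; unlike the userdom_spec_domtrans_unpriv_users rule beside it, a dyntransition is not gated by an entrypoint file, so this is a broader permission than the surrounding lines. Presumably it is needed for the chroot mode described in the commit title, but nothing in the hunk says so; a comment such as `# sshd sets its context with setcon in ChrootDirectory mode; no entrypoint check applies` on the line would make the scope of the grant reviewable.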
@@ -323,6 +336,10 @@ optional_policy(`
        rssh_read_ro_content(sshd_t)
 ')
 
+optional_policy(`
+    ssh_dyntransition_chroot_user(sshd_t)
+')
+
 optional_policy(`
        systemd_exec_systemctl(sshd_t)
 ')
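Review bot: `ssh_dyntransition_chroot_user(sshd_t)` is an interface of this same ssh module, so wrapping it in optional_policy appears unnecessary: the ssh module cannot be absent from its own policy, and the wrapper suggests an external dependency that does not exist. The same applies to the optional_policy block at the end of the chroot_user_t local policy that calls ssh_rw_stream_sockets, ssh_rw_tcp_sockets and ssh_rw_dgram_sockets. Calling the interface directly, `ssh_dyntransition_chroot_user(sshd_t)`, would match how the rest of sshd_t's own-module rules are written.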
@@ -416,3 +433,54 @@ optional_policy(`
 optional_policy(`
        udev_read_db(ssh_keygen_t)
 ')
+
+######################################
+#
+# chroot_user_t local policy
+#
+
+allow chroot_user_t self:capability { setuid sys_chroot setgid };
+
+allow chroot_user_t self:fifo_file rw_fifo_file_perms;
+
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
+userdom_read_user_home_content_symlinks(chroot_user_t)
+userdom_exec_user_home_content_files(chroot_user_t)
+
+tunable_policy(`ssh_chroot_rw_homedirs',`
+        files_list_home(chroot_user_t)
+        userdom_read_user_home_content_files(chroot_user_t)
+        userdom_manage_user_home_content(chroot_user_t)
+', `
+
+        userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
+    fs_manage_nfs_dirs(chroot_user_t)
+    fs_manage_nfs_files(chroot_user_t)
+    fs_manage_nfs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
+    fs_manage_cifs_dirs(chroot_user_t)
+    fs_manage_cifs_files(chroot_user_t)
+    fs_manage_cifs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+    fs_read_cifs_files(chroot_user_t)
+    fs_read_cifs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+    fs_read_nfs_files(chroot_user_t)
+    fs_read_nfs_symlinks(chroot_user_t)
+')
+
+optional_policy(`
+    ssh_rw_stream_sockets(chroot_user_t)
+    ssh_rw_tcp_sockets(chroot_user_t)
+    ssh_rw_dgram_sockets(chroot_user_t)
+')
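Review bot: The else branch of `tunable_policy(\`ssh_chroot_rw_homedirs'...)` applies `userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })` only when the tunable is off, yet in that state chroot_user_t holds no write access to home content, so the file transition rule has nothing to act on; presumably it belongs in the true branch next to userdom_manage_user_home_content. Inside the true branch, `userdom_read_user_home_content_files(chroot_user_t)` repeats the unconditional grant a few lines above and can be dropped. If the else branch is intentional, a comment stating why would prevent the next reader from "fixing" it.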