diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 141ca93..567592d 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -181,7 +181,7 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; + allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; allow $1_t self:tcp_socket create_stream_socket_perms; @@ -237,6 +237,7 @@ template(`ssh_server_template', ` files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) + files_read_usr_files($1_t) logging_search_logs($1_t) @@ -265,7 +266,6 @@ template(`ssh_server_template', ` optional_policy(` files_read_var_lib_symlinks($1_t) - nx_spec_domtrans_server($1_t) ') ') @@ -388,6 +388,7 @@ template(`ssh_role_template',` logging_send_syslog_msg($1_ssh_agent_t) miscfiles_read_localization($1_ssh_agent_t) + miscfiles_read_certs($1_ssh_agent_t) seutil_dontaudit_read_config($1_ssh_agent_t) @@ -395,6 +396,7 @@ template(`ssh_role_template',` userdom_use_user_terminals($1_ssh_agent_t) # for the transition back to normal privs upon exec + userdom_search_user_home_content($1_ssh_agent_t) userdom_user_home_domtrans($1_ssh_agent_t, $3) allow $3 $1_ssh_agent_t:fd use; allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; @@ -696,6 +698,25 @@ interface(`ssh_dontaudit_read_server_keys',` dontaudit $1 sshd_key_t:file { getattr read }; ') +###################################### +## +## Manage ssh home directory content +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_manage_home_files',` + gen_require(` + type ssh_home_t; + ') + + manage_files_pattern($1, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1) +') + ####################################### ## ## Delete from the ssh temp files. diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index d44327b..1a9f7c5 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh, 2.1.2) +policy_module(ssh, 2.1.3) ######################################## # @@ -311,15 +311,15 @@ tunable_policy(`ssh_sysadm_login',` ') optional_policy(` - kerberos_keytab_template(sshd, sshd_t) + daemontools_service_domain(sshd_t, sshd_exec_t) ') optional_policy(` - daemontools_service_domain(sshd_t, sshd_exec_t) + inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') optional_policy(` - inetd_tcp_service_domain(sshd_t, sshd_exec_t) + kerberos_keytab_template(sshd, sshd_t) ') optional_policy(` @@ -333,10 +333,13 @@ optional_policy(` ') optional_policy(` - unconfined_domain(sshd_t) unconfined_shell_domtrans(sshd_t) ') +optional_policy(` + xserver_domtrans_xauth(sshd_t) +') + ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd