diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 3a0a884..0369e9d 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -211,7 +211,7 @@ template(`ssh_per_userdomain_template',`
#allow ssh to access keys stored on removable media
# Should we have a boolean around this?
- allow $1_ssh_t mnt_t:dir search;
+ files_search_mnt($1_ssh_t)
r_dir_file($1_ssh_t, removable_t)
ifdef(`xdm.te', `
@@ -404,6 +404,10 @@ template(`sshd_program_domain', `
auth_rw_login_records($1_t)
auth_rw_lastlog($1_t)
+ corecmd_read_bin_symlink($1_t)
+ # for sshd subsystems, such as sftp-server.
+ corecmd_getattr_bin_file($1_t)
+
domain_wide_inherit_fd($1_t)
domain_subj_id_change_exempt($1_t)
domain_role_change_exempt($1_t)
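Review bot: The `r_dir_file($1_ssh_t, removable_t)` line directly under the new `files_search_mnt($1_ssh_t)` call is left as a raw macro with a direct `removable_t` reference, so the template still reaches across modules for that type (unless a `gen_require` outside this hunk covers it), and the question in the comment above it, `# Should we have a boolean around this?`, is not resolved. Since this hunk is already converting the neighbouring `mnt_t` rule to an interface, giving the removable-media read the same treatment would keep the template free of foreign type names, and a `tunable_policy` around it would let sites that do not want user ssh clients reading keys off removable media switch it off. `ssh_per_userdomain_template` begins and ends outside the hunk.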
@@ -436,43 +440,36 @@ template(`sshd_program_domain', `
fs_read_cifs_files($1_t)
')
+ optional_policy(`inetd.te',`
+ tunable_policy(`run_ssh_inetd',`
+ allow $1_t self:process signal;
+ files_list_pids($1_t)
+ ',`
+ corenet_tcp_bind_ssh_port($1_t)
+ init_use_fd($1_t)
+ init_use_script_pty($1_t)
+ ')
+ ',`
+ # These rules should match the else block
+ # of the run_ssh_inetd tunable directly above
+ corenet_tcp_bind_ssh_port($1_t)
+ init_use_fd($1_t)
+ init_use_script_pty($1_t)
+ ')
+
optional_policy(`mount.te', `
mount_send_nfs_client_request($1_t)
')
ifdef(`TODO',`
- allow $1_t bin_t:dir search;
- allow $1_t bin_t:lnk_file read;
-
- # for sshd subsystems, such as sftp-server.
- allow $1_t bin_t:file getattr;
-
# Read /var.
allow $1_t var_t:dir getattr;
- allow $1_t { home_root_t home_dir_type }:dir getattr;
+ allow $1_t home_dir_type:dir getattr;
dontaudit sshd_t userpty_type:chr_file relabelfrom;
- optional_policy(`inetd.te',`
- if (run_ssh_inetd) {
- allow $1_t self:process signal;
- allow $1_t inetd_t:tcp_socket rw_socket_perms;
- allow $1_t var_run_t:dir getattr;
- files_search_pids($1_t)
- } else {
- corenet_tcp_bind_ssh_port($1_t)
- init_use_fd($1_t)
- init_use_script_pty($1_t)
- }
- ',`
- # These rules should match the else block
- # of the run_ssh_inetd conditional directly above
- corenet_tcp_bind_ssh_port($1_t)
- init_use_fd($1_t)
- init_use_script_pty($1_t)
- ')
') dnl end TODO
')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 8e3a1e6..9b25e36 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
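Review bot: The new `run_ssh_inetd` branch calls `files_list_pids($1_t)` where the block it replaces (still visible in the `ifdef(`TODO'` section below) used `files_search_pids($1_t)` plus `var_run_t:dir getattr`; listing /var/run is a wider grant than searching it and nothing in the hunk says why sshd under inetd needs to enumerate the pid directory, so `files_search_pids($1_t)` would preserve the earlier scope unless list is actually required. The old `allow $1_t inetd_t:tcp_socket rw_socket_perms;` is also dropped here; presumably it is now provided by `inetd_tcp_service_domain` in ssh.te, but that is not visible in this hunk, so it is worth confirming sshd can still use the socket inetd hands it. The else branch duplicates the three calls of the inner else, as the comment `# These rules should match the else block` admits; a small local macro holding `corenet_tcp_bind_ssh_port`, `init_use_fd` and `init_use_script_pty` would remove the need to keep them in sync by hand. `sshd_program_domain` starts before the hunk.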
@@ -23,6 +23,19 @@ role system_r types ssh_keygen_t;
sshd_program_domain(sshd)
+optional_policy(`inetd.te',`
+# CJP: commenting this out until typeattribute works in a conditional
+# tunable_policy(`run_ssh_inetd',`
+ inetd_tcp_service_domain(sshd_t,sshd_exec_t)
+# ',`
+# init_daemon_domain(sshd_t,sshd_exec_t)
+# ')
+',`
+ # These rules should match the else block
+ # of the run_ssh_inetd tunable directly above
+ init_daemon_domain(sshd_t,sshd_exec_t)
+')
+
type sshd_exec_t;
files_file_type(sshd_exec_t)
@@ -59,18 +72,6 @@ seutil_read_config(sshd_t)
# Allow checking users mail at login
mta_getattr_spool(sshd_t)
-optional_policy(`inetd.te',`
- tunable_policy(`run_ssh_inetd',`
- inetd_service_domain(sshd_t,sshd_exec_t)
- ',`
- init_daemon_domain(sshd_t,sshd_exec_t)
- ')
-',`
- # These rules should match the else block
- # of the run_ssh_inetd tunable directly above
- init_daemon_domain(sshd_t,sshd_exec_t)
-')
-
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
userdom_spec_domtrans_all_users(sshd_t)
@@ -104,11 +105,6 @@ tunable_policy(`ssh_sysadm_login',`
allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
')
-# this goes to inetd
-tunable_policy(`run_ssh_inetd',`
- corenet_tcp_bind_ssh_port(inetd_t)
-')
-
# for when the network connection breaks after running newrole -r sysadm_r
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
@@ -161,10 +157,6 @@ domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
role_transition sysadm_r sshd_exec_t system_r;
')
-# so a tunnel can point to another ssh tunnel...
-allow sshd_t kernel_t:tcp_socket recvfrom;
-allow sshd_t kernel_t:tcp_socket recvfrom;
-
# for port forwarding
allow userdomain sshd_t:tcp_socket { connectto recvfrom };
allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index f5ddc8f..35da2dd 100644
--- a/refpolicy/policy/modules/system/corecommands.if
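Review bot: With the `tunable_policy` commented out, `inetd_tcp_service_domain(sshd_t,sshd_exec_t)` is applied unconditionally whenever the inetd module is present and `init_daemon_domain(sshd_t,sshd_exec_t)` is no longer applied at all in that case, so a build that includes inetd.te but starts sshd from its init script (the `run_ssh_inetd` off case, which the old code handled in its else branch) presumably loses the transition into `sshd_t` and leaves the daemon in the script's domain. Until the typeattribute-in-conditional problem noted in the `# CJP:` comment is fixed, calling `init_daemon_domain(sshd_t,sshd_exec_t)` unconditionally and adding `inetd_tcp_service_domain` only inside the `optional_policy` would keep the default startup path confined, provided the two interfaces do not conflict. The `# CJP:` comment should also say explicitly that both domains are intended to coexist for now, since the `# These rules should match the else block` note in the else branch otherwise reads as if the tunable were active. The removed `corenet_tcp_bind_ssh_port(inetd_t)` rule later in this file is presumably covered by `inetd_tcp_service_domain`, but that cannot be confirmed from this hunk.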
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -3,10 +3,12 @@ ## in /bin, /sbin, /usr/bin, and /usr/sbin.
##
-#######################################
-#
-# corecmd_shell_entry_type(domain)
-#
+##
+## Make the shell an entrypoint for the specified domain.
+##
+##
+## The domain for which the shell is an entrypoint.
+##
interface(`corecmd_shell_entry_type',`
gen_require(`
type shell_exec_t;
@@ -41,6 +43,38 @@ interface(`corecmd_list_bin',`
allow $1 bin_t:dir r_dir_perms;
')
+##
+## Get the attributes of files in bin directories.
+##
+##
+## The type of the process performing this action.
+##
+interface(`corecmd_getattr_bin_file',`
+ gen_require(`
+ type bin_t;
+ class file getattr;
+ ')
+
+ allow $1 bin_t:file getattr;
+')
+
+##
+## Read symbolic links in bin directories.
+##
+##
+## The type of the process performing this action.
+##
+interface(`corecmd_read_bin_symlink',`
+ gen_require(`
+ type bin_t;
+ class dir search;
+ class lnk_file read;
+ ')
+
+ allow $1 bin_t:dir search;
+ allow $1 bin_t:lnk_file read;
+')
+
########################################
#
# corecmd_exec_bin(domain)
@@ -86,6 +120,19 @@ interface(`corecmd_list_sbin',`
########################################
#
+# corecmd_getattr_sbin_file(domain)
+#
+interface(`corecmd_getattr_sbin_file',`
+ gen_require(`
+ type sbin_t;
+ class file getattr;
+ ')
+
+ allow $1 sbin_t:file getattr;
+')
+
+########################################
+#
# corecmd_dontaudit_getattr_sbin_file(domain)
#
interface(`corecmd_dontaudit_getattr_sbin_file',`
@@ -94,7 +141,7 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
class file getattr;
')
- allow $1 sbin_t:file getattr;
+ dontaudit $1 sbin_t:file getattr;
')
########################################
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 1bddf1d..d50918a 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
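Review bot: `corecmd_getattr_bin_file` grants only `bin_t:file getattr`, while its sibling `corecmd_read_bin_symlink` in the same hunk bundles `bin_t:dir search` with the link read; a caller that uses only the getattr interface cannot reach a file under a `bin_t` directory without search on that directory, so for consistency the interface should carry `allow $1 bin_t:dir search;` too, or its `## Get the attributes of files in bin directories.` summary should state that the caller is expected to obtain directory search separately. The gen_require would then also need `class dir search;`. Both interfaces are complete within the hunk.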
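Review bot: `corecmd_getattr_sbin_file` is added with the legacy `# corecmd_getattr_sbin_file(domain)` comment header rather than the `##` summary/parameter documentation the bin_t interfaces earlier in this commit receive, so whatever consumes the `##` blocks presumably has nothing for it; replacing the three `#` header lines with `## Get the attributes of files in sbin directories.` and a `## The type of the process performing this action.` parameter line would match the new style. Like its bin_t counterpart it grants `sbin_t:file getattr` without `sbin_t:dir search`, which is acceptable if callers are expected to add search themselves, but the documentation should say so. The interface is complete within the hunk.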
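Review bot: Turning `allow $1 sbin_t:file getattr;` into `dontaudit` in `corecmd_dontaudit_getattr_sbin_file` is the correct reading of the interface's name, but any existing caller that was in fact relying on the access it mistakenly granted will now be denied silently, with no AVC message to point at the regression. Before this lands, callers of `corecmd_dontaudit_getattr_sbin_file` elsewhere in the policy should be checked and switched to the new `corecmd_getattr_sbin_file` where the access is genuinely needed. The interface's gen_require begins before the hunk.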
@@ -649,6 +649,19 @@ interface(`files_list_home',`
########################################
#
+# files_search_mnt(domain)
+#
+interface(`files_search_mnt',`
+ gen_require(`
+ type mnt_t;
+ class dir search;
+ ')
+
+ allow $1 mnt_t:dir search;
+')
+
+########################################
+#
# files_list_mnt(domain)
#
interface(`files_list_mnt',`
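Review bot: `files_search_mnt` is added with the legacy `# files_search_mnt(domain)` comment header while the corecommands.if interfaces in the same commit get `##` summary/parameter documentation; for a new interface the documented form, `## Search the contents of /mnt.` plus a `## The type of the process performing this action.` parameter line, would be preferable even though the neighbouring `files_list_mnt` still uses the old header. The grant itself (`mnt_t:dir search` only) is the minimal one for the ssh.if caller that replaces a raw `mnt_t:dir search` rule with it. The interface is complete within the hunk.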