diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc
index 21c47c6..ce8d0b3 100644
--- a/policy/modules/services/nx.fc
+++ b/policy/modules/services/nx.fc
@@ -1,6 +1,6 @@
 /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
-/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_ssh_home_t,s0)
 /opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 2232c8c..7c79b4a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -47,8 +47,9 @@ template(`ssh_basic_client_template',`
 application_domain($1_ssh_t, ssh_exec_t)
 role $3 types $1_ssh_t;
- type $1_home_ssh_t;
- files_type($1_home_ssh_t)
+ type $1_ssh_home_t;
+ files_type($1_ssh_home_t)
+ typealias $1_ssh_home_t alias $1_home_ssh_t;
 ##############################
 #
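Review bot: The new `typealias $1_ssh_home_t alias $1_home_ssh_t;` in ssh_basic_client_template keeps the old generated name resolvable, but nothing marks it as a compatibility shim, so the alias is likely to outlive its purpose and keep two names for one type in the policy; a one-line comment above it, `# $1_home_ssh_t is a compatibility alias for the old name; new policy should use $1_ssh_home_t`, would record the intent. The nx.fc hunk in this commit already moves its file context to `nx_server_ssh_home_t`, so the alias appears to exist only for policy outside this tree that still names the old type. The ssh.te hunks later in this patch switch the rules from `home_ssh_t` to `ssh_home_t` without showing the type declaration; whether the non-template type gets a matching `typealias ssh_home_t alias home_ssh_t;` cannot be seen here and should be confirmed outside those hunks, since the unchanged context line `allow ssh_server ssh_home_t:dir list_dir_perms;` shows both names were already in use in ssh.te before this change.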
@@ -92,18 +93,18 @@ template(`ssh_basic_client_template',`
 ps_process_pattern($2, $1_ssh_t)
 # user can manage the keys and config
- manage_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
- manage_lnk_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
- manage_sock_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
+ manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+ manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+ manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
 # ssh client can manage the keys and config
- manage_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
- read_lnk_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
+ manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
+ read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
 # ssh servers can read the user keys and config
- allow ssh_server $1_home_ssh_t:dir list_dir_perms;
- read_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t)
- read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t)
+ allow ssh_server $1_ssh_home_t:dir list_dir_perms;
+ read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
+ read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
 kernel_read_kernel_sysctls($1_ssh_t)
 kernel_read_system_state($1_ssh_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 439f117..a3f779a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -111,9 +111,9 @@ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t)
-manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
-userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
+manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
+manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
 # Allow the ssh program to communicate with ssh-agent.
 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
@@ -121,8 +121,8 @@ stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
 allow ssh_t sshd_t:unix_stream_socket connectto;
 # ssh client can manage the keys and config
-manage_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
-read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
+manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 # ssh servers can read the user keys and config
 allow ssh_server ssh_home_t:dir list_dir_perms;