
ssh: update policy to the one from selinux-policy-src in Debian stretch

Helmut Pozimski há 7 anos atrás
pai
commit
3431ba1bfd
3 ficheiros alterados com 20 adições e 6 exclusões
  1. 6 1
      policy/modules/ssh.fc
  2. 1 1
      policy/modules/ssh.if
  3. 13 4
      policy/modules/ssh.te

+ 6 - 1
policy/modules/ssh.fc

@@ -7,7 +7,12 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
-/usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
+/usr/lib/systemd/system/ssh.*		--	gen_context(system_u:object_r:sshd_unit_t,s0)
+/usr/lib/systemd/system/sshdgenkeys.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+/usr/lib/systemd/system/sshd-keygen.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
 
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
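Review bot: The three added unit-file entries only label paths under `/usr/lib/systemd/system`, yet a Debian stretch system without merged /usr installs openssh's units under `/lib/systemd/system`; unless the build's file_contexts.subs_dist maps `/lib` onto `/usr/lib` (not visible in this diff), `ssh.service` would keep its generic lib label and the unit-specific rules tied to `sshd_unit_t` would never apply. The broad `ssh.*` pattern also matches the two `sshd_keygen_unit_t` paths listed right after it, so the intended labelling relies on the matcher preferring the more specific entry (the same convention upstream refpolicy uses), which is easy to miss when reading the file. A short comment above the block, such as `# sshdgenkeys/sshd-keygen entries below are more specific and take precedence over ssh.*`, would record that dependency for the next reader.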

+ 1 - 1
policy/modules/ssh.if

@@ -346,7 +346,7 @@ template(`ssh_role_template',`
 	# SSH agent local policy
 	#
 
-	allow $1_ssh_agent_t self:process setrlimit;
+	allow $1_ssh_agent_t self:process { setrlimit signal };
 	allow $1_ssh_agent_t self:capability setgid;
 
 	allow $1_ssh_agent_t self:fifo_file rw_file_perms;

+ 13 - 4
policy/modules/ssh.te

@@ -1,4 +1,4 @@
-policy_module(ssh, 2.5.1)
+policy_module(ssh, 2.8.0)
 
 ########################################
 #
@@ -47,6 +47,12 @@ type sshd_tmp_t;
 files_tmp_file(sshd_tmp_t)
 files_poly_parent(sshd_tmp_t)
 
+type sshd_keygen_unit_t;
+init_unit_file(sshd_keygen_unit_t)
+
+type sshd_unit_t;
+init_unit_file(sshd_unit_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 ')
@@ -85,7 +91,7 @@ type sshd_keytab_t;
 files_type(sshd_keytab_t)
 
 ifdef(`distro_debian',`
-	init_daemon_run_dir(sshd_var_run_t, "sshd")
+	init_daemon_pid_file(sshd_var_run_t, dir, "sshd")
 ')
 
 ##############################
@@ -264,12 +270,15 @@ term_relabelto_all_ptys(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
-connect_udev_udp_socket(sshd_t)
-
 ifdef(`distro_debian',`
 	allow sshd_t self:process { getcap setcap };
 ')
 
+ifdef(`init_systemd',`
+	systemd_dbus_chat_logind(sshd_t)
+	init_rw_stream_sockets(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to
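Review bot: The new `ifdef(`init_systemd',` block at the added lines grants sshd_t D-Bus chat with logind and read/write access to init_t stream sockets without recording why, and both widen what a network-facing daemon may reach, so the motivating denials deserve a comment. Presumably the logind access serves pam_systemd's session registration and the stream-socket access covers the stdout/stderr journal stream inherited from PID 1, but both should be confirmed against the actual AVC messages before the comments are written. Something like `# pam_systemd session setup talks to logind over the system bus` above `systemd_dbus_chat_logind(sshd_t)` and `# journal stdout stream inherited from systemd (init_t) -- confirm` above `init_rw_stream_sockets(sshd_t)` would do. The `tunable_policy` block at the end of the hunk continues outside it.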