Home Explore Help
Sign In
Hoshpak
/
debian-selinux-policies
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ssh: update policy to the one from selinux-policy-src in Debian stretch

Helmut Pozimski 7 years ago
parent
2ca3e25aca
commit
3431ba1bfd
3 changed files with 20 additions and 6 deletions
Unified View Show Diff Stats
  1. 6 1
      policy/modules/ssh.fc
  2. 1 1
      policy/modules/ssh.if
  3. 13 4
      policy/modules/ssh.te

+ 6 - 1
policy/modules/ssh.fc
View File 

@@ -7,7 +7,12 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
 
 
-/usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
+/usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
+/usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
+
 
+/usr/lib/systemd/system/ssh.*		--	gen_context(system_u:object_r:sshd_unit_t,s0)
 
+/usr/lib/systemd/system/sshdgenkeys.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
 
+/usr/lib/systemd/system/sshd-keygen.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
 
 
 
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

+ 1 - 1
policy/modules/ssh.if
View File 

@@ -346,7 +346,7 @@ template(`ssh_role_template',`
 
 	# SSH agent local policy
 
 	# SSH agent local policy
 
 	#
 
 	#
 
 
 
-	allow $1_ssh_agent_t self:process setrlimit;
 
+	allow $1_ssh_agent_t self:process { setrlimit signal };
 
 	allow $1_ssh_agent_t self:capability setgid;
 
 	allow $1_ssh_agent_t self:capability setgid;
 
 
 
 	allow $1_ssh_agent_t self:fifo_file rw_file_perms;
 
 	allow $1_ssh_agent_t self:fifo_file rw_file_perms;

+ 13 - 4
policy/modules/ssh.te
View File 

@@ -1,4 +1,4 @@
 
-policy_module(ssh, 2.5.1)
 
+policy_module(ssh, 2.8.0)
 
 
 
 ########################################
 
 ########################################
 
 #
 
 #
 
@@ -47,6 +47,12 @@ type sshd_tmp_t;
 
 files_tmp_file(sshd_tmp_t)
 
 files_tmp_file(sshd_tmp_t)
 
 files_poly_parent(sshd_tmp_t)
 
 files_poly_parent(sshd_tmp_t)
 
 
 
+type sshd_keygen_unit_t;
 
+init_unit_file(sshd_keygen_unit_t)
 
+
 
+type sshd_unit_t;
 
+init_unit_file(sshd_unit_t)
 
+
 
 ifdef(`enable_mcs',`
 
 ifdef(`enable_mcs',`
 
 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 
 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 
 ')
 
 ')
 
@@ -85,7 +91,7 @@ type sshd_keytab_t;
 
 files_type(sshd_keytab_t)
 
 files_type(sshd_keytab_t)
 
 
 
 ifdef(`distro_debian',`
 
 ifdef(`distro_debian',`
 
-	init_daemon_run_dir(sshd_var_run_t, "sshd")
 
+	init_daemon_pid_file(sshd_var_run_t, dir, "sshd")
 
 ')
 
 ')
 
 
 
 ##############################
 
 ##############################
 
@@ -264,12 +270,15 @@ term_relabelto_all_ptys(sshd_t)
 
 corenet_tcp_bind_xserver_port(sshd_t)
 
 corenet_tcp_bind_xserver_port(sshd_t)
 
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
 
 
-connect_udev_udp_socket(sshd_t)
 
-
 
 ifdef(`distro_debian',`
 
 ifdef(`distro_debian',`
 
 	allow sshd_t self:process { getcap setcap };
 
 	allow sshd_t self:process { getcap setcap };
 
 ')
 
 ')
 
 
 
+ifdef(`init_systemd',`
 
+	systemd_dbus_chat_logind(sshd_t)
 
+	init_rw_stream_sockets(sshd_t)
 
+')
 
+
 
 tunable_policy(`ssh_sysadm_login',`
 
 tunable_policy(`ssh_sysadm_login',`
 
 	# Relabel and access ptys created by sshd
 
 	# Relabel and access ptys created by sshd
 
 	# ioctl is necessary for logout() processing for utmp entry and for w to
 
 	# ioctl is necessary for logout() processing for utmp entry and for w to