ssh updates for targeted

refpolicy/policy/global_tunables

@@ -4,6 +4,11 @@
 # file should be used.
 #
 
+########################################
+#
+# Common tunables
+#
+
 ## Allow making anonymous memory executable, e.g. 
 ## for runtime-code generation or executable stack.
 gen_tunable(allow_execmem,false)
@@ -107,10 +112,6 @@ gen_tunable(squid_connect_any,false)
 ## Allow ssh logins as sysadm_r:sysadm_t
 gen_tunable(ssh_sysadm_login,false)
 
-## Allow staff_r users to search the sysadm home 
-## dir and read files (such as ~/.bashrc)
-gen_tunable(staff_read_sysadm_file,false)
-
 ## Configure stunnel to be a standalone daemon or
 ## inetd service.
 gen_tunable(stunnel_is_daemon,false)
@@ -154,6 +155,10 @@ gen_tunable(read_untrusted_content,false)
 ## Allow user spamassassin clients to use the network.
 gen_tunable(spamassassin_can_network,false)
 
+## Allow staff_r users to search the sysadm home 
+## dir and read files (such as ~/.bashrc)
+gen_tunable(staff_read_sysadm_file,false)
+
 ## Allow regular users direct mouse access 
 gen_tunable(user_direct_mouse,false)
 
@@ -164,7 +169,8 @@ gen_tunable(user_dmesg,false)
 ## (also needs USERCTL=true)
 gen_tunable(user_net_control,false)
 
-## Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
+## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
 gen_tunable(user_rw_noexattrfile,false)
 
 ## Allow users to rw usb devices

refpolicy/policy/modules/services/ssh.te

@@ -8,18 +8,12 @@ policy_module(ssh,1.0)
 
 attribute ssh_server;
 
-# Type for the ssh-agent executable.
-type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
-
 # ssh client executable.
 type ssh_exec_t;
 files_type(ssh_exec_t)
 
-type ssh_keygen_t;
 type ssh_keygen_exec_t;
-init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+files_type(ssh_keygen_exec_t)
-role system_r types ssh_keygen_t;
 
 type ssh_keysign_exec_t;
 files_type(ssh_keysign_exec_t)
@@ -31,6 +25,21 @@ gen_require(`
 ')
 files_type(sshd_exec_t)
 
+type sshd_key_t;
+files_type(sshd_key_t)
+
+ifdef(`targeted_policy',`
+	unconfined_alias_domain(sshd_t)
+	init_system_domain(sshd_t,sshd_exec_t)
+',`
+	# Type for the ssh-agent executable.
+	type ssh_agent_exec_t;
+	files_type(ssh_agent_exec_t)
+
+	type ssh_keygen_t;
+	init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+	role system_r types ssh_keygen_t;
+
 	ssh_server_template(sshd)
 	ssh_server_template(sshd_extern)
 
@@ -47,11 +56,9 @@ ssh_server_template(sshd_extern)
 		init_daemon_domain(sshd_t,sshd_exec_t)
 #	')
 
-type sshd_key_t;
-files_type(sshd_key_t)
-
 	type sshd_tmp_t;
 	files_tmp_file(sshd_tmp_t)
+')
 
 #################################
 #
@@ -60,6 +67,7 @@ files_tmp_file(sshd_tmp_t)
 # sshd_t is the domain for the sshd program.
 #
 
+ifdef(`targeted_policy',`',`
 	# so a tunnel can point to another ssh tunnel
 	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
 
@@ -121,6 +129,7 @@ tunable_policy(`ssh_sysadm_login',`
 		allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
 	')
 	') dnl endif TODO
+')
 
 #################################
 #
@@ -129,6 +138,7 @@ tunable_policy(`ssh_sysadm_login',`
 # sshd_extern_t is the domain for ssh from outside our network
 #
 
+ifdef(`targeted_policy',`',`
 	ifdef(`TODO',`
 	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
 	# Signal the user domains.
@@ -172,12 +182,14 @@ allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
 	allow userdomain kernel_t:tcp_socket recvfrom;
 	allow sshd_t kernel_t:tcp_socket recvfrom;
 	') dnl endif TODO
+')
 
 ########################################
 #
 # ssh_keygen local policy
 #
 
+ifdef(`targeted_policy',`',`
 	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
 	# and by sysadm_t
 
@@ -241,3 +253,4 @@ optional_policy(`rhgb.te', `
 		rhgb_domain(ssh_keygen_t)
 	')
 	')
+')

refpolicy/policy/modules/services/xdm.te

@@ -6,12 +6,11 @@ policy_module(xdm,1.0)
 # Declarations
 #
 
-# hack until all of strict is converted
+ifdef(`targeted_policy',`
-#type xdm_t;
+	unconfined_alias_domain(xdm_t)
-gen_require(`
+',`
-	type unconfined_t;
+	type xdm_t;
 ')
-typealias unconfined_t alias xdm_t;
 
 # real declaration moved to mls until
 # range_transition works in loadable modules

refpolicy/policy/modules/system/unconfined.if

@@ -261,3 +261,28 @@ interface(`unconfined_role',`
 
 	role $1 types unconfined_t;
 ')
+
+########################################
+## <summary>
+##	Add an alias type to the unconfined domain.
+## </summary>
+## <desc>
+##	<p>
+##	Add an alias type to the unconfined domain.
+##	</p>
+##	<p>
+##	This is added to support targeted policy.  Its
+##	use should be very limited.
+##	</p>
+## </desc>
+## <param name="domain">
+##	New alias of the unconfined domain.
+## </param>
+#
+interface(`unconfined_alias_domain',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	typealias unconfined_t alias $1;
+')