Allow users to ptrace and send any kind of signal to their ssh agent instead of only a generic signal.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 09:59:06 +02:00 · 2010-09-16 09:59:06 +02:00 · 50e85752ad
commit 50e85752ad
parent f416df73dd
1 changed files with 2 additions and 2 deletions
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -339,7 +339,7 @@ template(`ssh_role_template',`

 	# allow ps to show ssh
 	ps_process_pattern($3, ssh_t)
-	allow $3 ssh_t:process signal;
+	allow $3 ssh_t:process { ptrace signal_perms };

 	# for rsync
 	allow ssh_t $3:unix_stream_socket rw_socket_perms;
@ -372,7 +372,7 @@ template(`ssh_role_template',`
 	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)

 	# Allow the user shell to signal the ssh program.
-	allow $3 $1_ssh_agent_t:process signal;
+	allow $3 $1_ssh_agent_t:process { ptrace signal_perms };

 	# allow ps to show ssh
 	ps_process_pattern($3, $1_ssh_agent_t)