add nx, bug 1535
This commit is contained in:
Chris PeBenito
parent
46bec43425
commit
6bd449484d
@ -69,6 +69,7 @@
|
||||
nessus
|
||||
nsd
|
||||
ntop
|
||||
nx
|
||||
oav
|
||||
openca
|
||||
openvpn (Petre Rodan)
|
||||
|
||||
5
refpolicy/policy/modules/services/nx.fc
Normal file
5
refpolicy/policy/modules/services/nx.fc
Normal file
@ -0,0 +1,5 @@
|
||||
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
|
||||
|
||||
/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
|
||||
|
||||
/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
|
||||
22
refpolicy/policy/modules/services/nx.if
Normal file
22
refpolicy/policy/modules/services/nx.if
Normal file
@ -0,0 +1,22 @@
|
||||
## <summary>NX remote desktop</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to NX server.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nx_spec_domtrans_server',`
|
||||
gen_require(`
|
||||
type nx_server_t, nx_server_exec_t;
|
||||
')
|
||||
|
||||
domain_trans($1,nx_server_exec_t,nx_server_t)
|
||||
allow nx_server_t $1:fd use;
|
||||
allow nx_server_t $1:fifo_file rw_file_perms;
|
||||
allow nx_server_t $1:process sigchld;
|
||||
')
|
||||
93
refpolicy/policy/modules/services/nx.te
Normal file
93
refpolicy/policy/modules/services/nx.te
Normal file
@ -0,0 +1,93 @@
|
||||
|
||||
policy_module(nx,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type nx_server_t;
|
||||
type nx_server_exec_t;
|
||||
domain_type(nx_server_t)
|
||||
domain_entry_file(nx_server_t,nx_server_exec_t)
|
||||
domain_user_exemption_target(nx_server_t)
|
||||
# we need an extra role because nxserver is called from sshd
|
||||
# cjp: do we really need this?
|
||||
role nx_server_r types nx_server_t;
|
||||
allow system_r nx_server_r;
|
||||
|
||||
type nx_server_devpts_t;
|
||||
term_user_pty(nx_server_t,nx_server_devpts_t)
|
||||
|
||||
type nx_server_tmp_t;
|
||||
files_tmp_file(nx_server_tmp_t)
|
||||
|
||||
type nx_server_var_run_t;
|
||||
files_pid_file(nx_server_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# NX server local policy
|
||||
#
|
||||
|
||||
allow nx_server_t self:fifo_file { getattr ioctl read write };
|
||||
allow nx_server_t self:tcp_socket create_socket_perms;
|
||||
allow nx_server_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow nx_server_t nx_server_devpts_t:chr_file { rw_file_perms setattr };
|
||||
term_create_pty(nx_server_t,nx_server_devpts_t)
|
||||
|
||||
allow nx_server_t nx_server_tmp_t:dir manage_dir_perms;
|
||||
allow nx_server_t nx_server_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
|
||||
|
||||
allow nx_server_t nx_server_var_run_t:file manage_file_perms;
|
||||
allow nx_server_t nx_server_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(nx_server_t,nx_server_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(nx_server_t)
|
||||
kernel_read_kernel_sysctls(nx_server_t)
|
||||
|
||||
# nxserver is a shell script --> call other programs
|
||||
corecmd_exec_shell(nx_server_t)
|
||||
corecmd_exec_bin(nx_server_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(nx_server_t)
|
||||
corenet_tcp_sendrecv_generic_if(nx_server_t)
|
||||
corenet_udp_sendrecv_generic_if(nx_server_t)
|
||||
corenet_tcp_sendrecv_all_nodes(nx_server_t)
|
||||
corenet_udp_sendrecv_all_nodes(nx_server_t)
|
||||
corenet_tcp_sendrecv_all_ports(nx_server_t)
|
||||
corenet_udp_sendrecv_all_ports(nx_server_t)
|
||||
corenet_tcp_connect_all_ports(nx_server_t)
|
||||
|
||||
dev_read_urand(nx_server_t)
|
||||
|
||||
files_read_etc_files(nx_server_t)
|
||||
files_read_etc_runtime_files(nx_server_t)
|
||||
# for reading the config files; maybe a separate type,
|
||||
# but users need to be able to also read the config
|
||||
files_read_usr_files(nx_server_t)
|
||||
|
||||
libs_use_ld_so(nx_server_t)
|
||||
libs_use_shared_libs(nx_server_t)
|
||||
|
||||
miscfiles_read_localization(nx_server_t)
|
||||
|
||||
seutil_dontaudit_search_config(nx_server_t)
|
||||
|
||||
sysnet_read_config(nx_server_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# clients already have create permissions; the nxclient wants to also have unlink rights
|
||||
allow userdomain xdm_tmp_t:sock_file unlink;
|
||||
# for a lockfile created by the client process
|
||||
allow nx_server_t user_tmpfile:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# SSH component local policy
|
||||
#
|
||||
|
||||
ssh_basic_client_template(nx_server,nx_server_t,nx_server_r)
|
||||
@ -1,5 +1,186 @@
|
||||
## <summary>Secure shell client and server policy.</summary>
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Basic SSH client template.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domains which are used
|
||||
## for ssh client sessions. A derived
|
||||
## type is also created to protect the user ssh keys.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template was added for NX.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`ssh_basic_client_template',`
|
||||
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
type ssh_exec_t, sshd_key_t;
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
type sshd_tmp_t;
|
||||
')
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type $1_ssh_t;
|
||||
domain_type($1_ssh_t)
|
||||
domain_entry_file($1_ssh_t,ssh_exec_t)
|
||||
role $3 types $1_ssh_t;
|
||||
|
||||
type $1_home_ssh_t;
|
||||
files_type($1_home_ssh_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Client local policy
|
||||
#
|
||||
|
||||
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_ssh_t self:fd use;
|
||||
allow $1_ssh_t self:fifo_file rw_file_perms;
|
||||
allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow $1_ssh_t self:shm create_shm_perms;
|
||||
allow $1_ssh_t self:sem create_sem_perms;
|
||||
allow $1_ssh_t self:msgq create_msgq_perms;
|
||||
allow $1_ssh_t self:msg { send receive };
|
||||
allow $1_ssh_t self:tcp_socket create_socket_perms;
|
||||
|
||||
# for rsync
|
||||
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
|
||||
allow $1_ssh_t $2:unix_stream_socket connectto;
|
||||
|
||||
# Read the ssh key file.
|
||||
allow $1_ssh_t sshd_key_t:file r_file_perms;
|
||||
|
||||
# Transition from the domain to the derived domain.
|
||||
domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
|
||||
allow $2 $1_ssh_t:fd use;
|
||||
allow $1_ssh_t $2:fd use;
|
||||
allow $1_ssh_t $2:fifo_file rw_file_perms;
|
||||
allow $1_ssh_t $2:process sigchld;
|
||||
|
||||
# inheriting stream sockets is needed for "ssh host command" as no pty
|
||||
# is allocated
|
||||
# cjp: should probably fix target to be an attribute for ssh servers
|
||||
# or "regular" (not special like sshd_extern_t) servers
|
||||
allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
|
||||
|
||||
# allow ps to show ssh
|
||||
allow $2 $1_ssh_t:dir { search getattr read };
|
||||
allow $2 $1_ssh_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_ssh_t:process getattr;
|
||||
|
||||
# user can manage the keys and config
|
||||
allow $2 $1_home_ssh_t:dir rw_dir_perms;
|
||||
allow $2 $1_home_ssh_t:file create_file_perms;
|
||||
allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
|
||||
allow $2 $1_home_ssh_t:sock_file create_file_perms;
|
||||
|
||||
# ssh client can manage the keys and config
|
||||
allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
|
||||
allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
|
||||
allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
|
||||
|
||||
# ssh servers can read the user keys and config
|
||||
allow ssh_server $1_home_ssh_t:dir r_dir_perms;
|
||||
allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
|
||||
allow ssh_server $1_home_ssh_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls($1_ssh_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_ssh_t)
|
||||
corenet_tcp_sendrecv_all_if($1_ssh_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_ssh_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_ssh_t)
|
||||
corenet_tcp_connect_ssh_port($1_ssh_t)
|
||||
|
||||
dev_read_urand($1_ssh_t)
|
||||
|
||||
fs_getattr_all_fs($1_ssh_t)
|
||||
fs_search_auto_mountpoints($1_ssh_t)
|
||||
|
||||
# run helper programs - needed eg for x11-ssh-askpass
|
||||
corecmd_exec_shell($1_ssh_t)
|
||||
corecmd_exec_bin($1_ssh_t)
|
||||
corecmd_list_sbin($1_ssh_t)
|
||||
corecmd_read_sbin_symlinks($1_ssh_t)
|
||||
|
||||
domain_use_interactive_fds($1_ssh_t)
|
||||
|
||||
files_list_home($1_ssh_t)
|
||||
files_read_usr_files($1_ssh_t)
|
||||
files_read_etc_runtime_files($1_ssh_t)
|
||||
files_read_etc_files($1_ssh_t)
|
||||
files_read_var_files($1_ssh_t)
|
||||
|
||||
libs_use_ld_so($1_ssh_t)
|
||||
libs_use_shared_libs($1_ssh_t)
|
||||
|
||||
logging_send_syslog_msg($1_ssh_t)
|
||||
logging_read_generic_logs($1_ssh_t)
|
||||
|
||||
miscfiles_read_localization($1_ssh_t)
|
||||
|
||||
seutil_read_config($1_ssh_t)
|
||||
|
||||
sysnet_read_config($1_ssh_t)
|
||||
sysnet_dns_name_resolve($1_ssh_t)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
# Access the ssh temporary files.
|
||||
allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
|
||||
allow $1_ssh_t sshd_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_ssh_t)
|
||||
files_read_default_files($1_ssh_t)
|
||||
files_read_default_symlinks($1_ssh_t)
|
||||
files_read_default_sockets($1_ssh_t)
|
||||
files_read_default_pipes($1_ssh_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1_ssh_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_ssh_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_ssh_t)
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per user domain template for the ssh module.
|
||||
@ -35,10 +216,7 @@
|
||||
#
|
||||
template(`ssh_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
type ssh_exec_t, ssh_agent_exec_t;
|
||||
type sshd_key_t, ssh_keysign_exec_t;
|
||||
type sshd_tmp_t, sshd_t;
|
||||
type ssh_agent_exec_t, ssh_keysign_exec_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
@ -46,13 +224,9 @@ template(`ssh_per_userdomain_template',`
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type $1_home_ssh_t;
|
||||
userdom_user_home_content($1,$1_home_ssh_t)
|
||||
role $3 types $1_ssh_t;
|
||||
ssh_basic_client_template($1,$2,$3)
|
||||
|
||||
type $1_ssh_t;
|
||||
domain_type($1_ssh_t)
|
||||
domain_entry_file($1_ssh_t,ssh_exec_t)
|
||||
userdom_user_home_content($1,$1_home_ssh_t)
|
||||
|
||||
type $1_ssh_agent_t;
|
||||
domain_type($1_ssh_agent_t)
|
||||
@ -69,21 +243,8 @@ template(`ssh_per_userdomain_template',`
|
||||
|
||||
##############################
|
||||
#
|
||||
# $1_ssh_t local policy
|
||||
# Client local policy
|
||||
#
|
||||
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_ssh_t self:fd use;
|
||||
allow $1_ssh_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow $1_ssh_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow $1_ssh_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow $1_ssh_t self:unix_dgram_socket sendto;
|
||||
allow $1_ssh_t self:unix_stream_socket connectto;
|
||||
allow $1_ssh_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow $1_ssh_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow $1_ssh_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow $1_ssh_t self:msg { send receive };
|
||||
allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||
|
||||
allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
|
||||
allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
|
||||
@ -92,107 +253,16 @@ template(`ssh_per_userdomain_template',`
|
||||
allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
|
||||
fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
|
||||
allow $2 $1_ssh_t:fd use;
|
||||
allow $1_ssh_t $2:fd use;
|
||||
allow $1_ssh_t $2:fifo_file rw_file_perms;
|
||||
allow $1_ssh_t $2:process sigchld;
|
||||
|
||||
# Read the ssh key file.
|
||||
allow $1_ssh_t sshd_key_t:file r_file_perms;
|
||||
|
||||
# Access the ssh temporary files.
|
||||
allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
|
||||
allow $1_ssh_t sshd_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
|
||||
|
||||
# for rsync
|
||||
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
|
||||
allow $1_ssh_t $2:unix_stream_socket connectto;
|
||||
|
||||
# user can manage the keys and config
|
||||
allow $2 $1_home_ssh_t:dir rw_dir_perms;
|
||||
allow $2 $1_home_ssh_t:file create_file_perms;
|
||||
allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
|
||||
allow $2 $1_home_ssh_t:sock_file create_file_perms;
|
||||
|
||||
# inheriting stream sockets is needed for "ssh host command" as no pty
|
||||
# is allocated
|
||||
# cjp: should probably fix target to be an attribute for ssh servers
|
||||
# or "regular" (not special like sshd_extern_t) servers
|
||||
allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
|
||||
# ssh client can manage the keys and config
|
||||
userdom_search_user_home_dirs($1,$1_ssh_t)
|
||||
allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
|
||||
allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
|
||||
allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
|
||||
|
||||
# ssh servers can read the user keys and config
|
||||
allow ssh_server $1_home_ssh_t:dir r_dir_perms;
|
||||
allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
|
||||
allow ssh_server $1_home_ssh_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls($1_ssh_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_ssh_t)
|
||||
corenet_raw_sendrecv_all_if($1_ssh_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_ssh_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_ssh_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_ssh_t)
|
||||
corenet_non_ipsec_sendrecv($1_ssh_t)
|
||||
corenet_tcp_bind_all_nodes($1_ssh_t)
|
||||
corenet_tcp_connect_ssh_port($1_ssh_t)
|
||||
|
||||
dev_read_urand($1_ssh_t)
|
||||
|
||||
fs_getattr_all_fs($1_ssh_t)
|
||||
fs_search_auto_mountpoints($1_ssh_t)
|
||||
|
||||
# run helper programs - needed eg for x11-ssh-askpass
|
||||
corecmd_exec_shell($1_ssh_t)
|
||||
corecmd_exec_bin($1_ssh_t)
|
||||
corecmd_list_sbin($1_ssh_t)
|
||||
corecmd_read_sbin_symlinks($1_ssh_t)
|
||||
# cjp: these are probably not needed:
|
||||
corecmd_read_sbin_files($1_ssh_t)
|
||||
corecmd_read_sbin_pipes($1_ssh_t)
|
||||
corecmd_read_sbin_sockets($1_ssh_t)
|
||||
|
||||
domain_use_interactive_fds($1_ssh_t)
|
||||
|
||||
files_list_home($1_ssh_t)
|
||||
files_read_usr_files($1_ssh_t)
|
||||
files_read_etc_runtime_files($1_ssh_t)
|
||||
files_read_etc_files($1_ssh_t)
|
||||
files_read_var_files($1_ssh_t)
|
||||
|
||||
libs_use_ld_so($1_ssh_t)
|
||||
libs_use_shared_libs($1_ssh_t)
|
||||
|
||||
logging_send_syslog_msg($1_ssh_t)
|
||||
logging_read_generic_logs($1_ssh_t)
|
||||
|
||||
miscfiles_read_localization($1_ssh_t)
|
||||
|
||||
seutil_read_config($1_ssh_t)
|
||||
|
||||
sysnet_read_config($1_ssh_t)
|
||||
sysnet_dns_name_resolve($1_ssh_t)
|
||||
allow $1_ssh_t $1_home_ssh_t:dir manage_dir_perms;
|
||||
allow $1_ssh_t $1_home_ssh_t:sock_file manage_file_perms;
|
||||
userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
|
||||
|
||||
userdom_use_unpriv_users_fds($1_ssh_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
|
||||
userdom_search_user_home_dirs($1,$1_ssh_t)
|
||||
# Write to the user domain tty.
|
||||
userdom_use_user_terminals($1,$1_ssh_t)
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_ssh_t)
|
||||
files_read_default_files($1_ssh_t)
|
||||
files_read_default_symlinks($1_ssh_t)
|
||||
files_read_default_sockets($1_ssh_t)
|
||||
files_read_default_pipes($1_ssh_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_ssh_t)
|
||||
fs_manage_nfs_files($1_ssh_t)
|
||||
@ -208,44 +278,17 @@ template(`ssh_per_userdomain_template',`
|
||||
corenet_tcp_bind_ssh_port($1_ssh_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1_ssh_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_ssh_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_ssh_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
|
||||
xserver_domtrans_user_xauth($1,$1_ssh_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Read /var/run, /var/log.
|
||||
allow $1_ssh_t var_run_t:dir r_dir_perms;
|
||||
allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
|
||||
|
||||
allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
|
||||
|
||||
# Access the users .ssh directory.
|
||||
file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
|
||||
file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
|
||||
allow sysadm_ssh_t $1_home_ssh_t:file create_file_perms;
|
||||
allow sysadm_ssh_t $1_home_ssh_t:lnk_file { getattr read };
|
||||
dontaudit $1_ssh_t $1_home_t:dir { getattr search };
|
||||
|
||||
# for /bin/sh used to execute xauth
|
||||
dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
|
||||
|
||||
# allow ps to show ssh
|
||||
can_ps($1_t, $1_ssh_t)
|
||||
|
||||
#allow ssh to access keys stored on removable media
|
||||
# Should we have a boolean around this?
|
||||
files_search_mnt($1_ssh_t)
|
||||
@ -552,11 +595,11 @@ template(`ssh_server_template', `
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_send_nfs_client_request($1_t)
|
||||
nscd_socket_use($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_t)
|
||||
nx_spec_domtrans_server($1_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ssh,1.3.2)
|
||||
policy_module(ssh,1.3.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
Loading…
Reference in New Issue
Block a user