rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

changes to make inetd work

Browse Source
This commit is contained in:
Chris PeBenito 2005-06-27 18:37:33 +00:00
parent 24bf11c62a
commit 80436b9b8f
4 changed files with 101 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
refpolicy/policy/modules/services/ssh.if
View File

@ -211,7 +211,7 @@ template(`ssh_per_userdomain_template',`
#allow ssh to access keys stored on removable media #allow ssh to access keys stored on removable media
# Should we have a boolean around this? # Should we have a boolean around this?
allow $1_ssh_t mnt_t:dir search; files_search_mnt($1_ssh_t)
r_dir_file($1_ssh_t, removable_t) r_dir_file($1_ssh_t, removable_t)
ifdef(`xdm.te', ` ifdef(`xdm.te', `
@ -404,6 +404,10 @@ template(`sshd_program_domain', `
auth_rw_login_records($1_t) auth_rw_login_records($1_t)
auth_rw_lastlog($1_t) auth_rw_lastlog($1_t)
corecmd_read_bin_symlink($1_t)
# for sshd subsystems, such as sftp-server.
corecmd_getattr_bin_file($1_t)
domain_wide_inherit_fd($1_t) domain_wide_inherit_fd($1_t)
domain_subj_id_change_exempt($1_t) domain_subj_id_change_exempt($1_t)
domain_role_change_exempt($1_t) domain_role_change_exempt($1_t)
@ -436,43 +440,36 @@ template(`sshd_program_domain', `
fs_read_cifs_files($1_t) fs_read_cifs_files($1_t)
') ')
optional_policy(`inetd.te',`
tunable_policy(`run_ssh_inetd',`
allow $1_t self:process signal;
files_list_pids($1_t)
',`
corenet_tcp_bind_ssh_port($1_t)
init_use_fd($1_t)
init_use_script_pty($1_t)
')
',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
corenet_tcp_bind_ssh_port($1_t)
init_use_fd($1_t)
init_use_script_pty($1_t)
')
optional_policy(`mount.te', ` optional_policy(`mount.te', `
mount_send_nfs_client_request($1_t) mount_send_nfs_client_request($1_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow $1_t bin_t:dir search;
allow $1_t bin_t:lnk_file read;
# for sshd subsystems, such as sftp-server.
allow $1_t bin_t:file getattr;
# Read /var. # Read /var.
allow $1_t var_t:dir getattr; allow $1_t var_t:dir getattr;
allow $1_t { home_root_t home_dir_type }:dir getattr; allow $1_t home_dir_type:dir getattr;
dontaudit sshd_t userpty_type:chr_file relabelfrom; dontaudit sshd_t userpty_type:chr_file relabelfrom;
optional_policy(`inetd.te',`
if (run_ssh_inetd) {
allow $1_t self:process signal;
allow $1_t inetd_t:tcp_socket rw_socket_perms;
allow $1_t var_run_t:dir getattr;
files_search_pids($1_t)
} else {
corenet_tcp_bind_ssh_port($1_t)
init_use_fd($1_t)
init_use_script_pty($1_t)
}
',`
# These rules should match the else block
# of the run_ssh_inetd conditional directly above
corenet_tcp_bind_ssh_port($1_t)
init_use_fd($1_t)
init_use_script_pty($1_t)
')
') dnl end TODO ') dnl end TODO
') ')

34
refpolicy/policy/modules/services/ssh.te
View File

@ -23,6 +23,19 @@ role system_r types ssh_keygen_t;
sshd_program_domain(sshd) sshd_program_domain(sshd)
optional_policy(`inetd.te',`
# CJP: commenting this out until typeattribute works in a conditional
# tunable_policy(`run_ssh_inetd',`
inetd_tcp_service_domain(sshd_t,sshd_exec_t)
# ',`
# init_daemon_domain(sshd_t,sshd_exec_t)
# ')
',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
init_daemon_domain(sshd_t,sshd_exec_t)
')
type sshd_exec_t; type sshd_exec_t;
files_file_type(sshd_exec_t) files_file_type(sshd_exec_t)
@ -59,18 +72,6 @@ seutil_read_config(sshd_t)
# Allow checking users mail at login # Allow checking users mail at login
mta_getattr_spool(sshd_t) mta_getattr_spool(sshd_t)
optional_policy(`inetd.te',`
tunable_policy(`run_ssh_inetd',`
inetd_service_domain(sshd_t,sshd_exec_t)
',`
init_daemon_domain(sshd_t,sshd_exec_t)
')
',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
init_daemon_domain(sshd_t,sshd_exec_t)
')
ifdef(`TODO',` ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',` tunable_policy(`ssh_sysadm_login',`
userdom_spec_domtrans_all_users(sshd_t) userdom_spec_domtrans_all_users(sshd_t)
@ -104,11 +105,6 @@ tunable_policy(`ssh_sysadm_login',`
allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms; allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
') ')
# this goes to inetd
tunable_policy(`run_ssh_inetd',`
corenet_tcp_bind_ssh_port(inetd_t)
')
# for when the network connection breaks after running newrole -r sysadm_r # for when the network connection breaks after running newrole -r sysadm_r
dontaudit sshd_t sysadm_devpts_t:chr_file setattr; dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
@ -161,10 +157,6 @@ domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
role_transition sysadm_r sshd_exec_t system_r; role_transition sysadm_r sshd_exec_t system_r;
') ')
# so a tunnel can point to another ssh tunnel...
allow sshd_t kernel_t:tcp_socket recvfrom;
allow sshd_t kernel_t:tcp_socket recvfrom;
# for port forwarding # for port forwarding
allow userdomain sshd_t:tcp_socket { connectto recvfrom }; allow userdomain sshd_t:tcp_socket { connectto recvfrom };
allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom }; allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };

57
refpolicy/policy/modules/system/corecommands.if
View File

@ -3,10 +3,12 @@
## in /bin, /sbin, /usr/bin, and /usr/sbin. ## in /bin, /sbin, /usr/bin, and /usr/sbin.
## </summary> ## </summary>
####################################### ## <summary>
# ## Make the shell an entrypoint for the specified domain.
# corecmd_shell_entry_type(domain) ## </summary>
# ## <param name="domain">
## The domain for which the shell is an entrypoint.
## </param>
interface(`corecmd_shell_entry_type',` interface(`corecmd_shell_entry_type',`
gen_require(` gen_require(`
type shell_exec_t; type shell_exec_t;
@ -41,6 +43,38 @@ interface(`corecmd_list_bin',`
allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:dir r_dir_perms;
') ')
## <summary>
## Get the attributes of files in bin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
interface(`corecmd_getattr_bin_file',`
gen_require(`
type bin_t;
class file getattr;
')
allow $1 bin_t:file getattr;
')
## <summary>
## Read symbolic links in bin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
interface(`corecmd_read_bin_symlink',`
gen_require(`
type bin_t;
class dir search;
class lnk_file read;
')
allow $1 bin_t:dir search;
allow $1 bin_t:lnk_file read;
')
######################################## ########################################
# #
# corecmd_exec_bin(domain) # corecmd_exec_bin(domain)
@ -84,6 +118,19 @@ interface(`corecmd_list_sbin',`
allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:dir r_dir_perms;
') ')
########################################
#
# corecmd_getattr_sbin_file(domain)
#
interface(`corecmd_getattr_sbin_file',`
gen_require(`
type sbin_t;
class file getattr;
')
allow $1 sbin_t:file getattr;
')
######################################## ########################################
# #
# corecmd_dontaudit_getattr_sbin_file(domain) # corecmd_dontaudit_getattr_sbin_file(domain)
@ -94,7 +141,7 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
class file getattr; class file getattr;
') ')
allow $1 sbin_t:file getattr; dontaudit $1 sbin_t:file getattr;
') ')
######################################## ########################################

13
refpolicy/policy/modules/system/files.if
View File

@ -647,6 +647,19 @@ interface(`files_list_home',`
allow $1 home_root_t:dir r_dir_perms; allow $1 home_root_t:dir r_dir_perms;
') ')
########################################
#
# files_search_mnt(domain)
#
interface(`files_search_mnt',`
gen_require(`
type mnt_t;
class dir search;
')
allow $1 mnt_t:dir search;
')
######################################## ########################################
# #
# files_list_mnt(domain) # files_list_mnt(domain)