more ssh agent fixes

This commit is contained in:
Chris PeBenito 2006-07-26 21:16:45 +00:00
parent 528811e040
commit 81aa67fcc0


@ -262,6 +262,10 @@ template(`ssh_per_userdomain_template',`
userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
# Allow the ssh program to communicate with ssh-agent.
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
allow $1_ssh_t $1_ssh_agent_tmp_t:sock_file write;
allow $1_ssh_t $1_ssh_agent_tmp_t:dir search;
allow $1_ssh_t sshd_t:unix_stream_socket connectto;
userdom_use_unpriv_users_fds($1_ssh_t)
@ -320,9 +324,7 @@ template(`ssh_per_userdomain_template',`
allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_ssh_agent_t $1_ssh_agent_tmp_t:dir manage_dir_perms;
allow $1_ssh_agent_t $1_ssh_agent_tmp_t:sock_file manage_file_perms;
@ -330,6 +332,7 @@ template(`ssh_per_userdomain_template',`
# for ssh-add
allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
allow $2 $1_ssh_agent_tmp_t:sock_file write;
# Allow the user shell to signal the ssh program.
allow $2 $1_ssh_agent_t:process signal;
@ -405,12 +408,6 @@ template(`ssh_per_userdomain_template',`
')
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
allow $1_ssh_t $1_tmp_t:sock_file write;
# Allow the ssh program to communicate with ssh-agent.
allow $1_ssh_t $1_tmp_t:sock_file write;
allow $1_ssh_t $2:unix_stream_socket connectto;
') dnl endif TODO
##############################
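Review bot: The ssh-add path opened in the third hunk (`allow $2 $1_ssh_agent_tmp_t:sock_file write;` after `allow $2 $1_ssh_agent_t:unix_stream_socket connectto;`) does not appear to give the user domain `$2` search on the `$1_ssh_agent_tmp_t` directory, while the parallel client path in the first hunk adds `allow $1_ssh_t $1_ssh_agent_tmp_t:dir search;` alongside its sock_file write. Unless `$2` already reaches that directory type through a rule outside this diff, the connect from the user shell would be denied at path lookup before the sock_file write is ever checked, so the intended fix is incomplete; adding `allow $2 $1_ssh_agent_tmp_t:dir search;` next to the new write rule would make the two paths consistent. The first hunk's `allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;` also appears verbatim in the second hunk; if that second copy is context rather than a removal, the rule is now duplicated and one copy should go. The template body starts and ends outside these hunks.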