work on user transition
This commit is contained in:
parent
c13146d97a
commit
e5590ea5ec
@ -366,6 +366,44 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
|
||||
dontaudit $1 ptynode:chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of all user
|
||||
## pty device nodes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_setattr_all_user_ptys',`
|
||||
gen_require(`
|
||||
attribute ptynode;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devpts_t:dir r_dir_perms;
|
||||
allow $1 ptynode:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to all user ptys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_relabelto_all_user_ptys',`
|
||||
gen_require(`
|
||||
attribute ptynode;
|
||||
class chr_file relabelto;
|
||||
')
|
||||
|
||||
allow $1 ptynode:chr_file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Read and write all user ptys.
|
||||
|
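Review bot: `term_setattr_all_user_ptys` uses `devpts_t` in `allow $1 devpts_t:dir r_dir_perms;` but its `gen_require` block only lists `attribute ptynode` and the two class permissions, so a module that calls this interface has no declaration bringing the type into scope; add `type devpts_t;` to the require block. The sibling `term_relabelto_all_user_ptys` grants only `chr_file relabelto` and no directory search, so it presumably depends on the caller also having `term_use_all_user_ptys` or `term_setattr_all_user_ptys`; a one-line note in its summary, e.g. `## Intended to be paired with term_use_all_user_ptys.`, would make that dependency explicit. Of the three new rights, `setattr` on every user pty is the widest, and the summary currently says only what it grants, not that it is meant for pty-allocating services.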
@ -77,6 +77,12 @@ template(`ssh_per_userdomain_template',`
|
||||
allow $1_t $1_home_ssh_t:lnk_file create_lnk_perms;
|
||||
allow $1_t $1_home_ssh_t:sock_file create_file_perms;
|
||||
|
||||
# inheriting stream sockets is needed for "ssh host command" as no pty
|
||||
# is allocated
|
||||
# cjp: should probably fix target to be an attribute for ssh servers
|
||||
# or "regular" (not special like sshd_extern_t) servers
|
||||
allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
|
||||
# ssh client can manage the keys and config
|
||||
allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
|
||||
allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
|
||||
|
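Review bot: `allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;` gives every per-user domain read/write on sshd_t's stream sockets unconditionally, whereas the matching rule in ssh.te's TODO block (`allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;`) sits only inside the ssh_sysadm_login branch; if the unconditional grant is intended the comment should say so, since the "ssh host command" rationale applies to every user but the old gating did not. The `cjp:` note reads as a personal marker; `# TODO: target should be an attribute covering ssh servers` keeps the intent without the initials. The enclosing template starts and ends outside the hunk.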
@ -72,30 +72,33 @@ seutil_read_config(sshd_t)
|
||||
# Allow checking users mail at login
|
||||
mta_getattr_spool(sshd_t)
|
||||
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t ptyfile:chr_file relabelto;
|
||||
term_use_all_user_ptys(sshd_t)
|
||||
term_setattr_all_user_ptys(sshd_t)
|
||||
term_relabelto_all_user_ptys(sshd_t)
|
||||
|
||||
userdom_spec_domtrans_all_users(sshd_t)
|
||||
userdom_signal_all_users(sshd_t)
|
||||
',`
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_use_script_fd(sshd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
userdom_spec_domtrans_all_users(sshd_t)
|
||||
userdom_signal_all_users(sshd_t)
|
||||
|
||||
optional_policy(`xauth.te',`
|
||||
domain_trans(sshd_t, xauth_exec_t, userdomain)
|
||||
')
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr };
|
||||
# inheriting stream sockets is needed for "ssh host command" as no pty
|
||||
# is allocated
|
||||
allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
',`
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
|
||||
optional_policy(`xauth.te',`
|
||||
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
|
||||
')
|
||||
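Review bot: `allow sshd_t ptyfile:chr_file relabelto;` and `term_relabelto_all_user_ptys(sshd_t)` both appear in the ssh_sysadm_login branch; if the raw allow is still present on the new side it duplicates the new interface call and references the `ptyfile` attribute directly rather than through the interface this commit introduces, so the raw line should go. The three term_* calls are only in the true branch of the tunable, which leaves sshd with no pty relabel/setattr rights when ssh_sysadm_login is off; that mirrors the old rules in the TODO block rather than a choice this commit makes, but it is worth confirming it is intended. The ifdef(TODO) block that follows still carries a second copy of the same comments and rules and is dead until TODO is defined.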
@ -104,14 +107,7 @@ tunable_policy(`ssh_sysadm_login',`
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
|
||||
# inheriting stream sockets is needed for "ssh host command" as no pty
|
||||
# is allocated
|
||||
allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
')
|
||||
|
||||
# for when the network connection breaks after running newrole -r sysadm_r
|
||||
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
|