fix sshd
This commit is contained in:
parent
d14c0e7092
commit
f6abfdb89d
@ -108,6 +108,8 @@ template(`ssh_per_userdomain_template',`
|
||||
allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
|
||||
# ssh client can manage the keys and config
|
||||
userdom_search_user_home($1,$1_ssh_t)
|
||||
allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
|
||||
allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
|
||||
allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
|
||||
|
||||
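Review bot: The `lnk_file { getattr read }` rule on $1_home_ssh_t spells out individual permissions while the neighbouring dir and file rules use the policy's permission-set macros (`r_dir_perms`, `create_file_perms`); if the policy defines a read-only lnk_file permission set, using it here keeps the three rules uniform. The comment `# ssh client can manage the keys and config` would be more useful if it said what the client actually writes, since `create_file_perms` also covers unlink and rename on the user's ssh configuration; something like `# ssh client reads keys/config and updates files under the user's ssh dir (e.g. known_hosts)`, assuming write-back is the intent. Which two of these lines are new cannot be recovered from the rendered page, and ssh_per_userdomain_template starts and ends outside the hunk.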
@ -497,6 +499,7 @@ template(`ssh_server_template', `
|
||||
|
||||
sysnet_read_config($1_t)
|
||||
|
||||
userdom_dontaudit_relabelfrom_unpriv_user_pty($1_t)
|
||||
userdom_search_all_users_home($1_t)
|
||||
|
||||
# Allow checking users mail at login
|
||||
@ -540,17 +543,6 @@ template(`ssh_server_template', `
|
||||
optional_policy(`nscd',`
|
||||
nscd_use_socket($1_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Read /var.
|
||||
allow $1_t var_t:dir getattr;
|
||||
|
||||
allow $1_t home_dir_type:dir getattr;
|
||||
|
||||
dontaudit sshd_t userpty_type:chr_file relabelfrom;
|
||||
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -111,6 +111,10 @@ ifdef(`targeted_policy',`',`
|
||||
',`
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
|
||||
userdom_setattr_unpriv_user_pty(sshd_t)
|
||||
userdom_relabelto_unpriv_user_pty(sshd_t)
|
||||
userdom_use_unpriv_user_pty(sshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`daemontools',`
|
||||
|
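Review bot: The three `userdom_*_unpriv_user_pty(sshd_t)` calls are added to the non-targeted branch without a comment, and together they let sshd_t setattr, relabel to, and use every unprivileged user's pty type at once (the interfaces key on the user_ptynode attribute), so a why-comment would help the next reader, e.g. `# sshd allocates the login pty and hands it to the user session: set its attributes and relabel it to the user's pty type`. Only the relabelto direction is granted here while the relabelfrom side is silenced with a dontaudit in ssh_server_template, which is presumably deliberate and worth stating in the same comment. The enclosing ifdef(`targeted_policy') block begins before the hunk, and the targeted branch stays empty.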
@ -3690,6 +3690,39 @@ interface(`userdom_dontaudit_use_unpriv_user_pty',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel files to unprivileged user pty types.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_relabelto_unpriv_user_pty',`
|
||||
gen_require(`
|
||||
attribute user_ptynode;
|
||||
')
|
||||
|
||||
allow $1 user_ptynode:chr_file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to relabel files from
|
||||
## unprivileged user pty types.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_relabelfrom_unpriv_user_pty',`
|
||||
gen_require(`
|
||||
attribute user_ptynode;
|
||||
')
|
||||
|
||||
dontaudit $1 user_ptynode:chr_file relabelfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all unprivileged users temporary directories.
|
||||
|
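Review bot: The summary of `userdom_relabelto_unpriv_user_pty` reads "Relabel files to unprivileged user pty types" but the rule only grants `chr_file relabelto`, so the wording overstates the scope; `## Relabel pty character devices to unprivileged user pty types.` matches the rule, and the relabelfrom summary in the second new interface has the same mismatch. Because both interfaces use the `user_ptynode` attribute, the calling domain gains the permission for every unprivileged user's pty type simultaneously, which is worth noting in a `<desc>` block so that only domains that allocate login ptys call it. The two new interfaces otherwise follow the layout of the existing `userdom_dontaudit_use_unpriv_user_pty` visible in the hunk header.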