[refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep

Laurent Bigonville bigon at debian.org
Sat Jan 25 05:43:56 EST 2014


From: Laurent Bigonville <bigon at bigon.be>

Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.

Thanks to Russell Coker for this patch
---
 policy/modules/services/ssh.fc | 2 ++
 policy/modules/services/ssh.te | 1 +
 2 files changed, 3 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..8168244 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
 
+/var/run/sshd(/.*)?			gen_context(system_u:object_r:sshd_var_run_t,s0)
 /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..a19c9f9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -34,6 +34,7 @@ ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
 
 ifdef(`distro_debian',`
+	allow sshd_t sshd_var_run_t:dir { getattr search };
 	init_daemon_run_dir(sshd_var_run_t, "sshd")
 ')
 
-- 
1.8.5.3



More information about the refpolicy mailing list