[refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep

Christopher J. PeBenito cpebenito at tresys.com
Fri Jan 31 22:02:27 EST 2014


On 1/27/2014 5:18 PM, Laurent Bigonville wrote:
> On Mon, 27 Jan 2014 13:23:02 -0500,
> "Christopher J. PeBenito" <cpebenito at tresys.com> wrote:
> 
>> On 01/25/14 05:43, Laurent Bigonville wrote:
>>> diff --git a/policy/modules/services/ssh.te
>>> b/policy/modules/services/ssh.te index 30726f2..a19c9f9 100644
>>> --- a/policy/modules/services/ssh.te
>>> +++ b/policy/modules/services/ssh.te
>>> @@ -34,6 +34,7 @@ ssh_server_template(sshd)
>>>  init_daemon_domain(sshd_t, sshd_exec_t)
>>>  
>>>  ifdef(`distro_debian',`
>>> +	allow sshd_t sshd_var_run_t:dir { getattr search };
>>>  	init_daemon_run_dir(sshd_var_run_t, "sshd")
>>>  ')
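
Review bot: the added allow rule spells out the directory permissions by hand as { getattr search }; using the search_dir_perms permission set instead ("allow sshd_t sshd_var_run_t:dir search_dir_perms;") keeps it consistent with how directory search access is written elsewhere in the policy. The rule also sits inside the distro_debian ifdef and names sshd_t directly, so the access is granted only on Debian builds and only to this one domain. If any domain created through ssh_server_template() needs to search its own run directory, the rule belongs in the template and outside the ifdef, leaving only init_daemon_run_dir() distro-specific.
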
>>
>> This looks like it should be in ssh_server_template().  Also please
>> use search_dir_perms permission set.
>>
> 
> Shouldn't the complete ifdef be moved to this then?
 
The init_daemon_run_dir() pairs up with the sshd_var_run_t declaration inside the ssh_server_template(), so no.  However, it should probably move to the end of the declarations block.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com