Changeset 2752
- Timestamp:
- 07/09/08 08:49:46 (5 months ago)
- Files:
-
- branches/rbacsep/policy/modules/roles/auditadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/secadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/staff.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/sysadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/unprivuser.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/ssh.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/ssh.te (modified) (4 diffs)
branches/rbacsep/policy/modules/roles/auditadm.te
r2751 r2752 133 133 134 134 optional_policy(` 135 ssh_role (auditadm_r, auditadm_t)135 ssh_role_template(auditadm, auditadm_r, auditadm_t) 136 136 ') 137 137 branches/rbacsep/policy/modules/roles/secadm.te
r2751 r2752 145 145 146 146 optional_policy(` 147 ssh_role (secadm_r, secadm_t)147 ssh_role_template(secadm, secadm_r, secadm_t) 148 148 ') 149 149 branches/rbacsep/policy/modules/roles/staff.te
r2751 r2752 117 117 118 118 optional_policy(` 119 ssh_role (staff_r, staff_t)119 ssh_role_template(staff, staff_r, staff_t) 120 120 ') 121 121 branches/rbacsep/policy/modules/roles/sysadm.te
r2751 r2752 351 351 352 352 optional_policy(` 353 ssh_role (sysadm_r, sysadm_t)353 ssh_role_template(sysadm, sysadm_r, sysadm_t) 354 354 ') 355 355 branches/rbacsep/policy/modules/roles/unprivuser.te
r2751 r2752 107 107 108 108 optional_policy(` 109 ssh_role (user_r, user_t)109 ssh_role_template(user, user_r, user_t) 110 110 ') 111 111 branches/rbacsep/policy/modules/services/ssh.if
r2727 r2752 292 292 ## Role access for ssh 293 293 ## </summary> 294 ## <param name="role_prefix"> 295 ## <summary> 296 ## The prefix of the role (e.g., user 297 ## is the prefix for user_r). 298 ## </summary> 299 ## </param> 294 300 ## <param name="role"> 295 301 ## <summary> … … 303 309 ## </param> 304 310 # 305 interface(`ssh_role',` 306 gen_require(` 311 template(`ssh_role_template',` 312 gen_require(` 313 attribute ssh_agent_type; 314 307 315 type ssh_t, ssh_exec_t, ssh_tmpfs_t, home_ssh_t; 308 type ssh_agent_t, ssh_agent_exec_t, ssh_agent_tmp_t; 309 type ssh_keysign_t, ssh_tmpfs_t; 310 ') 311 312 role $1 types { ssh_t ssh_tmpfs_t home_ssh_t ssh_tmpfs_t }; 313 role $1 types { ssh_agent_t ssh_agent_tmp_t ssh_keysign_t }; 316 type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; 317 ') 318 319 ############################## 320 # 321 # Declarations 322 # 323 324 type $1_ssh_agent_t, ssh_agent_type; 325 application_domain($1_ssh_agent_t, ssh_agent_exec_t) 326 domain_interactive_fd($1_ssh_agent_t) 327 role $2 types $1_ssh_agent_t; 328 329 ############################## 330 # 331 # Local policy 332 # 314 333 315 334 # Transition from the domain to the derived domain. 
316 domtrans_pattern($ 2, ssh_exec_t, ssh_t)335 domtrans_pattern($3, ssh_exec_t, ssh_t) 317 336 318 337 # inheriting stream sockets is needed for "ssh host command" as no pty 319 338 # is allocated 320 allow $ 2ssh_server:unix_stream_socket rw_stream_socket_perms;339 allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms; 321 340 322 341 # allow ps to show ssh 323 ps_process_pattern($ 2,ssh_t)324 allow $ 2ssh_t:process signal;342 ps_process_pattern($3, ssh_t) 343 allow $3 ssh_t:process signal; 325 344 326 345 # for rsync 327 allow ssh_t $ 2:unix_stream_socket rw_socket_perms;328 allow ssh_t $ 2:unix_stream_socket connectto;346 allow ssh_t $3:unix_stream_socket rw_socket_perms; 347 allow ssh_t $3:unix_stream_socket connectto; 329 348 330 349 # user can manage the keys and config 331 manage_files_pattern($2, home_ssh_t, home_ssh_t) 332 manage_lnk_files_pattern($2, home_ssh_t, home_ssh_t) 333 manage_sock_files_pattern($2, home_ssh_t, home_ssh_t) 334 335 domtrans_pattern($2, ssh_agent_exec_t, ssh_agent_t) 336 allow ssh_agent_t $2:process signull; 350 manage_files_pattern($3, home_ssh_t, home_ssh_t) 351 manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) 352 manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) 353 354 ############################## 355 # 356 # SSH agent local policy 357 # 358 359 allow $1_ssh_agent_t self:process setrlimit; 360 allow $1_ssh_agent_t self:capability setgid; 361 362 allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; 363 364 allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; 365 366 manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) 367 manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) 368 files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file }) 369 370 # for ssh-add 371 stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) 372 373 # Allow the user shell to signal the ssh program. 
374 allow $3 $1_ssh_agent_t:process signal; 337 375 338 376 # allow ps to show ssh 339 ps_process_pattern($2, ssh_agent_t) 340 allow $2 ssh_agent_t:process signal; 341 342 # for ssh-add 343 stream_connect_pattern($2, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_t) 377 ps_process_pattern($3, $1_ssh_agent_t) 378 379 domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) 380 381 kernel_read_kernel_sysctls($1_ssh_agent_t) 382 383 dev_read_urand($1_ssh_agent_t) 384 dev_read_rand($1_ssh_agent_t) 385 386 fs_search_auto_mountpoints($1_ssh_agent_t) 344 387 345 388 # transition back to normal privs upon exec 346 corecmd_shell_domtrans(ssh_agent_t, $2) 347 corecmd_bin_domtrans(ssh_agent_t, $2) 389 corecmd_shell_domtrans($1_ssh_agent_t, $3) 390 corecmd_bin_domtrans($1_ssh_agent_t, $3) 391 392 domain_use_interactive_fds($1_ssh_agent_t) 393 394 files_read_etc_files($1_ssh_agent_t) 395 files_read_etc_runtime_files($1_ssh_agent_t) 396 files_search_home($1_ssh_agent_t) 397 398 libs_read_lib_files($1_ssh_agent_t) 399 libs_use_ld_so($1_ssh_agent_t) 400 libs_use_shared_libs($1_ssh_agent_t) 401 402 logging_send_syslog_msg($1_ssh_agent_t) 403 404 miscfiles_read_localization($1_ssh_agent_t) 405 406 seutil_dontaudit_read_config($1_ssh_agent_t) 407 408 # Write to the user domain tty. 
409 userdom_use_user_terminals($1_ssh_agent_t) 348 410 349 411 # for the transition back to normal privs upon exec 350 userdom_user_home_domtrans( ssh_agent_t,$2)351 allow $ 2ssh_agent_t:fd use;352 allow $ 2ssh_agent_t:fifo_file rw_file_perms;353 allow $ 2ssh_agent_t:process sigchld;412 userdom_user_home_domtrans($1_ssh_agent_t, $3) 413 allow $3 $1_ssh_agent_t:fd use; 414 allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; 415 allow $3 $1_ssh_agent_t:process sigchld; 354 416 355 417 tunable_policy(`use_nfs_home_dirs',` 418 fs_manage_nfs_files($1_ssh_agent_t) 419 356 420 # transition back to normal privs upon exec 357 fs_nfs_domtrans( ssh_agent_t, $2)421 fs_nfs_domtrans($1_ssh_agent_t, $3) 358 422 ') 359 423 360 424 tunable_policy(`use_samba_home_dirs',` 425 fs_manage_cifs_files($1_ssh_agent_t) 426 361 427 # transition back to normal privs upon exec 362 fs_cifs_domtrans(ssh_agent_t, $2) 428 fs_cifs_domtrans($1_ssh_agent_t, $3) 429 ') 430 431 optional_policy(` 432 nis_use_ypbind($1_ssh_agent_t) 433 ') 434 435 optional_policy(` 436 xserver_use_xdm_fds($1_ssh_agent_t) 437 xserver_rw_xdm_pipes($1_ssh_agent_t) 363 438 ') 364 439 ') branches/rbacsep/policy/modules/services/ssh.te
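Review bot: In the rewritten gen_require block of ssh_role_template, ssh_agent_tmp_t is no longer required although the template body still uses it (manage_dirs_pattern, manage_sock_files_pattern, files_tmp_filetrans, stream_connect_pattern), and ssh_tmpfs_t is now listed twice; the second type line could read `type ssh_agent_exec_t, ssh_agent_tmp_t, ssh_keysign_t;`. The two old `role $1 types { ... }` statements are replaced only by `role $2 types $1_ssh_agent_t;`, so unless ssh_t is associated with the role somewhere outside this section, the retained `domtrans_pattern($3, ssh_exec_t, ssh_t)` would transition into a type the role is not authorized for; `role $2 types { ssh_t $1_ssh_agent_t };` would keep that association. Part of the parameter documentation is elided in the rendered view, so the descriptions of the role and domain parameters could not be checked against the new $2/$3 numbering.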
r2727 r2752 22 22 23 23 attribute ssh_server; 24 attribute ssh_agent_type; 24 25 25 26 type ssh_keygen_t; … … 50 51 type ssh_exec_t; 51 52 application_domain(ssh_t, ssh_exec_t) 52 53 type ssh_agent_t;54 type ssh_agent_exec_t;55 application_domain(ssh_agent_t, ssh_agent_exec_t)56 domain_interactive_fd(ssh_agent_t)57 53 58 54 type ssh_agent_tmp_t; … … 107 103 108 104 # Allow the ssh program to communicate with ssh-agent. 109 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_t )105 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) 110 106 111 107 allow ssh_t sshd_t:unix_stream_socket connectto; … … 213 209 xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) 214 210 xserver_domtrans_xauth(ssh_t) 215 ')216 217 ##############################218 #219 # ssh_agent_t local policy220 #221 222 allow ssh_agent_t self:process setrlimit;223 allow ssh_agent_t self:capability setgid;224 225 allow ssh_agent_t self:process signull;226 227 allow ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };228 229 manage_dirs_pattern(ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)230 manage_sock_files_pattern(ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)231 files_tmp_filetrans(ssh_agent_t, ssh_agent_tmp_t,{ dir sock_file })232 233 kernel_read_kernel_sysctls(ssh_agent_t)234 235 dev_read_urand(ssh_agent_t)236 dev_read_rand(ssh_agent_t)237 238 fs_search_auto_mountpoints(ssh_agent_t)239 240 domain_use_interactive_fds(ssh_agent_t)241 242 files_read_etc_files(ssh_agent_t)243 files_read_etc_runtime_files(ssh_agent_t)244 files_search_home(ssh_agent_t)245 246 libs_read_lib_files(ssh_agent_t)247 libs_use_ld_so(ssh_agent_t)248 libs_use_shared_libs(ssh_agent_t)249 250 logging_send_syslog_msg(ssh_agent_t)251 252 miscfiles_read_localization(ssh_agent_t)253 254 seutil_dontaudit_read_config(ssh_agent_t)255 256 # Write to the user domain tty.257 userdom_use_user_terminals(ssh_agent_t)258 259 
tunable_policy(`use_nfs_home_dirs',`260 fs_manage_nfs_files(ssh_agent_t)261 ')262 263 tunable_policy(`use_samba_home_dirs',`264 fs_manage_cifs_files(ssh_agent_t)265 ')266 267 optional_policy(`268 nis_use_ypbind(ssh_agent_t)269 ')270 271 optional_policy(`272 xserver_use_xdm_fds(ssh_agent_t)273 xserver_rw_xdm_pipes(ssh_agent_t)274 211 ') 275 212
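Review bot: The new `stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)` rule lets the single shared ssh_t domain connect to every role's agent domain, and all agent sockets keep the one ssh_agent_tmp_t label, so type enforcement alone does not stop an ssh client started under one role from reaching another role's agent socket. If per-role agent isolation is the goal of this branch, the rule should carry a comment stating what is relied on instead, for example `# ssh_t is shared by all roles; isolation between role agents depends on DAC on the socket and on constraints, not on this rule`. Whether such constraints exist cannot be seen from this section, so that should be confirmed before the separation is treated as enforced.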
