work on user transition

refpolicy/policy/modules/kernel/terminal.if

@@ -366,6 +366,44 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 	dontaudit $1 ptynode:chr_file getattr;
 ')
 
+########################################
+## <summary>
+##	Set the attributes of all user
+##	pty device nodes.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`term_setattr_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Relabel to all user ptys.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`term_relabelto_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+		class chr_file relabelto;
+	')
+
+	allow $1 ptynode:chr_file relabelto;
+')
+
 ########################################
 ## <desc>
 ##	Read and write all user ptys.

refpolicy/policy/modules/services/ssh.if

@@ -77,6 +77,12 @@ template(`ssh_per_userdomain_template',`
 	allow $1_t $1_home_ssh_t:lnk_file create_lnk_perms;
 	allow $1_t $1_home_ssh_t:sock_file create_file_perms;
 
+	# inheriting stream sockets is needed for "ssh host command" as no pty
+	# is allocated
+	# cjp: should probably fix target to be an attribute for ssh servers
+	# or "regular" (not special like sshd_extern_t) servers
+	allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
+
 	# ssh client can manage the keys and config
 	allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
 	allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };

refpolicy/policy/modules/services/ssh.te

@@ -72,30 +72,33 @@ seutil_read_config(sshd_t)
 # Allow checking users mail at login
 mta_getattr_spool(sshd_t)
 
+tunable_policy(`ssh_sysadm_login',`
+	# Relabel and access ptys created by sshd
+	# ioctl is necessary for logout() processing for utmp entry and for w to
+	# display the tty.
+	# some versions of sshd on the new SE Linux require setattr
+	allow sshd_t ptyfile:chr_file relabelto;
+	term_use_all_user_ptys(sshd_t)
+	term_setattr_all_user_ptys(sshd_t)
+	term_relabelto_all_user_ptys(sshd_t)
+
+	userdom_spec_domtrans_all_users(sshd_t)
+	userdom_signal_all_users(sshd_t)
+',`
+	userdom_spec_domtrans_unpriv_users(sshd_t)
+	userdom_signal_unpriv_users(sshd_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_use_script_fd(sshd_t)
 ')
 
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
-	userdom_spec_domtrans_all_users(sshd_t)
-	userdom_signal_all_users(sshd_t)
-
 	optional_policy(`xauth.te',`
 		domain_trans(sshd_t, xauth_exec_t, userdomain)
 	')
-	# Relabel and access ptys created by sshd
-	# ioctl is necessary for logout() processing for utmp entry and for w to
-	# display the tty.
-	# some versions of sshd on the new SE Linux require setattr
-	allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr };
-	# inheriting stream sockets is needed for "ssh host command" as no pty
-	# is allocated
-	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
 ',`
-	userdom_spec_domtrans_unpriv_users(sshd_t)
-	userdom_signal_unpriv_users(sshd_t)
-
 	optional_policy(`xauth.te',`
 		domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
 	')
@@ -104,14 +107,7 @@ tunable_policy(`ssh_sysadm_login',`
 	# display the tty.
 	# some versions of sshd on the new SE Linux require setattr
 	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
-	# inheriting stream sockets is needed for "ssh host command" as no pty
-	# is allocated
-	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
 ')
-
-# for when the network connection breaks after running newrole -r sysadm_r
-dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
-
 ') dnl endif TODO
 
 #################################