add rssh, bug 1544
This commit is contained in:
Chris PeBenito
parent
70b8a7231e
commit
5540e76ac7
@ -65,6 +65,7 @@
|
||||
qmail (Petre Rodan)
|
||||
resmgr
|
||||
rhgb
|
||||
rssh
|
||||
snort
|
||||
soundserver
|
||||
speedtouch
|
||||
|
||||
1
refpolicy/policy/modules/apps/rssh.fc
Normal file
1
refpolicy/policy/modules/apps/rssh.fc
Normal file
@ -0,0 +1 @@
|
||||
/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
|
||||
143
refpolicy/policy/modules/apps/rssh.if
Normal file
143
refpolicy/policy/modules/apps/rssh.if
Normal file
@ -0,0 +1,143 @@
|
||||
## <summary>Restricted (scp/sftp) only shell</summary>
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per user domain template for the rssh module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domains which are used
|
||||
## for rssh client sessions. Derived types are also created
|
||||
## for read-only and read-write file access.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`rssh_per_userdomain_template',`
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type $1_rssh_t alias rssh_$1_t, rssh_domain_type;
|
||||
domain_type($1_rssh_t)
|
||||
domain_entry_file($1_rssh_t,rssh_exec_t)
|
||||
domain_user_exemption_target($1_t)
|
||||
domain_interactive_fd($1_rssh_t)
|
||||
role system_r types $1_rssh_t;
|
||||
|
||||
type $1_rssh_devpts_t alias rssh_$1_devpts_t;
|
||||
term_user_pty($1_rssh_t,$1_rssh_devpts_t)
|
||||
|
||||
type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type;
|
||||
userdom_user_home_content($1,$1_rssh_ro_t)
|
||||
|
||||
type $1_rssh_rw_t alias rssh_$1_rw_t;
|
||||
userdom_user_home_content($1,$1_rssh_rw_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_rssh_t self:fd use;
|
||||
allow $1_rssh_t self:fifo_file rw_file_perms;
|
||||
allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
|
||||
allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_rssh_t self:unix_dgram_socket sendto;
|
||||
allow $1_rssh_t self:unix_stream_socket connectto;
|
||||
allow $1_rssh_t self:shm create_shm_perms;
|
||||
allow $1_rssh_t self:sem create_sem_perms;
|
||||
allow $1_rssh_t self:msgq create_msgq_perms;
|
||||
allow $1_rssh_t self:msg { send receive };
|
||||
|
||||
allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr };
|
||||
term_create_pty($1_rssh_t,$1_rssh_devpts_t)
|
||||
|
||||
allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
|
||||
allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
|
||||
|
||||
allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
|
||||
allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
|
||||
|
||||
kernel_read_system_state($1_rssh_t)
|
||||
kernel_read_kernel_sysctls($1_rssh_t)
|
||||
|
||||
files_read_etc_files($1_rssh_t)
|
||||
files_read_etc_runtime_files($1_rssh_t)
|
||||
files_list_home($1_rssh_t)
|
||||
files_read_usr_files($1_rssh_t)
|
||||
files_list_var($1_rssh_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_rssh_t)
|
||||
|
||||
libs_use_ld_so($1_rssh_t)
|
||||
libs_use_shared_libs($1_rssh_t)
|
||||
|
||||
logging_send_syslog_msg($1_rssh_t)
|
||||
|
||||
miscfiles_read_localization($1_rssh_t)
|
||||
|
||||
userdom_use_unpriv_users_fds($1_rssh_t)
|
||||
|
||||
ssh_rw_tcp_sockets($1_rssh_t)
|
||||
ssh_rw_stream_sockets($1_rssh_t)
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_rssh_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to all user rssh domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rssh_spec_domtrans_all_users',`
|
||||
gen_require(`
|
||||
attribute rssh_domain_type;
|
||||
type rssh_exec_t;
|
||||
')
|
||||
|
||||
domain_trans($1,rssh_exec_t,rssh_domain_type)
|
||||
allow rssh_domain_type $1:fd use;
|
||||
allow rssh_domain_type $1:fifo_file rw_file_perms;
|
||||
allow rssh_domain_type $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all users rssh read-only content.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rssh_read_all_users_ro_content',`
|
||||
gen_require(`
|
||||
attribute rssh_ro_content_type;
|
||||
')
|
||||
|
||||
allow $1 rssh_ro_content_type:dir r_dir_perms;
|
||||
allow $1 rssh_ro_content_type:file r_file_perms;
|
||||
allow $1 rssh_ro_content_type:lnk_file { getattr read };
|
||||
')
|
||||
13
refpolicy/policy/modules/apps/rssh.te
Normal file
13
refpolicy/policy/modules/apps/rssh.te
Normal file
@ -0,0 +1,13 @@
|
||||
|
||||
policy_module(rssh,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute rssh_domain_type;
|
||||
attribute rssh_ro_content_type;
|
||||
|
||||
type rssh_exec_t;
|
||||
corecmd_executable_file(rssh_exec_t)
|
||||
@ -596,6 +596,42 @@ interface(`ssh_read_pipes',`
|
||||
allow $1 sshd_t:fifo_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write ssh server unix domain stream sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ssh_rw_stream_sockets',`
|
||||
gen_require(`
|
||||
type sshd_t;
|
||||
')
|
||||
|
||||
allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write ssh server TCP sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ssh_rw_tcp_sockets',`
|
||||
gen_require(`
|
||||
type sshd_t;
|
||||
')
|
||||
|
||||
allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and write
|
||||
|
||||
@ -70,7 +70,7 @@ ifdef(`targeted_policy',`
|
||||
# sshd_t is the domain for the sshd program.
|
||||
#
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
ifdef(`strict_policy',`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
|
||||
|
||||
@ -120,6 +120,12 @@ ifdef(`targeted_policy',`',`
|
||||
rpm_use_script_fds(sshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rssh_spec_domtrans_all_users(sshd_t)
|
||||
# For reading /home/user/.ssh
|
||||
rssh_read_all_users_ro_content(sshd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
@ -151,7 +157,7 @@ ifdef(`targeted_policy',`',`
|
||||
# sshd_extern_t is the domain for ssh from outside our network
|
||||
#
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
ifdef(`strict_policy',`
|
||||
ifdef(`TODO',`
|
||||
domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
|
||||
# Signal the user domains.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user