From 5540e76ac7daa5c6c0a57e2746ef8e4c1f06c517 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 25 Apr 2006 19:17:43 +0000
Subject: [PATCH] add rssh, bug 1544
---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/apps/rssh.fc | 1 +
 refpolicy/policy/modules/apps/rssh.if | 143 +++++++++++++++++++++++
 refpolicy/policy/modules/apps/rssh.te | 13 +++
 refpolicy/policy/modules/services/ssh.if | 36 ++++++
 refpolicy/policy/modules/services/ssh.te | 10 +-
 6 files changed, 202 insertions(+), 2 deletions(-)
 create mode 100644 refpolicy/policy/modules/apps/rssh.fc
 create mode 100644 refpolicy/policy/modules/apps/rssh.if
 create mode 100644 refpolicy/policy/modules/apps/rssh.te
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 584bfc6bd..4c130fe22 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -65,6 +65,7 @@ qmail (Petre Rodan)
 resmgr
 rhgb
+ rssh
 snort
 soundserver
 speedtouch
diff --git a/refpolicy/policy/modules/apps/rssh.fc b/refpolicy/policy/modules/apps/rssh.fc
new file mode 100644
index 000000000..4c091ca37
--- /dev/null
+++ b/refpolicy/policy/modules/apps/rssh.fc
@@ -0,0 +1 @@
+/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/rssh.if b/refpolicy/policy/modules/apps/rssh.if
new file mode 100644
index 000000000..2a84766e5
--- /dev/null
+++ b/refpolicy/policy/modules/apps/rssh.if
@@ -0,0 +1,143 @@
+## Restricted (scp/sftp) only shell
+
+#######################################
+##
+## The per user domain template for the rssh module.
+##
+##
+##

+## This template creates a derived domains which are used
+## for rssh client sessions. Derived types are also created
+## for read-only and read-write file access.
+##

+##

+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##

+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`rssh_per_userdomain_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_rssh_t alias rssh_$1_t, rssh_domain_type;
+ domain_type($1_rssh_t)
+ domain_entry_file($1_rssh_t,rssh_exec_t)
+ domain_user_exemption_target($1_t)
+ domain_interactive_fd($1_rssh_t)
+ role system_r types $1_rssh_t;
+
+ type $1_rssh_devpts_t alias rssh_$1_devpts_t;
+ term_user_pty($1_rssh_t,$1_rssh_devpts_t)
+
+ type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type;
+ userdom_user_home_content($1,$1_rssh_ro_t)
+
+ type $1_rssh_rw_t alias rssh_$1_rw_t;
+ userdom_user_home_content($1,$1_rssh_rw_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_rssh_t self:fd use;
+ allow $1_rssh_t self:fifo_file rw_file_perms;
+ allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
+ allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_rssh_t self:unix_dgram_socket sendto;
+ allow $1_rssh_t self:unix_stream_socket connectto;
+ allow $1_rssh_t self:shm create_shm_perms;
+ allow $1_rssh_t self:sem create_sem_perms;
+ allow $1_rssh_t self:msgq create_msgq_perms;
+ allow $1_rssh_t self:msg { send receive };
+
+ allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr };
+ term_create_pty($1_rssh_t,$1_rssh_devpts_t)
+
+ allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
+ allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
+
+ allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
+ allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
+
+ kernel_read_system_state($1_rssh_t)
+ kernel_read_kernel_sysctls($1_rssh_t)
+
+ files_read_etc_files($1_rssh_t)
+ files_read_etc_runtime_files($1_rssh_t)
+ files_list_home($1_rssh_t)
+ files_read_usr_files($1_rssh_t)
+ files_list_var($1_rssh_t)
+
+ fs_search_auto_mountpoints($1_rssh_t)
+
+ libs_use_ld_so($1_rssh_t)
+ libs_use_shared_libs($1_rssh_t)
+
+ logging_send_syslog_msg($1_rssh_t)
+
+ miscfiles_read_localization($1_rssh_t)
+
+ userdom_use_unpriv_users_fds($1_rssh_t)
+
+ ssh_rw_tcp_sockets($1_rssh_t)
+ ssh_rw_stream_sockets($1_rssh_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_rssh_t)
+ ')
+')
+
+########################################
+##
+## Transition to all user rssh domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rssh_spec_domtrans_all_users',`
+ gen_require(`
+ attribute rssh_domain_type;
+ type rssh_exec_t;
+ ')
+
+ domain_trans($1,rssh_exec_t,rssh_domain_type)
+ allow rssh_domain_type $1:fd use;
+ allow rssh_domain_type $1:fifo_file rw_file_perms;
+ allow rssh_domain_type $1:process sigchld;
+')
+
+########################################
+##
+## Read all users rssh read-only content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rssh_read_all_users_ro_content',`
+ gen_require(`
+ attribute rssh_ro_content_type;
+ ')
+
+ allow $1 rssh_ro_content_type:dir r_dir_perms;
+ allow $1 rssh_ro_content_type:file r_file_perms;
+ allow $1 rssh_ro_content_type:lnk_file { getattr read };
+')
diff --git a/refpolicy/policy/modules/apps/rssh.te b/refpolicy/policy/modules/apps/rssh.te
new file mode 100644
index 000000000..8419801e0
--- /dev/null
+++ b/refpolicy/policy/modules/apps/rssh.te
@@ -0,0 +1,13 @@
+
+policy_module(rssh,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute rssh_domain_type;
+attribute rssh_ro_content_type;
+
+type rssh_exec_t;
+corecmd_executable_file(rssh_exec_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 8d7a18871..de3e1b7cd 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
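Review bot: `domain_user_exemption_target($1_t)` in the Declarations section of rssh_per_userdomain_template is the only call there that names the user domain `$1_t`; the lines around it (domain_type, domain_entry_file, domain_interactive_fd) all take the new `$1_rssh_t`, so this reads like a copy-and-paste slip and should presumably be `domain_user_exemption_target($1_rssh_t)` — worth confirming before merge. Separately, the only home-directory access granted to `$1_rssh_t` is `files_list_home`, which covers the home root; unless search on the user's own home directory type is granted elsewhere, the `$1_rssh_ro_t` and `$1_rssh_rw_t` content that userdom_user_home_content places under it may not be reachable, so that path deserves an explicit check. The lnk_file read that rssh_read_all_users_ro_content grants to callers is not given to `$1_rssh_t` itself on its own ro content, which looks inconsistent if symlinks are expected there. The summary text `This template creates a derived domains which are used` should read `This template creates derived domains which are used`.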
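Review bot: The new rssh.te begins with an empty line ahead of `policy_module(rssh,1.0.0)`; the usual refpolicy layout puts the policy_module call on line 1, so the leading blank line should go. The two attributes are also undocumented at their declaration; a short comment such as `# rssh_domain_type: every per-user rssh domain; rssh_ro_content_type: every per-user read-only rssh content type` would tell a reader what the interfaces in rssh.if iterate over.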
@@ -596,6 +596,42 @@ interface(`ssh_read_pipes',`
 allow $1 sshd_t:fifo_file { getattr read };
 ')
+########################################
+##
+## Read and write ssh server unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ssh_rw_stream_sockets',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+##
+## Read and write ssh server TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ssh_rw_tcp_sockets',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
+')
+
 ########################################
 ##
 ## Do not audit attempts to read and write
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 8254d66d8..fa32d3474 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -70,7 +70,7 @@ ifdef(`targeted_policy',`
 # sshd_t is the domain for the sshd program.
 #
-ifdef(`targeted_policy',`',`
+ifdef(`strict_policy',`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
@@ -120,6 +120,12 @@ ifdef(`targeted_policy',`',`
 rpm_use_script_fds(sshd_t)
 ')
+ optional_policy(`
+ rssh_spec_domtrans_all_users(sshd_t)
+ # For reading /home/user/.ssh
+ rssh_read_all_users_ro_content(sshd_t)
+ ')
+
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
@@ -151,7 +157,7 @@ ifdef(`targeted_policy',`',`
 # sshd_extern_t is the domain for ssh from outside our network
 #
-ifdef(`targeted_policy',`',`
+ifdef(`strict_policy',`
 ifdef(`TODO',`
 domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
 # Signal the user domains.
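Review bot: `ssh_rw_tcp_sockets` is summarised as read and write access, but the rule `allow $1 sshd_t:tcp_socket rw_stream_socket_perms;` uses the stream permission set, which in refpolicy also carries listen and accept, so every caller (here each per-user rssh domain via rssh.if) gets more than the summary says. If accepting connections on sshd's socket is not needed, `allow $1 sshd_t:tcp_socket rw_socket_perms;` matches the documented intent; the same question applies to the unix_stream_socket rule in `ssh_rw_stream_sockets`. Both new interfaces are complete within the hunk.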
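Review bot: Rewriting the else-branch form `ifdef(`targeted_policy',`',` ... ')` as `ifdef(`strict_policy',` ... ')` at -70 (and again at -151) turns "everything except targeted" into "strict only"; the two are equivalent only while strict and targeted are the sole policy types, and if neither symbol is defined the sshd_t and sshd_extern_t rule blocks now silently disappear instead of being included. The change is also unrelated to the rssh addition named in the subject, so it would be easier to review and bisect as a separate commit. Both enclosing ifdef blocks continue past their hunks.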
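Review bot: The comment `# For reading /home/user/.ssh` above `rssh_read_all_users_ro_content(sshd_t)` presumes users' ~/.ssh directories are labelled with the per-user `$1_rssh_ro_t` type, yet nothing in this commit does that labelling — rssh.fc only covers /usr/bin/rssh — so unless it happens elsewhere the grant has nothing to apply to. Either add the corresponding file context or state the dependency in the comment, e.g. `# For reading per-user rssh read-only content (expected to hold ~/.ssh; labelled outside this module)`. The conditional region containing this optional_policy block begins and ends outside the hunk.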