commit: ee4eba3c01aff37e2c201ce4f998887aa0b211be |
Author: Luis Ressel <aranea <AT> aixah <DOT> de> |
AuthorDate: Sun Feb 2 12:19:31 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 9 10:51:03 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ee4eba3c |
|
Conditionally allow ssh to use gpg-agent |
|
gpg-agent also offers an ssh-compatible interface. This is useful e.g. |
for smartcard authentication. |
|
--- |
policy/modules/services/ssh.if | 7 +++++++ |
policy/modules/services/ssh.te | 13 +++++++++++++ |
2 files changed, 20 insertions(+) |
|
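--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -426,6 +426,13 @@ template(`ssh_role_template',`
 xserver_use_xdm_fds($1_ssh_agent_t)
 xserver_rw_xdm_pipes($1_ssh_agent_t)
 ')
+
+optional_policy(`
+tunable_policy(`ssh_use_gpg_agent',`
+# for ssh-add
+gpg_agent_connect($3)
+')
+')
 ')
 
 ########################################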
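Review bot: The comment `# for ssh-add` on the new gpg_agent_connect($3) line does not say why the access goes to $3 rather than to $1_ssh_agent_t, which the surrounding lines of ssh_role_template are about; ssh-add runs in the caller's own domain, so a reader has to infer that $3 is the user domain. Suggest `# ssh-add runs in the user domain ($3) and needs to reach gpg-agent's ssh-compatible socket`, with the meaning of $3 confirmed against the template header, which lies outside the hunk. Nesting the tunable_policy inside optional_policy is the right shape, since the gpg module may be absent from a build. The grant stays inactive unless ssh_use_gpg_agent is switched on, so the default attack surface of a confined user is unchanged.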
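--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
 ## </desc>
 gen_tunable(ssh_sysadm_login, false)
 
+## <desc>
+## <p>
+## Allow ssh to use gpg-agent
+## </p>
+## </desc>
+gen_tunable(ssh_use_gpg_agent, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;
 
@@ -202,6 +209,12 @@ optional_policy(`
 xserver_domtrans_xauth(ssh_t)
 ')
 
+optional_policy(`
+tunable_policy(`ssh_use_gpg_agent',`
+gpg_agent_connect(ssh_t)
+')
+')
+
 ##############################
 #
 # ssh_keysign_t local policy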
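Review bot: The new tunable description `## Allow ssh to use gpg-agent` understates what the tunable does: when enabled it lets the ssh client domain (ssh_t, second hunk) and, through the matching ssh.if change, ssh-add in the user domain connect to gpg-agent, and the description is the only place an administrator reads before flipping it. Suggest `## Allow the ssh client and ssh-add to connect to gpg-agent, which offers an ssh-agent-compatible interface (e.g. for smartcard authentication)`, which is what the commit message already says. The default of false keeps this opt-in, which is appropriate because it widens what a confined ssh client can reach; whether gpg_agent_connect grants anything beyond connecting to the agent socket is not visible in this hunk and should be confirmed in gpg.if before any distribution enables the tunable by default.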