commit: 3c2ad3e4b5919b0012847ae45f7197cdc0830e94 |
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be> |
AuthorDate: Wed Feb 5 21:23:31 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 9 10:50:58 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3c2ad3e4 |
|
Add fcontext for sshd pidfile and directory used for privsep |
|
Also allow the sshd_t domain to chroot(2) into this directory, as explained in |
the README.privsep file in the openssh tarball. |
|
Thanks to Russell Coker for this patch |
|
--- |
policy/modules/services/ssh.fc | 2 ++ |
policy/modules/services/ssh.if | 1 + |
2 files changed, 3 insertions(+) |
|
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc |
21 |
index 76d9f66..8168244 100644 |
22 |
--- a/policy/modules/services/ssh.fc |
23 |
+++ b/policy/modules/services/ssh.fc |
24 |
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) |
25 |
|
26 |
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) |
27 |
|
28 |
+/var/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0) |
29 |
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) |
30 |
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) |
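Review bot: The new `/var/run/sshd(/.*)?` entry gives the privsep chroot directory and everything under it the same type as the pid files, and the ssh.if hunk of this commit shows the template already grants `manage_file_perms` on that type to the daemon domain, so any file that ends up inside the chroot is fully manageable by sshd_t and only the directory's DAC ownership, not the policy, keeps the jail empty. A one-line comment above the entry would record the constraint for the next maintainer, e.g. `# privsep chroot directory: must stay empty and root-owned (see openssh README.privsep)`, and it is worth weighing whether a dedicated type for the chroot directory would separate it from the pid files. The diffstat shows the only ssh.if insertion is directory search on `$1_var_run_t`, so the chroot(2) capability the description refers to is presumably already present in the template rather than added here. On systems where /var/run is a symlink to /run this entry presumably relies on the policy's path substitution to cover /run/sshd as well; worth confirming on the target distribution.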
31 |
|
32 |
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if |
33 |
index fe0c682..48eb1c8 100644 |
34 |
--- a/policy/modules/services/ssh.if |
35 |
+++ b/policy/modules/services/ssh.if |
36 |
@@ -196,6 +196,7 @@ template(`ssh_server_template', ` |
37 |
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) |
38 |
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) |
39 |
|
40 |
+ allow $1_t $1_var_run_t:dir search_dir_perms; |
41 |
allow $1_t $1_var_run_t:file manage_file_perms; |
42 |
files_pid_filetrans($1_t, $1_var_run_t, file) |