* [refpolicy] [PATCH 0/2] Have mkhomedir_helper working for sshd
From: Sven Vermeulen @ 2011-12-28 19:34 UTC (permalink / raw)
  To: refpolicy

The next two patches allow SSHd (through PAM) to create home dirs when new
users log on to the system (as is used on larger environments with
centralized authentication services).

The necessary services (interfaces) for this are already available in the
reference policy through the oddjob module. All we need to do is have sshd
be able to domtrans to the proper oddjob domain and mark the
mkhomedir_helper as a proper entry point.

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 1/2] Mark mkhomedir_helper as oddjob_mkhomedir_exec_t
From: Sven Vermeulen @ 2011-12-28 19:35 UTC (permalink / raw)
  To: refpolicy

The mkhomedir_helper application (part of the PAM distribution) is here marked as an oddjob_mkhomedir_exec_t type so that
calls from applications that have oddjob_mkhomedir_domtrans() rights (or _run()) succeed in the correct domain.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 oddjob.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/oddjob.fc b/oddjob.fc
index bdf8c89..734253e 100644
--- a/oddjob.fc
+++ b/oddjob.fc
@@ -2,4 +2,6 @@
 
 /usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
 
+/sbin/mkhomedir_helper		--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
 /var/run/oddjobd\.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
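Review bot: the new entry labels only /sbin/mkhomedir_helper, while the neighbouring oddjobd entry in this file lives under /usr/sbin; on a system that installs the helper at /usr/sbin/mkhomedir_helper the binary would not get oddjob_mkhomedir_exec_t and the transition added in 2/2 would have no entry point. Consider adding a matching /usr/sbin/mkhomedir_helper line, plus a short comment noting that this binary ships with PAM rather than oddjob, since that is not obvious in a file named oddjob.fc.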
-- 
1.7.3.4


* [refpolicy] [PATCH 2/2] sshd can call mkhomedir when a new user logs on
From: Sven Vermeulen @ 2011-12-28 19:36 UTC (permalink / raw)
  To: refpolicy

These services are offered through the oddjob module.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/services/ssh.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 3f1dc47..83d44e2 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -269,6 +269,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	oddjob_domtrans_mkhomedir(sshd_t)
+')
+
+optional_policy(`
 	rpm_use_script_fds(sshd_t)
 ')
 
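Review bot: the call added here is oddjob_domtrans_mkhomedir(sshd_t), but the commit message of 1/2 names the interface oddjob_mkhomedir_domtrans(); please confirm which name the oddjob module defines and make the two agree. The block also gives sshd_t the transition whenever the oddjob module is present, so a one-line comment saying it exists for home directory creation through PAM at first login would help later readers, and the one-sentence commit message could state that as well.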
-- 
1.7.3.4


* [refpolicy] [PATCH 0/2] Have mkhomedir_helper working for sshd
From: Christopher J. PeBenito @ 2012-01-04 13:14 UTC (permalink / raw)
  To: refpolicy

On 12/28/11 14:34, Sven Vermeulen wrote:
> The next two patches allow SSHd (through PAM) to create home dirs when new
> users log on to the system (as is used on larger environments with
> centralized authentication services).
> 
> The necessary services (interfaces) for this are already available in the
> reference policy through the oddjob module. All we need to do is have sshd
> be able to domtrans to the proper oddjob domain and mark the
> mkhomedir_helper as a proper entry point.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
