From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Sat, 8 Feb 2014 08:32:06 -0500 Subject: [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent In-Reply-To: <1391343571-18264-1-git-send-email-aranea@aixah.de> References: <20140202130500.2160f475@gentp.lnet> <1391343571-18264-1-git-send-email-aranea@aixah.de> Message-ID: <52F631D6.5040508@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 2/2/2014 7:19 AM, Luis Ressel wrote: > gpg-agent also offers an ssh-compatible interface. This is useful e.g. > for smartcard authentication. > --- > policy/modules/services/ssh.if | 7 +++++++ > policy/modules/services/ssh.te | 13 +++++++++++++ > 2 files changed, 20 insertions(+) > > diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if > index fe0c682..7e7b6f6 100644 > --- a/policy/modules/services/ssh.if > +++ b/policy/modules/services/ssh.if > @@ -425,6 +425,13 @@ template(`ssh_role_template',` > xserver_use_xdm_fds($1_ssh_agent_t) > xserver_rw_xdm_pipes($1_ssh_agent_t) > ') > + > + optional_policy(` > + tunable_policy(`ssh_use_gpg_agent',` > + # for ssh-add > + gpg_agent_connect($3) > + ') > + ') > ') > > ######################################## > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te > index 30726f2..68e70e9 100644 > --- a/policy/modules/services/ssh.te > +++ b/policy/modules/services/ssh.te > @@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false) > ## > gen_tunable(ssh_sysadm_login, false) > > +## > +##

> +## Allow ssh to use gpg-agent > +##

> +## > +gen_tunable(ssh_use_gpg_agent, false) > + > attribute ssh_server; > attribute ssh_agent_type; > > @@ -202,6 +209,12 @@ optional_policy(` > xserver_domtrans_xauth(ssh_t) > ') > > +optional_policy(` > + tunable_policy(`ssh_use_gpg_agent',` > + gpg_agent_connect(ssh_t) > + ') > +') > + > ############################## > # > # ssh_keysign_t local policy Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com