On Thu, Jun 20, 2019 at 05:41:38PM +0300, Alexander Miroshnichenko wrote:
> Create interface ssh_search_dir to allow ssh_server search for keys in non-standard location.
> 
> Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
> ---
>  policy/modules/services/ssh.if | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index 0941f133711e..51c64ded00c4 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -680,6 +680,24 @@ interface(`ssh_agent_exec',`
>  	can_exec($1, ssh_agent_exec_t)
>  ')
>  
> +########################################
> +## <summary>
> +##      Search for keys in non-standard location
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`ssh_search_dir',`
> +        gen_require(`
> +                type sshd_t;
> +        ')
> +
> +	allow sshd_t $1:dir search_dir_perms;

This is generally not allowed. The caller should generally be the source.
Regardless of the above. Keys should be in user home directories. I wonder what specific scenario prompted you to propose this interface?

> +')
> +
>  ########################################
>  ## <summary>
>  ##	Read ssh home directory content
> -- 
> 2.21.0
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift