SELinux-Refpolicy Archive on lore.kernel.org
From: Dominick Grift <dac.override@gmail.com>
To: Alexander Miroshnichenko <alex@millerson.name>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v2 2/2] ssh: Add interface ssh_search_dir
Date: Thu, 20 Jun 2019 17:50:55 +0200
Message-ID: <20190620155055.GF2647@brutus.lan> (raw)
In-Reply-To: <d15b7000-6866-46bb-8622-33c7cad5cc4b@millerson.name>


On Thu, Jun 20, 2019 at 06:38:10PM +0300, Alexander Miroshnichenko wrote:
> On Thursday, 20 June 2019 18:27:31 MSK, Dominick Grift wrote:
> > On Thu, Jun 20, 2019 at 06:05:57PM +0300, Alexander Miroshnichenko wrote:
> > > On Thursday, 20 June 2019 17:50:11 MSK, Dominick Grift wrote: ...
> > 
> > Yes this sucks. I would probably do the following instead:
> > 
> > 1. echo "ignoredirs=/var/lib/gitolite" >> /etc/selinux/semanage.conf
> > 2. semodule -B && restorecon -RvF /var/lib/gitolite
> > 3. gitosis_read_lib_files(sshd_t)
> 
> I can't use sshd_t in another policy without a require statement.
> Or I need to add gitosis_read_lib_files(sshd_t) to the ssh.te policy file.
> All 3 steps are ugly compared with the new ssh_search_dir() interface.
> Why such restrictions where the caller must be the source for the interface? It is
> not flexible.

You would need to add the gitosis_read_var_lib_files(sshd_t) to ssh.te, yes.
I agree that this is ugly, but the alternative is even uglier, and I will say that this is just what I would do (you might want to wait for the maintainer's advice instead of taking mine).
This is one of those scenarios that are the exception rather than the rule. All options are bad.
The "restriction" is actually an unwritten rule, as I cannot find any references to it in https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide, so you might be able to get away with it.

> 
> > 
> > Don't bother with labeling /var/lib/gitolite/.ssh differently
> > 
> > >  ...
> > 
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
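For readers who want to see what the two participants are comparing, here is an added example; it is not part of the thread and not refpolicy's own code. It shows a separate local module, with the hypothetical name local_gitolite_sshd, that grants sshd_t read access to gitolite's files under /var/lib/gitolite without relabelling the .ssh directory. Because sshd_t is declared by the ssh module, this module must pull the type in through a gen_require block; that is the "require statement" Alexander refers to, and it is exactly what you avoid if you put the same one-line call into ssh.te instead (Dominick's step 3). It assumes the gitosis module's gitosis_read_lib_files() interface named in the thread exists and takes the caller's domain as its first argument, which is the refpolicy convention the thread calls the unwritten rule.

```selinux
# local_gitolite_sshd.te  (hypothetical module name, added example)
policy_module(local_gitolite_sshd, 1.0.0)

########################################
#
# Declarations
#

# sshd_t is owned by the ssh module. A module other than ssh may only
# use it after declaring that it requires the type; without this block
# the module will not link against the base policy.
gen_require(`
	type sshd_t;
')

########################################
#
# Local policy
#

# gitosis is an optional contrib module, so the interface call is
# wrapped in optional_policy(). The interface follows the usual refpolicy
# shape: its first argument is the subject domain (sshd_t here), and the
# object types (gitolite's var_lib type) are supplied by the gitosis module.
# /var/lib/gitolite/.ssh keeps its gitosis label, so authorized_keys is
# readable by sshd without a separate ssh_home_t labelling rule.
optional_policy(`
	gitosis_read_lib_files(sshd_t)
')
```

Build it against the installed refpolicy development headers (the default `install-headers` location is `/usr/share/selinux/refpolicy/include/Makefile`; distributions may place the Makefile elsewhere), load it with `semodule -i local_gitolite_sshd.pp`, and then apply Dominick's steps 1 and 2 (the `ignoredirs` entry and the `restorecon`) unchanged. If the call is placed directly in ssh.te, the `gen_require` block is dropped and the `optional_policy` wrapper is all that remains, which is the trade-off the thread discusses: a cleaner module at the cost of editing the ssh policy itself.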


Thread overview:
2019-06-20 14:41 [PATCH v2 0/2] ssh policy new interfaces Alexander Miroshnichenko
2019-06-20 14:41 ` [PATCH v2 1/2] ssh: Add ssh_exec_keygen interface Alexander Miroshnichenko
2019-06-20 14:46   ` Dominick Grift
2019-06-20 14:41 ` [PATCH v2 2/2] ssh: Add interface ssh_search_dir Alexander Miroshnichenko
2019-06-20 14:50   ` Dominick Grift
2019-06-20 15:05     ` Alexander Miroshnichenko
2019-06-20 15:27       ` Dominick Grift
2019-06-20 15:38         ` Alexander Miroshnichenko
2019-06-20 15:50           ` Dominick Grift [this message]
2019-06-20 15:40         ` Dominick Grift
