From: Alexander Miroshnichenko <alex@millerson.name>
To: Dominick Grift <dac.override@gmail.com>
Cc: <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH v2 2/2] ssh: Add interface ssh_search_dir
Date: Thu, 20 Jun 2019 18:05:57 +0300 [thread overview]
Message-ID: <642ea6d9-97c9-4ec4-a7ed-84995a953b48@millerson.name> (raw)
In-Reply-To: <20190620145011.GC2647@brutus.lan>
On четверг, 20 июня 2019 г. 17:50:11 MSK, Dominick Grift wrote:
> On Thu, Jun 20, 2019 at 05:41:38PM +0300, Alexander Miroshnichenko wrote:
>> Create interface ssh_search_dir to allow ssh_server search for
>> keys in non-standard location.
>>
>> Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
>> ---
>> policy/modules/services/ssh.if | 18 ++++++++++++++++++
>> 1 file changed, 18 insertions(+)
>>
>> diff --git a/policy/modules/services/ssh.if
>> b/policy/modules/services/ssh.if
>> index 0941f133711e..51c64ded00c4 100644
>> --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if
>> @@ -680,6 +680,24 @@ interface(`ssh_agent_exec',`
>> can_exec($1, ssh_agent_exec_t)
>> ')
>>
>> +########################################
>> +## <summary>
>> +## Search for keys in non-standard location
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`ssh_search_dir',`
>> + gen_require(`
>> + type sshd_t;
>> + ')
>> +
>> + allow sshd_t $1:dir search_dir_perms;
>
> This is generally not allowed. The caller should generally be the source.
> Regardless of the above. Keys should be in user home
> directories. I wonder what specific scenario prompted you to
> propose this interface?
GIT hosting software like gitolite/gitosis/gitea manage users ssh keys and
store them own location like /var/lib/gitolite/.ssh .
/var/lib/gitolite have gitosis_var_lib_t type,
/var/lib/gitolite/.ssh have gitosis_ssh_home_t type (in patched policy
which
I want to submit).
If sshd does not have { search getattr } permissions to full path to ssh
key
user fail to login.
Can you propose corret way to give such permissions to multiple policies?
It is incorrect to label /var/lib/gitolite as user_home_dir_t type, IMHO.
>> +')
>> +
>> ########################################
>> ## <summary>
>> ## Read ssh home directory content ...
>
next prev parent reply other threads:[~2019-06-20 15:06 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-20 14:41 [PATCH v2 0/2] ssh policy new interfaces Alexander Miroshnichenko
2019-06-20 14:41 ` [PATCH v2 1/2] ssh: Add ssh_exec_keygen interface Alexander Miroshnichenko
2019-06-20 14:46 ` Dominick Grift
2019-06-20 14:41 ` [PATCH v2 2/2] ssh: Add interface ssh_search_dir Alexander Miroshnichenko
2019-06-20 14:50 ` Dominick Grift
2019-06-20 15:05 ` Alexander Miroshnichenko [this message]
2019-06-20 15:27 ` Dominick Grift
2019-06-20 15:38 ` Alexander Miroshnichenko
2019-06-20 15:50 ` Dominick Grift
2019-06-20 15:40 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=642ea6d9-97c9-4ec4-a7ed-84995a953b48@millerson.name \
--to=alex@millerson.name \
--cc=dac.override@gmail.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).