From: Alexander Miroshnichenko
To: Dominick Grift
Subject: Re: [PATCH v2 2/2] ssh: Add interface ssh_search_dir
Date: Thu, 20 Jun 2019 18:05:57 +0300
Message-ID: <642ea6d9-97c9-4ec4-a7ed-84995a953b48@millerson.name>
In-Reply-To: <20190620145011.GC2647@brutus.lan>
References: <20190620144138.15172-1-alex@millerson.name> <20190620144138.15172-3-alex@millerson.name> <20190620145011.GC2647@brutus.lan>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thursday, 20 June 2019 17:50:11 MSK, Dominick Grift wrote:
> On Thu, Jun 20, 2019 at 05:41:38PM +0300, Alexander Miroshnichenko wrote:
>> Create interface ssh_search_dir to allow ssh_server search for
>> keys in non-standard location.
>>
>> Signed-off-by: Alexander Miroshnichenko
>> ---
>>  policy/modules/services/ssh.if | 18 ++++++++++++++++++
>>  1 file changed, 18 insertions(+)
>>
>> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
>> index 0941f133711e..51c64ded00c4 100644
>> --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if
>> @@ -680,6 +680,24 @@ interface(`ssh_agent_exec',`
>>  	can_exec($1, ssh_agent_exec_t)
>>  ')
>>  
>> +########################################
>> +##
>> +## Search for keys in non-standard location
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`ssh_search_dir',`
>> + gen_require(`
>> + type sshd_t;
>> + ')
>> +
>> +	allow sshd_t $1:dir search_dir_perms;
>
> This is generally not allowed. The caller should generally be the source.
> Regardless of the above, keys should be in user home
> directories. I wonder what specific scenario prompted you to
> propose this interface?

Git hosting software like gitolite/gitosis/gitea manages users' ssh keys and
stores them in its own location, like /var/lib/gitolite/.ssh.
/var/lib/gitolite has the gitosis_var_lib_t type,
/var/lib/gitolite/.ssh has the gitosis_ssh_home_t type (in the patched policy
which I want to submit).
If sshd does not have { search getattr } permissions on the full path to the ssh
key, users fail to log in.
Can you propose a correct way to give such permissions to multiple policies?
It is incorrect to label /var/lib/gitolite as user_home_dir_t type, IMHO.

>> +')
>> +
>>  ########################################
>>  ##
>>  ##	Read ssh home directory content
...
>
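Review bot: the parameter documentation in the `ssh_search_dir` hunk says "Domain allowed access.", but `$1` is used as the target in `allow sshd_t $1:dir search_dir_perms;` while `sshd_t` is hard-coded as the subject, so the text should describe a directory type, not a domain; this is the same inversion the reply points out, since refpolicy interfaces normally make the calling domain the source of the rule. Because the rule covers one type per call, every directory type on the key path (both `gitosis_var_lib_t` and `gitosis_ssh_home_t` in the reply) would need its own call of the interface. The added lines also mix indentation: `+ gen_require(`` and `+ type sshd_t;` are space-indented while `+	allow sshd_t ...` and the surrounding context lines use tabs, as the rest of ssh.if does.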
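The reply argues that sshd needs search access on every directory type between / and the key file. The following POSIX shell script is an added example, not part of the thread or of refpolicy: it lists each ancestor directory of a key path together with the SELinux type it carries, so an administrator can see which types a rule like the one in the patch would have to cover, and, when setools is installed, asks the loaded policy whether `sshd_t` may search a given type. The path `/var/lib/gitolite/.ssh` and the type names `gitosis_var_lib_t` and `gitosis_ssh_home_t` come from the reply; the file name `authorized_keys` and the full context strings used in the demo are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or refpolicy): enumerate the directory
# types along the path to an ssh key so that the sshd_t search rules can be
# checked against every one of them.

# Print every ancestor directory of the absolute path $1, shallowest first,
# one per line. The root directory itself is omitted.
path_ancestors() {
    case $1 in
        /*) ;;
        *) echo "path_ancestors: need an absolute path" >&2; return 1 ;;
    esac
    p=$1
    out=""
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
        if [ "$p" = "/" ]; then
            break
        fi
        out="$p
$out"
    done
    printf '%s' "$out"
}

# Extract the type field from an SELinux context string
# ("user:role:type:level" -> "type"). Prints "-" when the argument is not a
# context, which is what `stat -c %C` yields on a host without SELinux.
context_type() {
    case $1 in
        *:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *) printf '%s\n' '-' ;;
    esac
}

# For every ancestor of the key path print "<dir> <type>", reading the
# context with GNU stat. Each type listed is one on which the sshd domain
# needs the { search getattr } permissions the reply describes.
label_ancestors() {
    path_ancestors "$1" | while IFS= read -r dir; do
        ctx=$(stat -c '%C' "$dir" 2>/dev/null || printf '?')
        printf '%s %s\n' "$dir" "$(context_type "$ctx")"
    done
}

# Ask the loaded policy (setools' sesearch) whether sshd_t may search
# directories of type $1. Skipped with status 2 when sesearch is absent.
check_search_allowed() {
    command -v sesearch >/dev/null 2>&1 || {
        echo "sesearch not available, skipping policy query" >&2
        return 2
    }
    sesearch -A -s sshd_t -t "$1" -c dir -p search
}

# Demo on the path from the reply; `authorized_keys` is an assumed file name
# and the two context strings are constructed for illustration.
label_ancestors /var/lib/gitolite/.ssh/authorized_keys
context_type "system_u:object_r:gitosis_var_lib_t:s0"   # gitosis_var_lib_t
context_type "system_u:object_r:gitosis_ssh_home_t:s0"  # gitosis_ssh_home_t
```

On a host without the gitolite directories the demo prints `-` for every component; on an SELinux host it shows the real types, and `check_search_allowed gitosis_var_lib_t` then confirms whether the policy already grants the search rule before a new interface is added.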