Date: Thu, 30 Dec 2004 13:58:08 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 67894 for review Message-ID: <200412301358.iBUDw8vR015872@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=67894
Change 67894 by areisse@areisse_tislabs on 2004/12/30 13:57:50
Add UseLogin support back to the ssh policy (the current NSA policy dropped support for this)
Fix labelling of newrole.
The system now boots and runs in enforcing mode, but very little has been tested (console logins and ssh).
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#9 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/newrole.fc#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/admin_macros.te#5 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#9 (text+ko) ====
@@ -126,6 +126,7 @@
 # type of the pty for the child
 define(`sshd_spawn_domain', `
 login_spawn_domain($1, $2)
+domain_auto_trans($1_t, shell_exec_t, user_t)
 ifdef(`xauth.te', `
 domain_trans($1_t, xauth_exec_t, $2)
 ')
@@ -211,6 +212,10 @@
 role_transition sysadm_r sshd_exec_t system_r;
 ')
+# for UseLogin
+sshd_program_domain(sshd_login)
+domain_auto_trans(sshd_t, login_exec_t, sshd_login_t)
+
 undefine(`sshd_program_domain')
 # so a tunnel can point to another ssh tunnel...
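Review bot: The `domain_auto_trans($1_t, shell_exec_t, user_t)` added inside `sshd_spawn_domain` hard-codes `user_t` even though the macro receives the user domain as `$2`, which the `domain_trans($1_t, xauth_exec_t, $2)` two lines below uses, so every instantiation of the macro gets the same default transition into `user_t` whatever domain it was instantiated for. If a shell execed directly by an sshd domain is meant to always start in the plain user domain, a comment such as `# shells execed directly by sshd (no UseLogin) always start in user_t` would keep the next reader from changing it to `$2`; otherwise `$2` looks like the intended target. The macro body starts before and continues past the hunk, so `login_spawn_domain($1, $2)` may already declare a default transition for `shell_exec_t`, and a second type_transition for the same source and target would conflict at policy compile time — worth checking against its definition.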
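Review bot: The UseLogin transition `domain_auto_trans(sshd_t, login_exec_t, sshd_login_t)` is declared only for `sshd_t`, while the rest of this file parameterizes sshd behaviour through `sshd_program_domain` and `sshd_spawn_domain` with a `$1` domain; if another sshd domain is instantiated through those macros, it gets no transition when it execs login, so login would run in that sshd domain or be denied. The `# for UseLogin` comment could also say what is being set up, e.g. `# UseLogin: sshd execs login(1) for the session; run it in its own domain, sshd_login_t`. The `sshd_program_domain` macro this relies on is defined outside the hunk, so what `sshd_login_t` inherits from it (roles, capabilities) cannot be checked here.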
@@ -269,3 +274,31 @@
 allow user_cvs_rw_t sshd_t:fd use;
 ')
+
+#################################
+#
+# Rules for the sshd_login_t domain
+#
+# sshd_login_t is the domain of a login process
+# spawned by sshd read_locale(sshd_login_t);
+
+# Use the pty created by sshd
+allow sshd_login_t sshd_devpts_t:chr_file { setattr rw_file_perms poll };
+
+# Write to /var/log/lastlog
+allow sshd_login_t lastlog_t:file rw_file_perms;
+
+# Relabel ptys created by sshd
+allow sshd_login_t sshd_devpts_t:chr_file { relabelfrom relabelto };
+allow sshd_login_t userpty_type:chr_file { getattr relabelfrom relabelto };
+
+# open old-style ptys
+#allow sshd_login_t devpts_t:chr_file { read write relabelfrom relabelto getattr setattr };
+
+allow sshd_login_t self:capability { linux_immutable sys_resource };
+
+# run user shells
+domain_auto_trans(sshd_login_t, shell_exec_t, user_t)
+domain_trans(sshd_login_t, shell_exec_t, unpriv_userdomain)
+
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/newrole.fc#5 (text+ko) ====
@@ -1,2 +1,2 @@
 # newrole
-/usr/bin/newrole -- system_u:object_r:newrole_exec_t
+/usr/sbin/sebsd_newrole -- system_u:object_r:newrole_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/admin_macros.te#5 (text+ko) ====
@@ -25,6 +25,7 @@
 # Type for tty devices.
 type $1_tty_device_t, file_type, sysadmfile, ttyfile;
+allow $1_tty_device_t device_t:filesystem associate;
 # Inherit rules for ordinary users.
 base_user_domain($1)
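Review bot: `allow sshd_login_t self:capability { linux_immutable sys_resource };` is the broadest rule in the new sshd_login_t block and carries no justification: `linux_immutable` lets the login helper override immutable and append-only file flags, which is more than the `lastlog_t` write rule above it needs on its own. If it is there for one specific file, a why-comment naming it (`# linux_immutable: <append-only log file> — confirm`) makes the grant auditable; if it was carried over from the login domain without a known need, dropping it keeps `sshd_login_t` at least privilege. Two smaller points in the same block: as the archive renders it, `read_locale(sshd_login_t);` sits on the `# spawned by sshd` comment line and would be commented out if the file really reads that way (the hunk header's line counts suggest a lost line break rather than the file's content, so please verify in the source), and the commented-out `#allow sshd_login_t devpts_t:chr_file ...` rule should either be removed or get a note saying when it is needed.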