From owner-p4-projects@FreeBSD.ORG Thu Dec 30 13:58:09 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 1B82016A4D1; Thu, 30 Dec 2004 13:58:09 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB42C16A4CE for ; Thu, 30 Dec 2004 13:58:08 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8ADB643D1F for ; Thu, 30 Dec 2004 13:58:08 +0000 (GMT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id iBUDw8cC015875 for ; Thu, 30 Dec 2004 13:58:08 GMT (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id iBUDw8vR015872 for perforce@freebsd.org; Thu, 30 Dec 2004 13:58:08 GMT (envelope-from areisse@nailabs.com) Date: Thu, 30 Dec 2004 13:58:08 GMT Message-Id: <200412301358.iBUDw8vR015872@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f 
From: Andrew Reisse
To: Perforce Change Reviews
Subject: PERFORCE change 67894 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 30 Dec 2004 13:58:09 -0000
http://perforce.freebsd.org/chv.cgi?CH=67894
Change 67894 by areisse@areisse_tislabs on 2004/12/30 13:57:50
Add UseLogin support back to the ssh policy (the current NSA policy dropped support for this) Fix labelling of newrole. The system now boots and runs in enforcing mode, but very little has been tested (console logins and ssh).
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#9 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/newrole.fc#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/admin_macros.te#5 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#9 (text+ko) ====
@@ -126,6 +126,7 @@
 # type of the pty for the child
 define(`sshd_spawn_domain', `
 login_spawn_domain($1, $2)
+domain_auto_trans($1_t, shell_exec_t, user_t)
 ifdef(`xauth.te', `
 domain_trans($1_t, xauth_exec_t, $2)
 ')
@@ -211,6 +212,10 @@
 role_transition sysadm_r sshd_exec_t system_r;
 ')
+# for UseLogin
+sshd_program_domain(sshd_login)
+domain_auto_trans(sshd_t, login_exec_t, sshd_login_t)
+
 undefine(`sshd_program_domain')
 # so a tunnel can point to another ssh tunnel...
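Review bot: The added `domain_auto_trans($1_t, shell_exec_t, user_t)` hard-codes `user_t` as the default domain for every shell executed from `$1_t`, while the macro takes `$2` as the target domain and hands it to `login_spawn_domain($1, $2)` and `domain_trans($1_t, xauth_exec_t, $2)` on the neighbouring lines. If each spawned session is meant to land in the caller-chosen domain, the line should read `domain_auto_trans($1_t, shell_exec_t, $2)`; if `user_t` is really intended as the fixed default, say so in a comment, because a default type transition is keyed only on the source and executable types, so every domain built with this macro gets the same default. The same fixed `user_t` target appears in the `sshd_login_t` rules added in the third hunk (`domain_auto_trans(sshd_login_t, shell_exec_t, user_t)`). The `sshd_spawn_domain` definition continues past the end of the hunk, so it cannot be checked here whether anything later in the macro depends on `$2` for the shell transition.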
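Review bot: The comment `# for UseLogin` does not say what the two new lines set up: `sshd_program_domain(sshd_login)` gives the new `sshd_login_t` the complete rule set of that macro, and `domain_auto_trans(sshd_t, login_exec_t, sshd_login_t)` makes `login_exec_t` its entry point from `sshd_t`. Suggest expanding it to `# UseLogin: sshd execs login(1); run it in its own domain, sshd_login_t, not in sshd_t. Its rules are at the end of this file.` so a reader can find the rules added in the third hunk. Whether everything `sshd_program_domain` grants is appropriate for a login helper cannot be judged from this hunk, since the macro body is not shown; it is worth checking before relying on the separate domain for containment.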
@@ -269,3 +274,31 @@
 allow user_cvs_rw_t sshd_t:fd use;
 ')
+
+#################################
+
+# Rules for the sshd_login_t domain
+
+# sshd_login_t is the domain of a login process
+# spawned by sshd
+read_locale(sshd_login_t);
+
+# Use the pty created by sshd
+allow sshd_login_t sshd_devpts_t:chr_file { setattr rw_file_perms poll };
+
+# Write to /var/log/lastlog
+allow sshd_login_t lastlog_t:file rw_file_perms;
+
+# Relabel ptys created by sshd
+allow sshd_login_t sshd_devpts_t:chr_file { relabelfrom relabelto };
+allow sshd_login_t userpty_type:chr_file { getattr relabelfrom relabelto };
+
+# open old-style ptys
+#allow sshd_login_t devpts_t:chr_file { read write relabelfrom relabelto getattr setattr };
+
+allow sshd_login_t self:capability { linux_immutable sys_resource };
+
+# run user shells
+domain_auto_trans(sshd_login_t, shell_exec_t, user_t)
+domain_trans(sshd_login_t, shell_exec_t, unpriv_userdomain)
+
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/newrole.fc#5 (text+ko) ====
@@ -1,2 +1,2 @@
 # newrole
-/usr/bin/newrole -- system_u:object_r:newrole_exec_t
+/usr/sbin/sebsd_newrole -- system_u:object_r:newrole_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/admin_macros.te#5 (text+ko) ====
@@ -25,6 +25,7 @@
 # Type for tty devices.
 type $1_tty_device_t, file_type, sysadmfile, ttyfile;
+allow $1_tty_device_t device_t:filesystem associate;
 # Inherit rules for ordinary users.
 base_user_domain($1)
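Review bot: `read_locale(sshd_login_t);` carries a trailing semicolon while the other macro calls in the hunk (`domain_auto_trans`, `domain_trans`) do not; unless `read_locale` expands to something that needs the terminator, drop it so the block is consistent, `read_locale(sshd_login_t)`. The commented-out `#allow sshd_login_t devpts_t:chr_file { ... }` under `# open old-style ptys` is dead policy; either remove it or turn the comment into the reason it is kept, e.g. `# old-style ptys (devpts_t): rule disabled because <reason>` with the reason filled in. The hunk also adds an empty line as the new last line of the file, which could be dropped.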
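Review bot: The new `allow $1_tty_device_t device_t:filesystem associate;` in admin_macros.te has no comment, while the declarations around it do; `associate` on the `filesystem` class is what permits files of type `$1_tty_device_t` to exist on a filesystem labelled `device_t`, so a line such as `# Allow $1_tty_device_t ttys to live on a device_t filesystem` placed above it would make the intent clear. Presumably this is needed because ttys on this system sit on a device_t-labelled devfs rather than on a devpts_t filesystem; that is worth stating in the comment if it is the case. The rule sits directly under the `type $1_tty_device_t` declaration it applies to, and the enclosing macro definition starts and ends outside the hunk.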