PERFORCE change 38890 for review

Andrew Reisse areisse at FreeBSD.org
Tue Sep 30 15:40:45 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=38890

Change 38890 by areisse at areisse_tislabs on 2003/09/30 08:39:52

	Allow limited remote command execution from sshd.
	Initial policy for cvs. To use the "secure" cvs, it must be accessed from ssh
	via a repository specification such as :ext:localhost:/cvs. Repositories
	must be labelled with user_cvsrep_t or similar.

Affected files ...

.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#5 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/unused/cvs.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/program/cvs.fc#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#3 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#4 edit
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/cvs_macros.te#1 add
.. //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/ssh_macros.te#4 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd_policy/policy/domains/program/ssh.te#5 (text+ko) ====

@@ -204,3 +204,24 @@
 # Everything else is in the ssh_domain macro in
 # macros/program/ssh_macros.te.
 
+# Transitory domain to run cvs from sshd
+ifdef(`cvs.te',`
+type sshd_user_shell_t, domain;
+domain_auto_trans(sshd_t, shell_exec_t, sshd_user_shell_t)
+domain_auto_trans(sshd_user_shell_t, cvs_exec_t, user_cvs_rw_t)
+role system_r types sshd_user_shell_t;
+role system_r types user_cvs_rw_t;
+
+allow sshd_user_shell_t { self sshd_t }:fd { create use };
+allow sshd_user_shell_t { sbin_t bin_t home_root_t user_home_dir_t usr_t etc_t }:dir search;
+allow sshd_user_shell_t etc_t:file r_file_perms;
+allow sshd_user_shell_t { sbin_t bin_t }:file rx_file_perms;
+allow sshd_user_shell_t { sbin_t bin_t }:file execute_no_trans;
+
+uses_shlib(sshd_user_shell_t)
+
+allow sshd_user_shell_t user_home_t:file r_file_perms;
+allow sshd_user_shell_t { user_home_dir_t user_home_t }:dir r_dir_perms;
+
+allow user_cvs_rw_t sshd_t:fd use;
+')
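Review bot: The `allow sshd_user_shell_t { sbin_t bin_t }:file execute_no_trans;` rule lets anything running as sshd_user_shell_t execute every program in bin_t/sbin_t in its own domain, which is broader than the "limited remote command execution" this change describes; the only command the transitory domain visibly needs is cvs, already covered by the `domain_auto_trans(sshd_user_shell_t, cvs_exec_t, user_cvs_rw_t)` line, and the preceding `rx_file_perms` rule already grants execute on those types. If cvs-only is the intent, drop the execute_no_trans line (and consider narrowing the rx_file_perms rule to what the shell itself needs); if the breadth is deliberate, record it with a comment such as `# NOTE: execute_no_trans lets the remote shell run any bin_t/sbin_t program without leaving sshd_user_shell_t; since this domain can also read user_home_t files, keep the executable types minimal`. Separately, the affected-files list shows cvs.te being added under domains/program/unused/, so the `ifdef(`cvs.te',` guard around this block will presumably stay false until that file is moved into domains/program/ — worth stating in the commit message or in a comment on the ifdef line.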

==== //depot/projects/trustedbsd/sebsd_policy/policy/file_contexts/types.fc#3 (text+ko) ====

@@ -84,8 +84,8 @@
 /home/[^/]+	-d		system_u:object_r:user_home_dir_t
 /home/[^/]+/.+			system_u:object_r:user_home_t
 /usr/home			system_u:object_r:home_root_t
-/home/[^/]+	-d		system_u:object_r:user_home_dir_t
-/home/[^/]+/.+			system_u:object_r:user_home_t
+/usr/home/[^/]+	-d		system_u:object_r:user_home_dir_t
+/usr/home/[^/]+/.+		system_u:object_r:user_home_t
 
 #
 # Other staff home directories, replace "jadmin" with appropriate name

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#4 (text+ko) ====

@@ -706,7 +706,7 @@
 # Access file descriptions, pipes, and sockets
 # created by processes in the same domain.
 allow $1 self:fd *;
-allow $1 self:fifo_file rw_file_perms;
+allow $1 self:fifo_file { poll rw_file_perms };
 allow $1 self:unix_dgram_socket create_socket_perms;
 allow $1 self:unix_stream_socket create_stream_socket_perms;
 

==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/program/ssh_macros.te#4 (text+ko) ====

@@ -128,6 +128,8 @@
 allow $1_ssh_t $1_tty_device_t:chr_file { poll rw_file_perms };
 allow $1_ssh_t $1_devpts_t:chr_file { poll rw_file_perms };
 
+allow $1_ssh_t $1_t:fifo_file poll;
+
 # Allow the user shell to signal the ssh program.
 allow $1_t $1_ssh_t:process signal;
 # allow ps to show ssh
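Review bot: The new `allow $1_ssh_t $1_t:fifo_file poll;` rule is the only one in this stretch without a comment, while each of its neighbours explains why the access is granted; a one-liner such as `# Let ssh poll(2)/select(2) on pipes it inherits from the user shell (e.g. when ssh is the transport for cvs).` would keep the macro readable. The cvs motivation is inferred from the ssh.te change in the same commit, so adjust the wording if a different program triggered the denial. The enclosing ssh macro begins and ends outside the hunk.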