PERFORCE change 67894 for review

Andrew Reisse areisse at FreeBSD.org
Thu Dec 30 13:58:08 GMT 2004


http://perforce.freebsd.org/chv.cgi?CH=67894

Change 67894 by areisse at areisse_tislabs on 2004/12/30 13:57:50

	Add UseLogin support back to the ssh policy (the current NSA policy
	dropped support for this)
	Fix labelling of newrole.
	The system now boots and runs in enforcing mode, but very little has
	been tested (console logins and ssh).

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#9 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/newrole.fc#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/admin_macros.te#5 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#9 (text+ko) ====

@@ -126,6 +126,7 @@
 # type of the pty for the child
 define(`sshd_spawn_domain', `
 login_spawn_domain($1, $2)
+domain_auto_trans($1_t, shell_exec_t, user_t)
 ifdef(`xauth.te', `
 domain_trans($1_t, xauth_exec_t, $2)
 ')
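Review bot: The added `domain_auto_trans($1_t, shell_exec_t, user_t)` hard-codes `user_t` inside a macro whose other transitions (`login_spawn_domain($1, $2)` and the xauth `domain_trans`) are parameterised on `$2`. Every domain instantiated through `sshd_spawn_domain` therefore gets a default shell transition into `user_t`, whatever target set the caller passed. If this is meant as the fallback when the daemon requests no exec context, say so above the line, e.g. `# default shell domain when no exec context is set (needed for UseLogin)`. The third ssh.te hunk adds the same transition for `sshd_login_t` explicitly, so it is worth checking whether that domain also passes through this macro and ends up with the rule twice. The macro body starts and ends outside this hunk.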
@@ -211,6 +212,10 @@
 role_transition sysadm_r sshd_exec_t system_r;
 ')
 
+# for UseLogin
+sshd_program_domain(sshd_login)
+domain_auto_trans(sshd_t, login_exec_t, sshd_login_t)
+
 undefine(`sshd_program_domain')
 
 # so a tunnel can point to another ssh tunnel...
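Review bot: `sshd_program_domain(sshd_login)` builds the login helper's domain from the same template used for the daemon, which is probably broader than a process that only runs login(1) needs. The template body is not visible in this hunk, so check what attributes and permissions it grants before relying on it. Both added lines are also unconditional, so the `sshd_t` to `sshd_login_t` transition on `login_exec_t` is present in the policy even on systems that never enable UseLogin; an `ifdef` guard like the xauth one earlier in this file would keep it out by default. The comment `# for UseLogin` could say what happens, e.g. `# UseLogin: sshd execs login, which runs in sshd_login_t`.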
@@ -269,3 +274,31 @@
 
 allow user_cvs_rw_t sshd_t:fd use;
 ')
+
+#################################
+#
+# Rules for the sshd_login_t domain
+#
+# sshd_login_t is the domain of a login process
+# spawned by sshd
+read_locale(sshd_login_t);
+
+# Use the pty created by sshd
+allow sshd_login_t sshd_devpts_t:chr_file { setattr rw_file_perms poll };
+
+# Write to /var/log/lastlog
+allow sshd_login_t lastlog_t:file rw_file_perms;
+
+# Relabel ptys created by sshd
+allow sshd_login_t sshd_devpts_t:chr_file { relabelfrom relabelto };
+allow sshd_login_t userpty_type:chr_file { getattr relabelfrom relabelto };
+
+# open old-style ptys
+#allow sshd_login_t devpts_t:chr_file { read write relabelfrom relabelto getattr setattr };
+
+allow sshd_login_t self:capability { linux_immutable sys_resource };
+
+# run user shells
+domain_auto_trans(sshd_login_t, shell_exec_t, user_t)
+domain_trans(sshd_login_t, shell_exec_t, unpriv_userdomain)
+
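Review bot: `allow sshd_login_t self:capability { linux_immutable sys_resource };` is the only new rule in this block without a comment, and it is also the most privileged one. `linux_immutable` in particular is a strong capability to hand to a process reached over the network, and the description says little has been tested, so each capability should be confirmed against an actual denial in the audit log and dropped if none appears. Add a comment above it, e.g. `# sys_resource: <reason>; linux_immutable: <reason>`. The commented-out `devpts_t` rule under `# open old-style ptys` should either be removed or marked with the condition under which it would be re-enabled.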

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/newrole.fc#5 (text+ko) ====

@@ -1,2 +1,2 @@
 # newrole
-/usr/bin/newrole	--		system_u:object_r:newrole_exec_t
+/usr/sbin/sebsd_newrole	--		system_u:object_r:newrole_exec_t

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/admin_macros.te#5 (text+ko) ====

@@ -25,6 +25,7 @@
 
 # Type for tty devices.
 type $1_tty_device_t, file_type, sysadmfile, ttyfile;
+allow $1_tty_device_t device_t:filesystem associate;
 
 # Inherit rules for ordinary users.
 base_user_domain($1)
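Review bot: The new `allow $1_tty_device_t device_t:filesystem associate;` has no comment and is added for one type at a time inside this macro. The type is declared with the `ttyfile` attribute on the line above, so if other tty device types need the same association, a single rule on the attribute (`allow ttyfile device_t:filesystem associate;`) placed outside the macro would cover them all and avoid repeating the fix in the user macros. If it stays here, a comment such as `# tty device nodes live on the device_t filesystem` would explain why it is needed. The enclosing macro starts and ends outside this hunk.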