From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
Date: Wed, 4 Mar 2015 17:03:04 +0000 (UTC) [thread overview]
Message-ID: <1425487353.66bb200d47dcfa85b39c491171b4f3a6a4f341ed.swift@gentoo> (raw)
commit: 66bb200d47dcfa85b39c491171b4f3a6a4f341ed
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 4 16:42:33 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar 4 16:42:33 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66bb200d
Support SSH agent forwarding
When using SSH agent forwarding, the SSH daemon creates the necessary
sockets somewhere in a random /tmp/ssh-* location. These sockets get the
sshd_tmp_t type associated.
Currently, the SSH client (running as ssh_t) does not have any
privileges on sshd_tmp_t *socket* files, but it has manage rights on the
*regular* files. This means that any attempt to make use of the agent
forwarding (i.e. from the logged-in server, attempt to SSH to another
server while using the SSH agent running on the users' workstation) will
fail.
By granting rw_socket_file_perms permissions to ssh_t against the
sshd_tmp_t socket files, agent forwarding is working well.
X-Gentoo-Bug: 529336
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=529336
policy/modules/services/ssh.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 147888c..b63f585 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -358,3 +358,8 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
+
+ifdef(`distro_gentoo',`
+ # Fix bug #529336 - Allow ssh_t to read/write sshd_tmp_t sockets (ssh agent forwarding)
+ allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;
+')
WARNING: multiple messages have this Message-ID (diff)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Wed, 4 Mar 2015 16:45:06 +0000 (UTC) [thread overview]
Message-ID: <1425487353.66bb200d47dcfa85b39c491171b4f3a6a4f341ed.swift@gentoo> (raw)
Message-ID: <20150304164506.Pysgns3qo0k356hzPYYx62G_pSgQDnBx52iVm_tK9pw@z> (raw)
commit: 66bb200d47dcfa85b39c491171b4f3a6a4f341ed
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 4 16:42:33 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar 4 16:42:33 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66bb200d
Support SSH agent forwarding
When using SSH agent forwarding, the SSH daemon creates the necessary
sockets somewhere in a random /tmp/ssh-* location. These sockets get the
sshd_tmp_t type associated.
Currently, the SSH client (running as ssh_t) does not have any
privileges on sshd_tmp_t *socket* files, but it has manage rights on the
*regular* files. This means that any attempt to make use of the agent
forwarding (i.e. from the logged-in server, attempt to SSH to another
server while using the SSH agent running on the users' workstation) will
fail.
By granting rw_socket_file_perms permissions to ssh_t against the
sshd_tmp_t socket files, agent forwarding is working well.
X-Gentoo-Bug: 529336
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=529336
policy/modules/services/ssh.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 147888c..b63f585 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -358,3 +358,8 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
+
+ifdef(`distro_gentoo',`
+ # Fix bug #529336 - Allow ssh_t to read/write sshd_tmp_t sockets (ssh agent forwarding)
+ allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;
+')
next reply other threads:[~2015-03-04 17:03 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-04 17:03 Sven Vermeulen [this message]
2015-03-04 16:45 ` [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ Sven Vermeulen
-- strict thread matches above, loose matches on Subject: below --
2015-08-02 19:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-02 19:26 Jason Zaman
2015-10-10 16:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-11 10:48 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:24 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 14:24 Jason Zaman
2017-01-01 16:37 Jason Zaman
2017-09-10 14:03 Jason Zaman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1425487353.66bb200d47dcfa85b39c491171b4f3a6a4f341ed.swift@gentoo \
--to=swift@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox