Hi,

Since I upgraded to Fedora 8 selinux has started blocking pam_ssh (sets
up ssh-agent when you log in) from working.

I've made a policy module which I plan to propose for the rpm (see
below) but I wanted to check here first to make sure it's all sane. All
the permissions I've granted were asked for at some point on the gdm
login, it took several iterations to get it working. I've copied them
for console and ssh since I also have it configured for those.

Any feedback welcome.

Cheers,

Martin.


policy_module(pam_ssh,VERSION)

require {
type local_login_t;
type local_login_tmp_t;
type ssh_agent_exec_t;
type sshd_t;
type xdm_t;
type user_home_ssh_t;
type var_run_t;
class dir { write add_name };
class file { read getattr execute execute_no_trans };
class sock_file create;
}

allow local_login_t ssh_agent_exec_t:file { read execute
execute_no_trans };
allow local_login_t user_home_ssh_t:file { read getattr };
allow local_login_t var_run_t:dir { write add_name };
allow local_login_t var_run_t:file { create read getattr };
allow local_login_t local_login_tmp_t:sock_file create;

allow sshd_t ssh_agent_exec_t:file { read execute execute_no_trans };
allow sshd_t user_home_ssh_t:file { read getattr };
allow sshd_t var_run_t:dir { write add_name };
allow sshd_t var_run_t:file { create read getattr };
allow sshd_t local_login_tmp_t:sock_file create;

allow xdm_t ssh_agent_exec_t:file { read execute execute_no_trans };
allow xdm_t user_home_ssh_t:file { read getattr };
allow xdm_t var_run_t:dir { write add_name };
allow xdm_t var_run_t:file { create read getattr };
allow xdm_t local_login_tmp_t:sock_file create;


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list