From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-779388-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 40613138CC1
	for <garchives@archives.gentoo.org>; Wed,  4 Mar 2015 17:03:10 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 642ACE08E0;
	Wed,  4 Mar 2015 17:03:09 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 03CBEE08DC
	for <gentoo-commits@lists.gentoo.org>; Wed,  4 Mar 2015 17:03:08 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 1A0633407C9
	for <gentoo-commits@lists.gentoo.org>; Wed,  4 Mar 2015 17:03:08 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id AA53F13091
	for <gentoo-commits@lists.gentoo.org>; Wed,  4 Mar 2015 17:03:04 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1425487353.66bb200d47dcfa85b39c491171b4f3a6a4f341ed.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/ssh.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 66bb200d47dcfa85b39c491171b4f3a6a4f341ed
X-VCS-Branch: next
Date: Wed,  4 Mar 2015 17:03:04 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 301fbe81-cd65-49ff-819a-c64444e42ea6
X-Archives-Hash: a7fc71af7fde164e817a5a93be0618ef

commit:     66bb200d47dcfa85b39c491171b4f3a6a4f341ed
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar  4 16:42:33 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar  4 16:42:33 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66bb200d

Support SSH agent forwarding

When using SSH agent forwarding, the SSH daemon creates the necessary
sockets somewhere in a random /tmp/ssh-* location. These sockets get the
sshd_tmp_t type associated.

Currently, the SSH client (running as ssh_t) does not have any
privileges on sshd_tmp_t *socket* files, but it has manage rights on the
*regular* files. This means that any attempt to make use of the agent
forwarding (i.e. from the logged-in server, attempt to SSH to another
server while using the SSH agent running on the user's workstation) will
fail.

By granting rw_socket_file_perms permissions to ssh_t against the
sshd_tmp_t socket files, agent forwarding is working well.

X-Gentoo-Bug: 529336
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=529336

 policy/modules/services/ssh.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 147888c..b63f585 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -358,3 +358,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
+
+ifdef(`distro_gentoo',`
+	# Fix bug #529336 - Allow ssh_t to read/write sshd_tmp_t sockets (ssh agent forwarding)
+	allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;
+')
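Review bot: the sock_file rule alone may not be enough for agent forwarding to work: after opening the agent socket file, the ssh client connect()s to the socket that sshd holds, which needs `connectto` on sshd_t's unix_stream_socket for ssh_t, and this hunk does not grant that. Please confirm that permission already exists elsewhere in the ssh_t client policy (it is not visible in this hunk) or add `allow ssh_t sshd_t:unix_stream_socket connectto;` next to the new line, with a comment saying it is for the forwarded agent. Also worth noting in the comment that the rule is type-level: it lets any ssh_t process read and write any sshd_tmp_t sock_file, not only the caller's own agent socket, so whatever isolation remains comes from outside this policy.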


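The commit message above (and its duplicate in the master-branch notification below) describes a denial that is only visible as AVC records: ssh_t touching an sshd_tmp_t sock_file. The following script is an added example, not code from the Gentoo commit or from refpolicy. It parses constructed AVC denial lines of that shape, derives the minimal allow rules they call for, and then checks which of them a policy snippet already covers, expanding the refpolicy permission-set macro used in the patch. The audit lines are made up for the example (including a unix_stream_socket `connectto` denial, to show a rule the patch does not cover), and the expansion of `rw_sock_file_perms` to `{ getattr open read write }` is assumed from refpolicy's obj_perm_sets.spt rather than read from the page.

```python
"""Derive SELinux allow rules from AVC denials and compare them with a policy
snippet. Added example; not part of the hardened-refpolicy commit."""
import re
from collections import defaultdict

# Constructed sample audit records (not captured from a real host). The layout
# follows the kernel's "avc:  denied  { perms } for ... scontext= tcontext= tclass="
# format; the connectto line is included on purpose to show an uncovered denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1425487353.123:4567): avc:  denied  { write } for  pid=2233 comm="ssh" name="agent.2200" dev="tmpfs" ino=40110 scontext=staff_u:staff_r:ssh_t:s0 tcontext=staff_u:object_r:sshd_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1425487353.124:4568): avc:  denied  { connectto } for  pid=2233 comm="ssh" path="/tmp/ssh-abc123/agent.2200" scontext=staff_u:staff_r:ssh_t:s0 tcontext=staff_u:staff_r:sshd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1425487353.125:4569): avc:  denied  { getattr } for  pid=2233 comm="ssh" name="agent.2200" dev="tmpfs" ino=40110 scontext=staff_u:staff_r:ssh_t:s0 tcontext=staff_u:object_r:sshd_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1425487353.123:4567): arch=c000003e syscall=42 success=no exit=-13
"""

# The rule from the commit, as it appears in the diff (m4 wrapper included).
COMMIT_RULE = """\
ifdef(`distro_gentoo',`
	# Fix bug #529336 - Allow ssh_t to read/write sshd_tmp_t sockets (ssh agent forwarding)
	allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;
')
"""

# Assumed expansion of the refpolicy macro (obj_perm_sets.spt); only the one
# macro the patch uses is listed.
PERM_SETS = {
    "rw_sock_file_perms": {"getattr", "open", "read", "write"},
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)
ALLOW_RE = re.compile(
    r'^\s*allow\s+(?P<s>\w+)\s+(?P<t>\w+):(?P<c>\w+)\s+(?P<perms>\{[^}]*\}|\w+)\s*;'
)


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            needed[key].update(m["perms"].split())
    return dict(needed)


def to_allow_rules(needed):
    """Render grouped denials as sorted allow rules (what audit2allow would print)."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in needed.items()
    )


def expand_perms(token):
    """A literal { a b } set or a permission-set macro name -> set of perms."""
    token = token.strip()
    if token.startswith("{"):
        return set(token.strip("{}").split())
    return set(PERM_SETS.get(token, {token}))


def granted_by(policy_text):
    """Collect plain allow rules from policy text; m4 wrapper lines are ignored."""
    granted = defaultdict(set)
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            granted[(m["s"], m["t"], m["c"])].update(expand_perms(m["perms"]))
    return dict(granted)


def still_denied(needed, granted):
    """Allow rules for the denials that the given policy does not cover."""
    missing = {}
    for key, perms in needed.items():
        gap = perms - granted.get(key, set())
        if gap:
            missing[key] = gap
    return to_allow_rules(missing)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT)
    print("rules the denials call for:")
    for rule in to_allow_rules(denials):
        print("  " + rule)
    print("not covered by the commit's rule:")
    for rule in still_denied(denials, granted_by(COMMIT_RULE)):
        print("  " + rule)
```

On a live system the same check is `ausearch -m avc -c ssh` piped into `audit2allow`, then `sesearch -A -s ssh_t -t sshd_tmp_t -c sock_file` to see what the loaded policy already grants; this script only reproduces that logic offline on the constructed lines so the reasoning in the commit message can be followed without an SELinux host.
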
From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-779384-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id C5CCF138CA3
	for <garchives@archives.gentoo.org>; Wed,  4 Mar 2015 16:45:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 8E28BE08D6;
	Wed,  4 Mar 2015 16:45:10 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 3F03DE08D6
	for <gentoo-commits@lists.gentoo.org>; Wed,  4 Mar 2015 16:45:10 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id DDBF73406AE
	for <gentoo-commits@lists.gentoo.org>; Wed,  4 Mar 2015 16:45:08 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id A91AA13087
	for <gentoo-commits@lists.gentoo.org>; Wed,  4 Mar 2015 16:45:06 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1425487353.66bb200d47dcfa85b39c491171b4f3a6a4f341ed.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/ssh.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 66bb200d47dcfa85b39c491171b4f3a6a4f341ed
X-VCS-Branch: master
Date: Wed,  4 Mar 2015 16:45:06 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: b56ff0fd-abf4-42b4-870c-1383787e5e24
X-Archives-Hash: f716d66543a61653dba8d71dccf8fa04
Message-ID: <20150304164506.Pysgns3qo0k356hzPYYx62G_pSgQDnBx52iVm_tK9pw@z>

commit:     66bb200d47dcfa85b39c491171b4f3a6a4f341ed
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar  4 16:42:33 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar  4 16:42:33 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66bb200d

Support SSH agent forwarding

When using SSH agent forwarding, the SSH daemon creates the necessary
sockets somewhere in a random /tmp/ssh-* location. These sockets get the
sshd_tmp_t type associated.

Currently, the SSH client (running as ssh_t) does not have any
privileges on sshd_tmp_t *socket* files, but it has manage rights on the
*regular* files. This means that any attempt to make use of the agent
forwarding (i.e. from the logged-in server, attempt to SSH to another
server while using the SSH agent running on the user's workstation) will
fail.

By granting rw_socket_file_perms permissions to ssh_t against the
sshd_tmp_t socket files, agent forwarding is working well.

X-Gentoo-Bug: 529336
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=529336

 policy/modules/services/ssh.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 147888c..b63f585 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -358,3 +358,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
+
+ifdef(`distro_gentoo',`
+	# Fix bug #529336 - Allow ssh_t to read/write sshd_tmp_t sockets (ssh agent forwarding)
+	allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;
+')
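Review bot: the identifier in the commit message (`rw_socket_file_perms`) does not match the one in the rule (`rw_sock_file_perms`); the rule has the refpolicy macro name, so the message should be corrected so that a search for the identifier finds this change. Separately, the `ifdef(`distro_gentoo',...)` wrapper looks like the wrong scope: the commit message describes standard OpenSSH agent-forwarding behaviour (sshd creating the socket under /tmp/ssh-*), not a Gentoo-specific patch, so the rule should apply on every distribution and is a candidate for an unconditional upstream refpolicy submission, with the bug number kept in the commit message rather than in the policy comment.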