[DSE-User] SELinux on Wheezy: ssh
Arno Schuring
aelschuring at hotmail.com
Thu Feb 9 22:39:24 UTC 2012
Apart from the /run path modification, there is only one change
required for sshd: kerberos_manage_host_rcache is supposedly required
to make sure that /var/tmp/host_0 gets labeled correctly.
However, even with this change, the file is still labeled as sshd_tmp_t
instead of krb5_host_rcache_t. I remember reading somewhere that the
labeling should be done by the krb5 library, but I can't seem to find
it right now. Pointers appreciated.
Regards,
Arno
-8<--
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..dd5963f 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -14,3 +14,4 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+/run/sshd/.* gen_context(system_u:object_r:sshd_var_run_t,s0)
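Review bot: The added `/run/sshd/.*` pattern only matches paths below the directory, so `/run/sshd` itself is not covered by this entry. The `HOME_DIR/\.ssh(/.*)?` line shown in the hunk header uses the `(/.*)?` form; writing the new entry as `/run/sshd(/.*)?` would label the directory and its contents together. The `/var/run/sshd\.init\.pid` context line also has no `/run` counterpart in this hunk, which is worth adding if the pid file moved along with the directory.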
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 854c66b..c3bbe07 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.2.0)
+policy_module(ssh, 2.2.1)
########################################
#
@@ -278,6 +278,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(sshd, sshd_t)
+ kerberos_manage_host_rcache(sshd_t)
')
optional_policy(`
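Review bot: The added `kerberos_manage_host_rcache(sshd_t)` call in the `kerberos_keytab_template` block does not, by the accompanying message's own account, produce the intended label: `/var/tmp/host_0` still ends up as `sshd_tmp_t` rather than `krb5_host_rcache_t`. Before this is merged, the mechanism expected to apply the label should be identified and noted in a comment next to the call, so it is clear what this line grants and what else is needed for the label to take effect.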