commit: d9d9625aac1689fb43498015b6ac36274ad21912
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov 7 01:35:24 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d9d9625a
ssh: fix for polyinstantiation
If using polyinstantiation, sshd needs to be able to create a new tmp
directory for remote users.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/ssh.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index e386032f..96038e49 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -289,6 +289,11 @@ tunable_policy(`ssh_sysadm_login',`
userdom_signal_unpriv_users(sshd_t)
')
+tunable_policy(`allow_polyinstantiation',`
+ allow sshd_t self:capability dac_override;
+ files_relabel_generic_tmp_dirs(sshd_t)
+')
+
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
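Review bot: The `allow sshd_t self:capability dac_override;` line in the new `allow_polyinstantiation` block is undocumented and broader than the commit message justifies. The message only says sshd needs to create a new tmp directory for remote users, while dac_override lets sshd_t bypass discretionary permission checks on any file for as long as the tunable is on. Please add a comment above the rule recording which operation was denied without it, and check whether a narrower capability such as dac_read_search is enough for the polyinstantiation setup. The same comment could also note why `files_relabel_generic_tmp_dirs(sshd_t)` is required, since the message mentions creating a directory but not relabeling one.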