[policy-1.9-11] ssh-agent takes all the CPU in enforcing mode.

Russell Coker russell at coker.com.au
Wed Mar 24 12:54:36 UTC 2004


On Wed, 24 Mar 2004 21:50, Aleksey Nogin <aleksey at nogin.org> wrote:
> What I see in the logs is
>
> audit(1080124752.283:0): avc:  denied  { write } for  pid=2885
> exe=/usr/bin/ssh-agent path=/home/aleksey/.xsession-errors dev=hda2
> ino=310712 scontext=aleksey:staff_r:staff_ssh_agent_t
> tcontext=aleksey:object_r:staff_home_t tclass=file

Try using the attached ssh_agent_macros.te. Compared with the previous version it adds a rule letting $1_ssh_agent_t getattr/write/append files of type $1_home_t, which covers the denied write to ~/.xsession-errors in your log (presumably the X session points the stderr of ssh-agent at that file). Note that the rule permits writes to any $1_home_t file in the home directory, not only that log, so a dedicated type for the session log would be the tighter fix.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
#
# Macros for ssh agent
#

#
# Author:  Russell Coker <russell at coker.com.au>
#

# 
# ssh_agent_domain(domain_prefix)
#
# Define a derived domain for the ssh-agent program when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/ssh.te. 
#
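define(`ssh_agent_domain',`
# Define a derived domain for the ssh-agent program when executed
# by a user domain ($1_t).  The domain name is built from the calling
# user domain prefix and the program: $1_ssh_agent_t.
type $1_ssh_agent_t, domain, privlog;

# Transition from the user domain to the derived domain when a file
# of type ssh_agent_exec_t is executed.
domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)

# The user role is authorized for this domain.
role $1_r types $1_ssh_agent_t;

# Use file descriptors inherited from privfd domains.
allow $1_ssh_agent_t privfd:fd use;

# Write to the user domain tty and pty.
allow $1_ssh_agent_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_ssh_agent_t $1_devpts_t:chr_file rw_file_perms;

# Allow the user shell to signal the ssh-agent process.
allow $1_t $1_ssh_agent_t:process signal;
# allow ps to show ssh-agent
can_ps($1_t, $1_ssh_agent_t)

# Do not log the search of /proc; it is not needed for the agent to work.
dontaudit $1_ssh_agent_t proc_t:dir { search };

can_ypbind($1_ssh_agent_t)
ifdef(`nfs_home_dirs', `
ifdef(`automount.te', `
allow $1_ssh_agent_t autofs_t:dir { search getattr };
')
rw_dir_create_file($1_ssh_agent_t, nfs_t)
can_exec($1_ssh_agent_t, nfs_t)
')dnl end nfs_home_dirs

uses_shlib($1_ssh_agent_t)
read_locale($1_ssh_agent_t)

# Access the ssh temporary files: the agent creates its socket under
# a directory in /tmp, labelled $1_tmp_t by the transition below.
# Should we have an own type here to which only ssh, ssh-agent and
# ssh-add have access?
allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms;
allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms;

allow $1_ssh_agent_t self:process { fork sigchld setrlimit };

# access the random devices (read only)
allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;

# for ssh-add: the user domain connects to the agent socket
can_unix_connect($1_t, $1_ssh_agent_t)

# transition back to normal privs upon exec (the "ssh-agent command"
# form runs the command in the user domain)
domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t }, $1_t)
allow $1_ssh_agent_t bin_t:dir search;

# allow reading of /usr/bin/X11 (is a symlink)
allow $1_ssh_agent_t bin_t:lnk_file read;

allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;

# Let the agent write to an inherited stderr that points at a file in
# the home directory, e.g. ~/.xsession-errors.  No read access is
# granted.  NOTE: $1_home_t covers every ordinary file in the home
# directory, so this is wider than the single session log; a dedicated
# type for that log would be the tighter alternative.
allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;
allow $1_ssh_agent_t $1_home_t:file { getattr write append };

# Allow the ssh program to communicate with ssh-agent: through the
# agent socket in /tmp, directly to the agent domain, or to a socket
# owned by the user domain or by sshd (the sshd_t rule is presumably
# for agent forwarding).  Each rule is listed once.
allow $1_ssh_t $1_tmp_t:sock_file write;
allow $1_ssh_t $1_t:unix_stream_socket connectto;
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
allow $1_ssh_t sshd_t:unix_stream_socket connectto;
')dnl end ssh_agent_domain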

