On Wed, 24 Mar 2004 21:50, Aleksey Nogin <aleksey@xxxxxxxxx> wrote: > What I see in the logs is > > audit(1080124752.283:0): avc: denied { write } for pid=2885 > exe=/usr/bin/ssh-agent path=/home/aleksey/.xsession-errors dev=hda2 > ino=310712 scontext=aleksey:staff_r:staff_ssh_agent_t > tcontext=aleksey:object_r:staff_home_t tclass=file Try using the attached ssh_agent_macros.te. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
# # Macros for ssh agent # # # Author: Russell Coker <russell@xxxxxxxxxxxx> # # # ssh_agent_domain(domain_prefix) # # Define a derived domain for the ssh program when executed # by a user domain. # # The type declaration for the executable type for this program is # provided separately in domains/program/ssh.te. # define(`ssh_agent_domain',` # Define a derived domain for the ssh-agent program when executed # by a user domain. # Derived domain based on the calling user domain and the program. type $1_ssh_agent_t, domain, privlog; # Transition from the user domain to the derived domain. domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t) # The user role is authorized for this domain. role $1_r types $1_ssh_agent_t; allow $1_ssh_agent_t privfd:fd use; # Write to the user domain tty. allow $1_ssh_agent_t $1_tty_device_t:chr_file rw_file_perms; allow $1_ssh_agent_t $1_devpts_t:chr_file rw_file_perms; # Allow the user shell to signal the ssh program. allow $1_t $1_ssh_agent_t:process signal; # allow ps to show ssh can_ps($1_t, $1_ssh_agent_t) dontaudit $1_ssh_agent_t proc_t:dir { search }; can_ypbind($1_ssh_agent_t) ifdef(`nfs_home_dirs', ` ifdef(`automount.te', ` allow $1_ssh_agent_t autofs_t:dir { search getattr }; ') rw_dir_create_file($1_ssh_agent_t, nfs_t) can_exec($1_ssh_agent_t, nfs_t) ')dnl end nfs_home_dirs uses_shlib($1_ssh_agent_t) read_locale($1_ssh_agent_t) # Access the ssh temporary files. Should we have an own type here # to which only ssh, ssh-agent and ssh-add have access? allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms; file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t) allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms; allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms; allow $1_ssh_agent_t self:process { fork sigchld setrlimit }; # access the random devices allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read; # for ssh-add can_unix_connect($1_t, $1_ssh_agent_t) # transition back to normal privs upon exec domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t }, $1_t) allow $1_ssh_agent_t bin_t:dir search; # allow reading of /usr/bin/X11 (is a symlink) allow $1_ssh_agent_t bin_t:lnk_file read; allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull; allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search; allow $1_ssh_agent_t $1_home_t:file { getattr write append }; allow $1_ssh_t $1_tmp_t:sock_file write; allow $1_ssh_t $1_t:unix_stream_socket connectto; allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto; # Allow the ssh program to communicate with ssh-agent. allow $1_ssh_t $1_tmp_t:sock_file write; allow $1_ssh_t $1_t:unix_stream_socket connectto; allow $1_ssh_t sshd_t:unix_stream_socket connectto; ')dnl end if ssh_agent