As part of the libssh2 test suite, we run sshd inside mock and see that we can connect to it successfully. This entails manipulation of some file contexts in the chroot to get sshd running in sshd_t so that it can correctly assign a login context when connected to. With the latest mock (1.1.11), I found I needed the following local policy to achieve this:

# restorecon under mock needs to execute /%{_lib}/libselinux.so.*
# and read temp file for /proc/filesystems in mock selinux plugin
# and write to a mock_var_lib_t /dev/null
allow setfiles_t mock_var_lib_t:file execute;
allow setfiles_t mock_var_lib_t:chr_file write;
mock_read_lib_files(setfiles_t)
userdom_read_user_tmp_files(setfiles_t)

# Need to run sshd under mock
allow sshd_t mock_var_lib_t:file { execute getattr read open ioctl execute_no_trans };
corenet_tcp_bind_generic_port(sshd_t)
hostname_exec(sshd_t)
mock_manage_lib_chr_files(sshd_t)
mock_manage_lib_symlinks(sshd_t)
mock_search_lib(sshd_t)

I guess a bunch of these are rather too permissive to allow generally?

Paul.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
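The rules in the mail are a fragment; to load them they have to sit in a type-enforcement (.te) module. The script below is an added example, not part of Paul's mail or of the mock or libssh2 projects: it writes the rules into a module, declares the foreign types (setfiles_t, sshd_t, mock_var_lib_t) in a gen_require block, and builds it with the refpolicy development Makefile. The module name local_mock_sshd is chosen here, and the script assumes a Fedora-style selinux-policy-devel tree at /usr/share/selinux/devel whose mock.if supplies the mock_* interfaces the mail uses.

```shell
#!/bin/sh
# Added example: package the local policy from the mail as a loadable module.
# Assumptions (not from the mail): module name local_mock_sshd, refpolicy
# Makefile at /usr/share/selinux/devel/Makefile, mock.if installed.
set -e

MODULE=local_mock_sshd

# Write the .te source to the path given as $1.  Types owned by other
# modules must be declared in gen_require() before raw allow rules use them;
# the interface calls (mock_*, corenet_*, ...) pull in their own types.
write_te_module() {
    cat > "$1" <<'EOF'
policy_module(local_mock_sshd, 1.0)

gen_require(`
    type setfiles_t;
    type sshd_t;
    type mock_var_lib_t;
')

# restorecon under mock needs to execute /%{_lib}/libselinux.so.*,
# read the temp file for /proc/filesystems in the mock selinux plugin,
# and write to a mock_var_lib_t /dev/null
allow setfiles_t mock_var_lib_t:file execute;
allow setfiles_t mock_var_lib_t:chr_file write;
mock_read_lib_files(setfiles_t)
userdom_read_user_tmp_files(setfiles_t)

# Need to run sshd under mock
allow sshd_t mock_var_lib_t:file { execute getattr read open ioctl execute_no_trans };
corenet_tcp_bind_generic_port(sshd_t)
hostname_exec(sshd_t)
mock_manage_lib_chr_files(sshd_t)
mock_manage_lib_symlinks(sshd_t)
mock_search_lib(sshd_t)
EOF
}

# Compile the .te in the current directory into a .pp and load it.
# Needs selinux-policy-devel installed and root for semodule.
build_and_load() {
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
}

# After loading, list any AVC denials still produced by the test run so the
# rules can be narrowed; review the suggestions rather than pasting them in.
remaining_denials() {
    ausearch -m AVC -ts recent 2>/dev/null | audit2allow
}

if [ "${1:-}" = "install" ]; then
    write_te_module "$MODULE.te"
    build_and_load
fi
```

Run as `sh local_mock_sshd.sh install` on the build host, then run the libssh2 test suite and call remaining_denials to see what the module still does not cover. Keeping the allow rules in a separately loadable module, rather than in the base policy, is what makes it practical to drop or tighten them later, which is the concern the mail raises.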