Hi,

We are writing SELinux policy for a sftp server to run in a confined domain when an openssh sftp connection is made to it. Using ls -Z we can see the running process labeled as

    system_u:system_r:sshd_t:s0-s15:c0.c1023 root sshd: guard [priv]
    system_u:system_r:sshd_t:s0-s15:c0.c1023 guard sshd: guard@notty
    system_u:system_r:unconfined_t:s0-s15:c0.c1023 guard /usr/lib/openssh/sftpserver

with the sftpserver running in the unconfined domain rather than the confined domain sftpserver.

The sftp-server executable file is labeled as system_u:system_r:sftpserver_exec_t:s0-s15:c0.c1023 in the directory /usr/lib/openssh.

The policy module contains the following statements –

    attribute sftpserver;
    ssh_server_template(sftpserver)
    iptables_domtrans(sftpserver_t)
    type sftpserver_exec_t;
    init_daemon_domain(sftpserver_t, sftpserver_exec_t)
    allow sshd_t sftpserver_exec_t:file { getattr execute ioctl };
    corenet_tcp_connect_ssh_port(sftpserver_t)
    corenet_tcp_bind_ssh_port(sftpserver_t)
    corenet_tcp_sendrecv_ssh_port(sftpserver_t)

Is there a boolean that will block the sftpserver from running in the unconfined domain, and are there missing policy statements that will allow the sftpserver to run in the confined domain?

Thanks in advance for any feedback.

Kim
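A check for the symptom described in the message above, as an added example that is not part of the original post: it parses process labels laid out like the listing quoted in the message (label, user, command) and reports any process whose domain differs from the intended one. The `EXPECTED` map, the function names and the sample lines (constructed from the post's listing) are assumptions made for illustration.

```python
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type: str
    mls: str


def parse_context(label: str) -> Context:
    """Split user:role:type[:range]; the MLS range itself contains ':'."""
    parts = label.split(":", 3)  # at most 3 splits keeps 's0-s15:c0.c1023' whole
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {label!r}")
    mls = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], mls)


# Assumption: executable path -> domain it is intended to run in.
EXPECTED = {"/usr/lib/openssh/sftpserver": "sftpserver_t"}

# Constructed sample in the layout of the listing quoted in the post.
SAMPLE = """\
LABEL USER COMMAND
system_u:system_r:sshd_t:s0-s15:c0.c1023 root sshd: guard [priv]
system_u:system_r:sshd_t:s0-s15:c0.c1023 guard sshd: guard@notty
system_u:system_r:unconfined_t:s0-s15:c0.c1023 guard /usr/lib/openssh/sftpserver
"""


def misplaced(ps_output: str, expected=EXPECTED):
    """Return (executable, actual_type, wanted_type) for each mismatch."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)  # label, user, full command line
        if len(fields) < 3:
            continue
        label, _user, cmd = fields
        try:
            ctx = parse_context(label)
        except ValueError:
            continue  # header row or a process without a label
        exe = cmd.split()[0]
        want = expected.get(exe)
        if want is not None and ctx.type != want:
            findings.append((exe, ctx.type, want))
    return findings


if __name__ == "__main__":
    for exe, got, want in misplaced(SAMPLE):
        print(f"{exe}: running as {got}, expected {want}")
```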