On 05/27/2014 06:02 PM, Kim Lawson-Jenkins wrote:
> Hi,
>
> We are writing SELinux policy for an sftp server to run in a confined
> domain when an openssh sftp connection is made to it.
>
> Using ls -Z we can see the running process labeled as
>
>     system_u:system_r:sshd_t:s0-s15:c0.c1023        root   sshd: guard [priv]
>     system_u:system_r:sshd_t:s0-s15:c0.c1023        guard  sshd: guard@notty
>     system_u:system_r:unconfined_t:s0-s15:c0.c1023  guard  /usr/lib/openssh/sftpserver
>
> with the sftpserver running in the unconfined domain rather than the
> confined domain sftpserver. The sftp-server executable file is labeled as
>
>     system_u:system_r:sftpserver_exec_t:s0-s15:c0.c1023
>
> in the directory /usr/lib/openssh.
>
> The policy module contains the following statements:
>
>     attribute sftpserver;
>     ssh_server_template(sftpserver)
>     iptables_domtrans(sftpserver_t)
>     type sftpserver_exec_t;
>     init_daemon_domain(sftpserver_t, sftpserver_exec_t)
>     allow sshd_t sftpserver_exec_t:file { getattr execute ioctl };
>
>     corenet_tcp_connect_ssh_port(sftpserver_t)
>     corenet_tcp_bind_ssh_port(sftpserver_t)
>     corenet_tcp_sendrecv_ssh_port(sftpserver_t)
>
> Is there a boolean that will block the sftpserver from running in the
> unconfined domain, and are there missing policy statements that will
> allow the sftpserver to run in the confined domain?

This is a refpolicy-specific question and thus should go to the refpolicy
mailing list.

I would guess that sshd is explicitly setting the context when launching
the sftpserver based on your seusers and users configurations (semanage
login -l; semanage user -l) for the guard user?

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
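The reply points at the login-to-SELinux-user mapping (semanage login -l; semanage user -l) as the likely reason the sftp subsystem ends up in unconfined_t. The script below is an added example, not part of the thread and not the poster's configuration: it parses constructed sample output of those two commands and resolves a login name the way libselinux's getseuserbyname does (exact login entry first, then a %group entry, then __default__), so you can see which SELinux user and role set a given account will be given at session setup, and whether that role set includes unconfined_r. The "fixed" sample shows what the table looks like after a confining mapping such as `semanage login -a -s user_u guard`; the login names, groups and ranges are invented for the example.

```python
"""Resolve a Linux login to its SELinux user and roles from `semanage` output.

All sample output below is constructed for this example; it is not taken
from the poster's system.  The resolution order mirrors getseuserbyname():
exact login name, then "%group" for any of the user's groups, then
"__default__".
"""

# Constructed sample of `semanage login -l` on a system where every
# unmapped login falls through to unconfined_u.
SEMANAGE_LOGIN_L = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
"""

# Constructed sample after adding confining entries, e.g.
#   semanage login -a -s user_u -r s0 guard
#   semanage login -a -s user_u -r s0 %sftponly
SEMANAGE_LOGIN_L_FIXED = SEMANAGE_LOGIN_L + """\
guard                user_u               s0                   *
%sftponly            user_u               s0                   *
"""

# Constructed sample of `semanage user -l` (roles are the trailing columns).
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
"""


def parse_logins(text):
    """Map login name -> (SELinux user, MLS/MCS range) from `semanage login -l`."""
    logins = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Login":  # blank line or header
            continue
        logins[parts[0]] = (parts[1], parts[2])
    return logins


def parse_users(text):
    """Map SELinux user -> {"range": ..., "roles": set(...)} from `semanage user -l`."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("SELinux", "Labeling"):  # headers
            continue
        users[parts[0]] = {"range": parts[3], "roles": set(parts[4:])}
    return users


def resolve_login(login, groups, logins):
    """Return (matched entry, (seuser, range)) using getseuserbyname precedence."""
    if login in logins:
        return login, logins[login]
    for group in groups:
        key = "%" + group
        if key in logins:
            return key, logins[key]
    return "__default__", logins["__default__"]


def session_roles(login, groups, logins, users):
    """SELinux user the login resolves to and the roles that user may hold."""
    _, (seuser, _range) = resolve_login(login, groups, logins)
    return seuser, users[seuser]["roles"]


def lands_unconfined(login, groups, logins, users):
    """True if the login's SELinux user can hold unconfined_r at all."""
    _seuser, roles = session_roles(login, groups, logins, users)
    return "unconfined_r" in roles


if __name__ == "__main__":
    users = parse_users(SEMANAGE_USER_L)
    for label, table in (("before", SEMANAGE_LOGIN_L), ("after", SEMANAGE_LOGIN_L_FIXED)):
        logins = parse_logins(table)
        entry, (seuser, rng) = resolve_login("guard", ["guard", "sftponly"], logins)
        print(f"{label}: guard -> {entry} -> {seuser}:{rng} roles={sorted(users[seuser]['roles'])}"
              f" unconfined_r={lands_unconfined('guard', ['guard', 'sftponly'], logins, users)}")
```

If the "before" case is what your system shows, the guard session is being set up as unconfined_u with unconfined_r available, and nothing in the sftpserver module by itself will stop sshd from handing the subsystem an unconfined context; the mapping has to change first, and then the role/domain pair for the confined user must actually be reachable from sshd_t.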