Re: [PATCH] libselinux: add selinux_openssh_contexts_path()

On Thu, May 21, 2015 at 06:24:41PM +0200, Dominick Grift wrote:
> On Thu, May 21, 2015 at 06:14:22PM +0200, Petr Lautrbach wrote:
> > openssh in Fedora uses "sshd_net_t" type for privilege separated
> > processes in the preauthentication phase. Similarly, openssh portable uses
> > "sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
> > Therefore selinux_openssh_contexts_path() was created to get a path where sshd
> > can get the correct types prepared by a distribution or an administrator.
> 
> I requested this feature and I am using this feature in my personal policy. So hereby my ACK for what it is worth.
> 
> However:
> 
> That SYSTEMD_CONTEXTS though, that must have been a mistake?

As far as I am concerned this commit should be reverted:

https://github.com/SELinuxProject/selinux/commit/ce2a8848ad45e375cfdb58cebe28bc12431bb3db

I just did a grep -ri systemd_contexts in the systemd repository and nothing returned. I also cannot place that commit message.

> 
> I do not believe that this is used or that it is needed/wanted.
> 
> > 
> > Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
> > ---
> >  libselinux/include/selinux/selinux.h |  1 +
> >  libselinux/src/file_path_suffixes.h  |  1 +
> >  libselinux/src/selinux_config.c      | 12 ++++++++++--
> >  libselinux/src/selinux_internal.h    |  1 +
> >  4 files changed, 13 insertions(+), 2 deletions(-)
> > 
> > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > index d0eb5c6..4beb170 100644
> > --- a/libselinux/include/selinux/selinux.h
> > +++ b/libselinux/include/selinux/selinux.h
> > @@ -543,6 +543,7 @@ extern const char *selinux_virtual_image_context_path(void);
> >  extern const char *selinux_lxc_contexts_path(void);
> >  extern const char *selinux_x_context_path(void);
> >  extern const char *selinux_sepgsql_context_path(void);
> > +extern const char *selinux_openssh_contexts_path(void);
> >  extern const char *selinux_systemd_contexts_path(void);
> >  extern const char *selinux_contexts_path(void);
> >  extern const char *selinux_securetty_types_path(void);
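Review bot: the new exported declaration `+extern const char *selinux_openssh_contexts_path(void);` arrives without any documentation in this patch; since it joins the public selinux_*_path() family in selinux.h, it should be documented alongside the other path accessors, including what the file at that path is expected to provide (the commit message's sshd_net_t / sftp_t rationale belongs there rather than only in the log).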
> > diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
> > index 3c92424..d1f9b48 100644
> > --- a/libselinux/src/file_path_suffixes.h
> > +++ b/libselinux/src/file_path_suffixes.h
> > @@ -23,6 +23,7 @@ S_(BINPOLICY, "/policy/policy")
> >      S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
> >      S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
> >      S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
> > +    S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
> >      S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
> >      S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
> >      S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
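Review bot: the S_() list in file_path_suffixes.h is position-sensitive, so inserting `+    S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")` ahead of SYSTEMD_CONTEXTS is only correct because the #define block in selinux_config.c renumbers SYSTEMD_CONTEXTS and NEL in the same patch. Appending the new entry after the last existing S_() line and giving it the next free index would have left the existing constants untouched and made the two hunks easier to verify against each other.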
> > diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
> > index 0a80141..bec5f3b 100644
> > --- a/libselinux/src/selinux_config.c
> > +++ b/libselinux/src/selinux_config.c
> > @@ -48,8 +48,9 @@
> >  #define FILE_CONTEXT_SUBS_DIST 25
> >  #define LXC_CONTEXTS      26
> >  #define BOOLEAN_SUBS      27
> > -#define SYSTEMD_CONTEXTS  28
> > -#define NEL               29
> > +#define OPENSSH_CONTEXTS  28
> > +#define SYSTEMD_CONTEXTS  29
> > +#define NEL               30
> >  
> >  /* Part of one-time lazy init */
> >  static pthread_once_t once = PTHREAD_ONCE_INIT;
> > @@ -491,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
> >  
> >  hidden_def(selinux_lxc_contexts_path)
> >  
> > +const char *selinux_openssh_contexts_path(void)
> > +{
> > +    return get_path(OPENSSH_CONTEXTS);
> > +}
> > +
> > +hidden_def(selinux_openssh_contexts_path)
> > +
> >  const char *selinux_systemd_contexts_path(void)
> >  {
> >  	return get_path(SYSTEMD_CONTEXTS);
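Review bot: the body of the new function, `+    return get_path(OPENSSH_CONTEXTS);`, is indented with four spaces, while the neighbouring selinux_systemd_contexts_path() body in the trailing context uses a tab; match the file's existing tab indentation before merging.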
> > diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> > index 0abf1b4..844e408 100644
> > --- a/libselinux/src/selinux_internal.h
> > +++ b/libselinux/src/selinux_internal.h
> > @@ -83,6 +83,7 @@ hidden_proto(selinux_mkload_policy)
> >      hidden_proto(selinux_media_context_path)
> >      hidden_proto(selinux_x_context_path)
> >      hidden_proto(selinux_sepgsql_context_path)
> > +    hidden_proto(selinux_openssh_contexts_path)
> >      hidden_proto(selinux_systemd_contexts_path)
> >      hidden_proto(selinux_path)
> >      hidden_proto(selinux_check_passwd_access)
> > -- 
> > 2.4.1
> > 
> > _______________________________________________
> > Selinux mailing list
> > Selinux@xxxxxxxxxxxxx
> > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
> 
> -- 
> 02DFF788
> 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
> Dominick Grift



-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
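The consumer side of the new path, as an added example that is not part of the patch, of libselinux or of openssh: a small C parser for the file that selinux_openssh_contexts_path() would locate. The key=value layout, the key names privsep_preauth and sftp, and the function names used here are assumptions of this example; the type names sshd_net_t and sftp_t are the ones the commit message mentions. It illustrates the point of the message, namely that the type comes from a file prepared by the distribution or administrator, with the previously hardcoded type kept only as the fallback, and it rejects malformed values instead of passing them on. The file contents are embedded as a constructed string so the example runs without libselinux; real code would read the path returned by selinux_openssh_contexts_path().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of the file selinux_openssh_contexts_path() would point
 * at.  The key=value layout is an assumption; the patch only defines the path. */
static const char sample_openssh_contexts[] =
    "# constructed sample: <policy root>/contexts/openssh_contexts\n"
    "privsep_preauth=sshd_net_t\n"
    "\n"
    "sftp = sftp_t\n"
    "bogus=not valid\n";

/* Accept only letters, digits and '_' (enough for the types named in the
 * thread), so a damaged file cannot smuggle separators into a context string. */
static int valid_type_name(const char *s, size_t n)
{
    if (n == 0)
        return 0;
    for (; n > 0; n--, s++)
        if (!isalnum((unsigned char)*s) && *s != '_')
            return 0;
    return 1;
}

/* Look up `key` in a contexts file held in memory.  Copies the type into `out`
 * and returns 1; returns 0 and leaves `out` untouched when the key is absent
 * or its value is malformed, so the caller falls back to its built-in default. */
int openssh_context_lookup(const char *contents, const char *key,
                           char *out, size_t outlen)
{
    size_t keylen = strlen(key);
    const char *line = contents;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        const char *p = line;
        while (p < end && isspace((unsigned char)*p))
            p++;
        /* blank lines and '#' comments are skipped; the key must match whole */
        if (p < end && *p != '#' && (size_t)(end - p) > keylen &&
            strncmp(p, key, keylen) == 0) {
            const char *q = p + keylen;
            while (q < end && isspace((unsigned char)*q))
                q++;
            if (q < end && *q == '=') {
                size_t vlen;
                q++;
                while (q < end && isspace((unsigned char)*q))
                    q++;
                vlen = (size_t)(end - q);
                while (vlen > 0 && isspace((unsigned char)q[vlen - 1]))
                    vlen--;
                /* reject empty, oversized or non-identifier values */
                if (vlen >= outlen || !valid_type_name(q, vlen))
                    return 0;
                memcpy(out, q, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Resolve `key`, falling back to `fallback` (the formerly hardcoded type) when
 * the file is absent (contents == NULL) or gives no usable value. */
const char *openssh_context_or_default(const char *contents, const char *key,
                                       const char *fallback,
                                       char *buf, size_t buflen)
{
    if (contents != NULL && openssh_context_lookup(contents, key, buf, buflen))
        return buf;
    return fallback;
}

/* Check helper: 1 if `key` resolves to exactly `expected`. */
int openssh_context_matches(const char *contents, const char *key,
                            const char *expected)
{
    char buf[64];
    return openssh_context_lookup(contents, key, buf, sizeof buf) &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[64];
    printf("privsep_preauth -> %s\n",
           openssh_context_or_default(sample_openssh_contexts,
                                      "privsep_preauth", "sshd_net_t",
                                      buf, sizeof buf));
    printf("bogus -> %s\n", openssh_context_or_default(sample_openssh_contexts,
                                      "bogus", "(none)", buf, sizeof buf));
    return 0;
}
```

The lookup deliberately returns failure for a value it cannot vouch for (`bogus=not valid` above) instead of returning a partial string, so a typo or tampering in the contexts file degrades to the built-in type rather than to an unexpected transition.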
