author | Kenton Groombridge <concord@gentoo.org> | 2024-05-06 15:53:46 -0400
---|---|---
committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:41:31 -0400
commit | b2ceb53d4b7b1df545f740ae9b4ed2e77f640dca
tree | 6d2e82b4e43a696ff6587a6441a4894fd0c2d2b7
parent | files context for merged-usr profile on gentoo
init: allow systemd to use sshd pidfds
Without this, a lengthy 2-minute delay can be observed when SSHing into a
system while pam_systemd tries to create a login session.
May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out
type=AVC msg=audit(1715019897.540:13855): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/services/ssh.if | 19
-rw-r--r-- | policy/modules/system/init.te | 4
2 files changed, 23 insertions, 0 deletions
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index dcbabf6b0..4b5fd5d33 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -537,6 +537,25 @@ interface(`ssh_signull',` ######################################## ## <summary> +## Use PIDFD file descriptors from the +## ssh server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_use_sshd_pidfds',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:fd use; +') + +######################################## +## <summary> ## Read a ssh server unnamed pipe. ## </summary> ## <param name="domain"> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 8f3772dcb..03d0de8ed 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -631,6 +631,10 @@ ifdef(`init_systemd',` ') optional_policy(` + ssh_use_sshd_pidfds(init_t) + ') + + optional_policy(` # for systemd --user: unconfined_search_keys(init_t) unconfined_create_keys(init_t) |
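Review bot: in the ssh.if hunk, the interface name `ssh_use_sshd_pidfds` and its summary promise PIDFD-only access, but the rule `allow $1 sshd_t:fd use;` grants use of every file descriptor sshd_t creates, because the SELinux fd class cannot tell a pidfd apart from any other descriptor. Either state that in the <summary> (for example "Inherit and use file descriptors, such as pidfds, from the ssh server") or pick a name that reflects the broader grant, so later callers do not assume a narrower permission than they actually receive.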
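Review bot: in the init.te hunk, the new optional_policy block carries no comment explaining why init_t needs sshd's descriptors, unlike the neighbouring `# for systemd --user:` block; a one-line comment such as `# pam_systemd session setup hands systemd a pidfd from sshd` would keep the rationale from the commit message next to the rule. Placement inside the `ifdef(\`init_systemd'` block is right, since only systemd consumes these pidfds, and the separate optional_policy wrapper correctly tolerates the ssh module being absent.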