I am having some problems with ssh: ssh works fine as long as I just call a shell. However, when ssh is called like "ssh host command" it doesn't allocate a pty. See the comment in domains/program/ssh.te:

    # inheriting stream sockets is needed for "ssh host command" as no pty
    # is allocated
    allow unpriv_userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;

This works for userdomains but breaks horribly when transitioning to another domain. We use ssh for remote system administration here, so to this date I had to add permissions to the following domains to access the unix_stream_socket of sshd_t and send sigchld to sshd_t:

    dmesg_t
    hostname_t
    checkpolicy_t
    load_policy_t
    restorecon_t
    mount_t
    setfiles_t
    ldconfig_t
    sysadm_gpg_t
    bootloader_t
    user_ssh_agent_t
    rpm_t

More are probably needed.

I am not sure what the right way is to handle this problem, so I'm asking here. Is it possible to just always allocate a pty? That seems to be the most correct solution. I wouldn't like to give every domain which can be called by a user access to sshd_t:unix_stream_socket.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
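A small diagnostic, added here and not part of the message above, that shows the mechanism behind the denials: when "ssh host command" runs without a pty, the command's descriptors 0..2 are sshd's stream sockets, and any domain the command transitions to then needs the sshd_t:unix_stream_socket permissions; with a pty ("ssh -t") they are /dev/pts entries instead. It assumes a Linux /proc; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original message. Run it as the remote command
# ("ssh host sh script.sh" versus "ssh -t host sh script.sh") to see which
# kind of object each inherited descriptor is.

# classify_fd_target LINKTARGET -> prints socket|pipe|pty|file|other,
# LINKTARGET being what readlink returns for /proc/<pid>/fd/<n>
classify_fd_target() {
    case "$1" in
        socket:*)              echo socket ;;
        pipe:*)                echo pipe ;;
        /dev/pts/*|/dev/tty*)  echo pty ;;
        /*)                    echo file ;;
        *)                     echo other ;;
    esac
}

# report_fds: one line per descriptor 0..2 of this shell ($$, so the
# classification is not disturbed by the command substitution's own pipe),
# e.g. "0 socket socket:[12345]"
report_fds() {
    for fd in 0 1 2; do
        target=$(readlink "/proc/$$/fd/$fd" 2>/dev/null) || target=unknown
        echo "$fd $(classify_fd_target "$target") $target"
    done
}

# needs_sshd_socket_perms: exit 0 when any of fd 0..2 is a socket, i.e. the
# no-pty case in which the target domain needs access to sshd's socket and
# the sigchld rule; exit 1 otherwise
needs_sshd_socket_perms() {
    report_fds | awk '$2 == "socket" { found = 1 } END { exit found ? 0 : 1 }'
}

report_fds
if needs_sshd_socket_perms; then
    echo "no pty: inherited sshd stream sockets, extra policy needed"
else
    echo "pty or other descriptors: no sshd_t socket access required"
fi
```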