commit: 66bb200d47dcfa85b39c491171b4f3a6a4f341ed
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 4 16:42:33 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar 4 16:42:33 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66bb200d
Support SSH agent forwarding When using SSH agent forwarding, the SSH daemon creates the necessary sockets somewhere in a random /tmp/ssh-* location. These sockets get the sshd_tmp_t type associated. Currently, the SSH client (running as ssh_t) does not have any privileges on sshd_tmp_t *socket* files, but it has manage rights on the *regular* files. This means that any attempt to make use of the agent forwarding (i.e. from the logged-in server, attempt to SSH to another server while using the SSH agent running on the users' workstation) will fail. By granting rw_socket_file_perms permissions to ssh_t against the sshd_tmp_t socket files, agent forwarding is working well. X-Gentoo-Bug: 529336 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=529336 policy/modules/services/ssh.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 147888c..b63f585 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -358,3 +358,8 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') + +ifdef(`distro_gentoo',` + # Fix bug #529336 - Allow ssh_t to read/write sshd_tmp_t sockets (ssh agent forwarding) + allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms; +')
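Review bot: the allow rule in the added `ifdef(`distro_gentoo'` block uses the permission set `rw_sock_file_perms`, while the commit message calls it `rw_socket_file_perms`; the spelling in the hunk is the refpolicy macro, so the commit message should be corrected to match it. The new block is also appended at the end of the file, directly after the `udev_read_db(ssh_keygen_t)` optional_policy for the keygen domain, rather than next to the other `ssh_t` rules; moving it into the ssh client section would keep the file's per-domain grouping. Finally, `allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;` grants read/write on every socket file labelled sshd_tmp_t, not only the forwarded-agent socket of the caller's own session; that is what the bug needs, but the comment should say so, since the grant is broader than the single per-session socket the message describes.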