From fccee972a96787e1a318a2e5e4fe6b6f6b26a7e2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 8 Jan 2025 18:04:38 +0100
Subject: [PATCH 1/3] Allow ssh generator work with systemd unit files
Resolves: RHEL-72549
---
 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 25e4a5cd12..29af776d1e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1293,6 +1293,7 @@ init_exec_script_files(systemd_rc_local_generator_t)
 ### ssh generator
 allow systemd_ssh_generator_t self:vsock_socket create;
 allow systemd_ssh_generator_t vsock_device_t:chr_file { read_chr_file_perms };
+allow systemd_ssh_generator_t systemd_unit_file_t:file { create_file_perms rw_file_perms };
 kernel_read_sysctl(systemd_ssh_generator_t)
From 043d5093defbd0cd4f1fa0eff0a737afa2e3d5e3 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Sat, 9 Nov 2024 00:42:31 +0100
Subject: [PATCH 2/3] Support ssh connections via systemd-ssh-generator
The commit addresses the following AVC denial:
type=AVC msg=audit(1730885285.653:214): avc: denied { read write } for pid=1191 comm="sshd" path="socket:[11153]" dev="sockfs" ino=11153 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=0
Command which triggers the denial:
ssh -o "StrictHostKeyChecking no" root@qemu:system/guest
Resolves: RHEL-72549
---
 policy/modules/services/ssh.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 0ab8ad12bd..e4902e3911 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
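Review bot: The new rule gives systemd_ssh_generator_t create, read and write on every file of type systemd_unit_file_t; if, as the type name suggests, that label also covers the installed units under the unit directories and not only the generator output under /run/systemd/generator*, the generator can rewrite arbitrary unit files rather than just drop its own, which is more than a generator should hold. If only the output directory is meant, scope the access (a dedicated type for the generator directories, or at least a comment stating why rw on installed units is acceptable), e.g. `# ssh generator writes its listener units into /run/systemd/generator*, which shares systemd_unit_file_t with installed units`. Creating files there also needs `{ add_name write search }` on the parent directory (and lnk_file create if .wants/ symlinks are placed); the hunk does not show those, so presumably they are granted elsewhere or will surface as further denials — worth confirming before the series lands.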
@@ -320,6 +320,7 @@ optional_policy(`
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
 allow sshd_t self:process setcurrent;
+allow sshd_t self:vsock_socket rw_socket_perms;
 allow sshd_t sshd_keytab_t:file read_file_perms;
@@ -642,6 +643,8 @@ logging_send_audit_msgs(sshd_sandbox_t)
 # sshd [net] child local policy
 #
+allow sshd_net_t sshd_t:vsock_socket rw_socket_perms;
+
 allow sshd_t sshd_net_t:process signal;
 allow sshd_net_t self:process setrlimit;
From 7808e39279a343898ee4b14be6a4a9b22f6487a5 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 8 Jan 2025 19:08:09 +0100
Subject: [PATCH 3/3] Allow init create vsock socket for sshd
Resolves: RHEL-72549
---
 policy/modules/services/ssh.if | 18 ++++++++++++++++++
 policy/modules/system/init.te | 1 +
 2 files changed, 19 insertions(+)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 133932f136..0e7e730f6a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -1166,3 +1166,21 @@ interface(`ssh_getattr_unit_file',`
 systemd_search_unit_dirs($1)
 allow $1 sshd_unit_file_t:file getattr_file_perms;
 ')
+ ####################################### ## ## Allow caller to create vsock socket for sshd ## ## ## ## Domain allowed access. ## ## # interface(`ssh_create_vsock_socket',` gen_require(` type sshd_t; ') allow $1 sshd_t:vsock_socket create_stream_socket_perms; ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index eb8758c98f..4c4d3f9317 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -854,6 +854,7 @@ optional_policy(`
 optional_policy(`
 ssh_getattr_server_keys(init_t)
+ ssh_create_vsock_socket(init_t)
 ')
 optional_policy(`
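Review bot: `rw_socket_perms` on the new `sshd_t self:vsock_socket` rule (and on the `sshd_net_t sshd_t:vsock_socket` rule in the second hunk) is wider than the denial quoted in the commit message, which asks only for `{ read write }` on a connection sshd inherited from socket activation; the macro additionally grants bind, connect, setattr, setopt, append and shutdown. For a descriptor handed over by init, bind and connect should never be exercised, so a least-privilege set such as `allow sshd_t self:vsock_socket { read write getattr getopt setopt shutdown };` would cover what an accepted connection plausibly needs while keeping sshd from originating vsock connections under its own label; whether setopt/shutdown are actually hit should be confirmed in permissive mode rather than assumed. If the broader macro is kept deliberately, add `# vsock connection inherited from systemd socket activation (systemd-ssh-generator)` above the rule so the reason sshd owns a vsock socket at all is recorded next to the grant.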
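Review bot: `create_stream_socket_perms` in the new `ssh_create_vsock_socket` interface grants not only create/bind/listen/accept but also read, write, connect and shutdown on sockets labeled sshd_t, so any caller could also talk over the sshd listener rather than merely set it up; init_t is the only caller in this series, and for socket activation it needs create, bind, listen (accept with Accept=yes) plus getattr/setopt, so either narrow the set or state in the interface doc that the wider set is intended. The doc block as shown has no `<summary>`/`<param name="domain">` XML tags around the description and parameter text that the surrounding refpolicy interfaces use; if that is not a rendering artifact, the policy documentation generator will not pick the interface up, so wrap the description in `## <summary>` / `## </summary>` and the parameter text in `## <param name="domain">` / `## </param>`. The summary should also say where the label comes from, e.g. `## Allow caller to create and listen on vsock sockets labeled sshd_t, as init does when socket-activating sshd.`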