From 4cffc71d22d406c918f80acce1f2fb13e007b743 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova
Date: Wed, 19 Jul 2023 13:48:09 +0200
Subject: [PATCH] Boolean: Allow virt_qemu_ga create ssh directory

Add interface ssh_create_home_dirs to allow domain to create .ssh directory and set attributes.

Allow virt_qemu_ga create ssh directory in tunable boolean

SSH key could be added to VM, but the .ssh directory cannot be created by VM after creating new user.

Addresses the following denial:

type=PROCTITLE msg=audit(07/19/2023 10:39:00.319:191) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --block-rpcs=guest-file-open,guest-file-
type=SYSCALL msg=audit(07/19/2023 10:39:00.319:191) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x565274901da0 a1=0700 a2=0x0 a3=0x0 items=0 ppid=1 pid=1050 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/19/2023 10:39:00.319:191) : avc: denied { create } for pid=1050 comm=qemu-ga name=.ssh scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=0

Resolves: rhbz#2181402
---
 policy/modules/contrib/virt.te |  1 +
 policy/modules/services/ssh.if | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b2e42fe3d2..9968daf0be 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1842,6 +1842,7 @@ optional_policy(`
 	tunable_policy(`virt_qemu_ga_manage_ssh',`
 		allow virt_qemu_ga_t self:capability { chown dac_override dac_read_search fowner fsetid };
+		ssh_create_home_dirs(virt_qemu_ga_t)
 		ssh_manage_home_files(virt_qemu_ga_t)
 	')
 ')
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 474a60d4b1..5e7f8557a6 100644
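Review bot: The boolean's documented scope is probably now out of date: the `gen_tunable(virt_qemu_ga_manage_ssh, ...)` description lives outside this hunk, and if it only speaks of managing SSH keys it should also say the agent may create and change the mode/ownership of users' `.ssh` directories, which is what `ssh_create_home_dirs(virt_qemu_ga_t)` adds on top of the `dac_override`/`fowner`/`fsetid` capabilities granted on the line above. Keeping the new grant inside the tunable rather than unconditional is appropriate. The enclosing `optional_policy` block begins outside this hunk.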
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -908,6 +908,25 @@ interface(`ssh_manage_home_files',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+##
+##	Create ssh home directory.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`ssh_create_home_dirs',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	allow $1 ssh_home_t:dir create_dir_perms;
+	setattr_dirs_pattern($1, ssh_home_t, ssh_home_t)
+')
+
 #######################################
 ##
 ##	Delete from the ssh temp files.
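Review bot: `ssh_create_home_dirs` grants only `create` and `setattr` on the `ssh_home_t` directory itself, but the denied `mkdir` of `name=.ssh` in the commit message happens inside a user's home directory, which additionally requires `{ write add_name }` on the parent home-directory type; nothing in this patch grants that, so unless the caller already has it from another interface the next denial will likely land on the parent directory instead. The AVC's `tcontext=ssh_home_t` suggests a named type transition for `.ssh` is already in effect for the caller, so the missing piece is the parent access rather than the transition; consider making the interface self-contained with `userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")` (plus the admin-home equivalent if root's home is in scope), or state in the interface documentation that callers must supply parent-directory access themselves. The summary `Create ssh home directory.` also undersells the grant, since `setattr_dirs_pattern` lets the domain change mode and ownership of existing `.ssh` directories; `Create the ssh home directory and set its attributes.` would describe it accurately.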