Refactor #8256

open

Foreman should transition to ssh_t domain

Added by Lukas Zapletal over 9 years ago. Updated over 9 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Instead of

optional_policy(`
    tunable_policy(`passenger_can_spawn_ssh',`
        require {
            class process { getcap setcap };
        }
        allow passenger_t self:process { getcap setcap };

        ssh_exec(passenger_t)
        ssh_read_user_home_files(passenger_t)
    ')
')


We should do something like:

optional_policy(`
    tunable_policy(`passenger_can_spawn_ssh',`
        ssh_domtrans(passenger_t)
        #ssh_read_user_home_files(passenger_t) # won't likely be needed either
    ')
')

#1

Updated by Lukas Zapletal over 9 years ago

This needs to be tested though; I am not entirely sure if we spawn the ssh binary in all cases.
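
One way to run the test the comment asks for, as an added example that is not part of the issue or of Foreman's policy: with `ssh_exec` the ssh process stays in `passenger_t`, while with `ssh_domtrans` it should move to `ssh_t`. The script checks both the policy rule and the running processes; the function names are hypothetical and the sample `sesearch` and `ps` output is constructed.

```shell
#!/bin/sh
# Added example: decide from sesearch and ps output whether ssh started by
# passenger_t leaves that domain. On a live host, feed the functions with:
#   sesearch -T -s passenger_t -t ssh_exec_t -c process
#   ps -eo label,comm

# stdin: sesearch -T output. Prints the target domain of the
# passenger_t -> ssh_exec_t process transition, or nothing if no rule exists.
transition_target() {
    awk '$1 == "type_transition" && $2 == "passenger_t" &&
         $3 == "ssh_exec_t:process" { sub(/;$/, "", $4); print $4; exit }'
}

# stdin: ps -eo label,comm output. Prints the SELinux type (third
# colon-separated field of the label) of every process named ssh.
ssh_process_types() {
    awk '$2 == "ssh" { split($1, f, ":"); print f[3] }' | sort -u
}

# $1 = sesearch output, $2 = ps output.
# Succeeds only if a transition to ssh_t exists and no ssh runs as passenger_t.
verify_domtrans() {
    [ "$(printf '%s\n' "$1" | transition_target)" = "ssh_t" ] || return 1
    ! printf '%s\n' "$2" | ssh_process_types | grep -qx 'passenger_t'
}

# Constructed sample: rule expected once ssh_domtrans(passenger_t) is loaded
# and the passenger_can_spawn_ssh boolean is on.
RULES_AFTER='type_transition passenger_t ssh_exec_t:process ssh_t; [ passenger_can_spawn_ssh ]:True'

# Constructed sample: process list under the current ssh_exec() policy,
# where ssh keeps running in the caller domain.
PS_BEFORE='LABEL COMMAND
system_u:system_r:passenger_t:s0 ruby
system_u:system_r:passenger_t:s0 ssh'

# Constructed sample: process list once the transition is taken.
PS_AFTER='LABEL COMMAND
system_u:system_r:passenger_t:s0 ruby
system_u:system_r:ssh_t:s0 ssh'

if verify_domtrans "$RULES_AFTER" "$PS_AFTER"; then
    echo "OK: ssh spawned from passenger_t runs in ssh_t"
else
    echo "FAIL: ssh still runs in passenger_t or no transition rule found"
fi
```

A process list showing ssh in `passenger_t` after the policy change points to a code path that does not go through the labelled ssh binary, which is the case the comment is unsure about.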
