author: Kenton Groombridge <concord@gentoo.org> 2024-07-05 14:47:47 -0400
committer: Jason Zaman <perfinion@gentoo.org> 2024-09-21 15:28:29 -0700
commit: 1ef1ca2342e7a0cab4716ff54ccde983146f9865
tree: 6bbf88ecab27349d710c099d98b05a7849ef6a69
parent: Setting bluetooth helper domain for bluetoothctl

sshd: label sshd-session as sshd_exec_t

OpenSSH 9.8 splits out much of the session code from the main sshd binary into a new sshd-session binary. Allow the sshd server to execute this binary by labeling it as sshd_exec_t.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>

-rw-r--r-- policy/modules/services/ssh.fc | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 5c512e97..a30d01af 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -8,6 +8,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+/usr/lib/misc/sshd-session -- gen_context(system_u:object_r:sshd_exec_t,s0)
/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
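
Review bot: The added sshd-session entry matches only /usr/lib/misc/, while the ssh-keysign entries directly below it cover both /usr/lib/openssh/ and /usr/lib/ssh/, so a layout that installs the OpenSSH helpers under either of those directories would not get sshd_exec_t on sshd-session from this file. If the policy is meant to cover those layouts, add matching sshd-session lines for them next to this one; if /usr/lib/misc/ is intentionally the only supported location, a short comment above the entry saying so would help. Because this is a file-context change, an already-installed binary only picks up the new label after a relabel (for example restorecon on the path), which would be worth a line in the commit message.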