commit:     3303ae8a309b91c8d0a0b3124be8d65475d4fdf8
Author:     Fiona Klute <fiona.klute <AT> gmx <DOT> de>
AuthorDate: Sat Oct 11 13:40:07 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 16 00:22:34 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3303ae8a

ssh: set file context for default locations of split binaries

The upstream default install location for sshd-auth, sshd-session, and
ssh-keysign is /usr/libexec (see [1]). Add those paths to the module
so they are labeled correctly.

[1] https://github.com/openssh/openssh-portable/blob/b6fd0e6d085ef519982c968b57fbaa9e509e1a3a/pathnames.h

Signed-off-by: Fiona Klute <fiona.klute <AT> gmx.de>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ssh.fc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index bf47884f5..c36f27498 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -8,6 +8,9 @@ HOME_DIR/\.ssh(/.*)?                    
gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/bin/ssh-keygen            --      
gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 /usr/bin/sshd                  --      
gen_context(system_u:object_r:sshd_exec_t,s0)
 
+/usr/libexec/ssh-keysign       --      
gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/libexec/sshd-auth         --      
gen_context(system_u:object_r:sshd_exec_t,s0)
+/usr/libexec/sshd-session      --      
gen_context(system_u:object_r:sshd_exec_t,s0)
 /usr/lib/misc/sshd-auth                --      
gen_context(system_u:object_r:sshd_exec_t,s0)
 /usr/lib/misc/sshd-session     --      
gen_context(system_u:object_r:sshd_exec_t,s0)
 /usr/lib/openssh/ssh-keysign   --      
gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
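
Review bot: The three new /usr/libexec entries are inserted ahead of the existing /usr/lib/misc and /usr/lib/openssh lines, which breaks the path ordering the surrounding context follows (/usr/bin, then /usr/lib/...). Consider placing them below the /usr/lib/... entries, or adding a one-line comment that marks them as the upstream default locations as opposed to the distribution-specific paths already listed. The labels are consistent with the existing entries for the same binaries (sshd_exec_t for sshd-auth and sshd-session, ssh_keysign_exec_t for ssh-keysign). The commit message could also note that binaries already installed under /usr/libexec keep their previous label until they are relabeled.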
