Initial commit.

.github/workflows/build.yml

@@ -0,0 +1,33 @@
+name: Build RPM
+on:
+  push:
+    paths:
+      - 'policy/**'
+  workflow_dispatch:
+
+env:
+  POLICY_NAME: ssh_daemon
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container:
+      image: rockylinux:9-minimal
+    steps:
+    - name: Install prerequirements
+      run: microdnf install -y selinux-policy-devel tar findutils rpm-build
+    - name: Check out repository code
+      uses: actions/checkout@v4
+    - name: Build SELinux policy
+      working-directory: ./policy
+      run: make -f /usr/share/selinux/devel/Makefile ${POLICY_NAME}.pp
+    - name: Build RPM
+      working-directory: ./policy
+      run: |
+        pwd=$(pwd)
+        rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba ${POLICY_NAME}_selinux.spec
+    - name: Upload artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: Binary RPM
+        path: ./policy/noarch/*.rpm

.github/workflows/publish.yml

@@ -0,0 +1,132 @@
+name: Publish package
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+env:
+  POLICY_NAME: ssh_daemon
+  RPM_ARTIFACT_NAME: rpm_artifact
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container:
+      image: rockylinux:9-minimal
+    steps:
+    - name: Install prerequirements for build
+      run: microdnf install -y selinux-policy-devel rpm-build rpm-sign
+    - name: Check out repository code
+      uses: actions/checkout@v4
+    - name: Build SELinux policy
+      working-directory: ./policy
+      run: make -f /usr/share/selinux/devel/Makefile ${POLICY_NAME}.pp
+    - name: Build RPM
+      working-directory: ./policy
+      run: |
+        pwd=$(pwd)
+        rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}/packages" --define "_buildrootdir ${pwd}/.build" -ba ${POLICY_NAME}_selinux.spec
+        rpm_path=$(find ${pwd}/packages -type f -name "*.rpm" -print0 | head -z)
+        echo "rpm_path=${rpm_path}" >> "$GITHUB_ENV"
+    - name: Import GPG key
+      id: import_gpg
+      uses: crazy-max/ghaction-import-gpg@v6
+      with:
+        gpg_private_key: ${{ secrets.SIGN_SECRET }}
+    - name: Sign RPM
+      run: |
+        export GPG_TTY=$(tty)
+        gpg --list-keys --with-subkey-fingerprints
+        rpm --define "%_signature gpg" --define "%_gpg_name ${{ steps.import_gpg.outputs.fingerprint }}" --addsign ${rpm_path}
+    - name: Archive RPM
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{ env.RPM_ARTIFACT_NAME }}
+        path: ${{ env.rpm_path }}
+        retention-days: 1
+  list-releases:
+    runs-on: ubuntu-latest
+    steps:
+    - name: List release ids
+      uses: actions/github-script@v6
+      id: get-release-id-list
+      with:
+        script: |
+          const resp = await github.rest.repos.listReleases({
+              owner: context.repo.owner,
+              repo: context.repo.repo
+          });
+          return resp.data.map((release) => release.id);
+    - name: Print list release
+      run: echo "${{ steps.get-release-id-list.outputs.result }}"
+  fetch-previous-rpms:
+    needs: list-releases
+    if: ${{ needs.get-release-id-list.outputs.result != '[]' && needs.get-release-id-list.outputs.result != '' }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        release-id: ${{ fromJson(needs.get-release-id-list.outputs.result) }}
+    steps:
+    - uses: robinraju/[email protected]
+      with:
+        releaseId: ${{ matrix.release-id }}
+        out-file-path: .
+    - name: Archive previous RPM
+      uses: actions/upload-artifact@v3
+      with:
+        name: "previous_${{ matrix.release-id }}"
+        path: ./*.rpm
+        retention-days: 1
+  create-release:
+    needs: [build, fetch-previous-rpms]
+    if: ${{ !cancelled() && !failure() && startsWith(github.ref, 'refs/tags/') }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+    - uses: actions/download-artifact@v3
+      with:
+        name: ${{ env.RPM_ARTIFACT_NAME }}
+        path: .
+    - name: Create release
+      uses: softprops/action-gh-release@v1
+      with:
+        files: ./*.rpm
+  create-rpm-repo:
+    needs: [build, fetch-previous-rpms]
+    if: ${{ !cancelled() && !failure() }}
+    runs-on: ubuntu-latest
+    container:
+      image: rockylinux:9-minimal
+    steps:
+    - name: Install prerequirements for publish
+      run: microdnf install -y findutils createrepo_c tar
+    - name: Download new RPM
+      uses: actions/download-artifact@v3
+      with:
+        path: ./artifacts
+    - name: Display structure of downloaded files
+      run: ls -R
+    - name: Reorganize RPMs
+      run: |
+        mkdir -p ./repo/packages
+        find ./artifacts -name "*.rpm" -type f -print0 | xargs -0 mv -t ./repo/packages
+    - name: Crate RPM repository
+      run: |
+        pwd=$(pwd)
+        createrepo_c --repo "SELinux policy module to run ssh as a daemon" -v ${pwd}/repo/
+    - name: Upload artifacts to GitHub Pages
+      uses: actions/upload-pages-artifact@v2
+      with:
+        path: "repo/"
+  publish-rpm-repo:
+    needs: create-rpm-repo
+    if: ${{ !cancelled() && !failure() }}
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+    steps:
+      - uses: actions/deploy-pages@v2

README.md

@@ -0,0 +1,41 @@
+# SELinux policy module to run ssh as a daemon
+
+Installing this policy allows ssh (not sshd) to run as a daemon. This is useful, for example, when using a SOCKS Proxy with ssh as a daemon.
+
+## Requirements
+
+- Distribution : Rocky Linux 9
+
+I believe it works in other environments as well. I would like information on confirmation that it works.
+
+## Installation
+
+### Step. 1 : Add DNF repository
+
+Execute the following command as root
+
+```sh
+dnf config-manager --add-repo https://raw.githubusercontent.com/Mine02C4/ssh_daemon_selinux/main/repo/flexnet_selinux.repo
+```
+
+If you want to import GPG keys in advance, execute the following command. (Optional)
+
+```sh
+rpm --import https://raw.githubusercontent.com/Mine02C4/ssh_daemon_selinux/main/signature/public.gpg
+```
+
+### Step. 2 : Install package
+
+Execute the following command as root
+
+```sh
+dnf install flexnet_selinux
+```
+
+If you run the command for the first time without importing the GPG key, the fingerprint of the GPG key will be confirmed. Please check if it matches the following.
+
+```
+Userid     : "NIWA Naoya (ssh_daemon_selinux) <[email protected]>"
+Fingerprint: ABCB BA2A 5C19 7F24 1C6D  0AF5 4C2C 05FE 51E5 7A2F
+From       : https://raw.githubusercontent.com/Mine02C4/ssh_daemon_selinux/main/signature/public.gpg
+```

policy/.gitignore

@@ -0,0 +1,3 @@
+/*.pp
+/tmp
+*.rpm

policy/ssh_daemon.if

@@ -0,0 +1 @@
+## <summary>policy for ssh_daemon</summary>

policy/ssh_daemon.sh

@@ -0,0 +1,48 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+	if [ "$1" = "--update" ] ; then
+		time=`ls -l --time-style="+%x %X" ssh_daemon.te | awk '{ printf "%s %s", $6, $7 }'`
+		rules=`ausearch --start $time -m avc --raw -se ssh_daemon`
+		if [ x"$rules" != "x" ] ; then
+			echo "Found avc's to update policy with"
+			echo -e "$rules" | audit2allow -R
+			echo "Do you want these changes added to policy [y/n]?"
+			read ANS
+			if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+				echo "Updating policy"
+				echo -e "$rules" | audit2allow -R >> ssh_daemon.te
+				# Fall though and rebuild policy
+			else
+				exit 0
+			fi
+		else
+			echo "No new avcs found"
+			exit 0
+		fi
+	else
+		echo -e $USAGE
+		exit 1
+	fi
+elif [ $# -ge 2 ] ; then
+	echo -e $USAGE
+	exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile ssh_daemon.pp || exit
+/usr/sbin/semodule -i ssh_daemon.pp
+
+# Generate a rpm package for the newly generated policy
+
+pwd=$(pwd)
+rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build"  -ba ssh_daemon_selinux.spec

policy/ssh_daemon.te

@@ -0,0 +1,24 @@
+policy_module(ssh_daemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`type init_t;')
+gen_require(`type ssh_t;')
+gen_require(`type ssh_exec_t;')
+role system_r types ssh_t;
+
+########################################
+#
+# Policy
+#
+
+domtrans_pattern(init_t, ssh_exec_t, ssh_t)
+can_exec(init_t, ssh_exec_t)
+corenet_tcp_bind_all_unreserved_ports(ssh_t)
+corenet_tcp_connect_all_unreserved_ports(ssh_t)
+corenet_tcp_bind_all_ephemeral_ports(ssh_t)
+corenet_tcp_connect_all_ephemeral_ports(ssh_t)
+

policy/ssh_daemon_selinux.spec

@@ -0,0 +1,68 @@
+# vim: sw=4:ts=4:et
+
+
+%define relabel_files() \
+restorecon -R /usr/bin/ssh; \
+
+%define selinux_policyver 38.1.23-1
+
+Name:   ssh_daemon_selinux
+Version:	1.0
+Release:	1%{?dist}
+Summary:	SELinux policy module to run ssh as a daemon
+
+Group:	System Environment/Base
+License:	GPLv2+
+# This is an example. You will need to change it.
+# For a complete guide on packaging your policy
+# see https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+URL:		https://github.com/Mine02C4/ssh_daemon_selinux
+Source0:	ssh_daemon.pp
+Source1:	ssh_daemon.if
+
+
+Requires: policycoreutils-python-utils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils-python-utils
+Requires(postun): policycoreutils-python-utils
+BuildArch: noarch
+
+%description
+This package installs and sets up the  SELinux policy security module for ssh_daemon.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/ssh_daemon.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+    semodule -n -r ssh_daemon
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+
+    fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/ssh_daemon.pp
+%{_datadir}/selinux/devel/include/contrib/ssh_daemon.if
+
+
+%changelog
+* Sat Apr 13 2024 NIWA Naoya <[email protected]> 1.0-1
+- Initial version
+

signature/public.gpg

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGYakVIBEADN0Krod9GK/VwP/Umd4X+1odQsdtQTy0sqPB+Wd6TILAO2ZZ6n
+NkbNlSJSPPsR5jnj7o3oNoy0+lhL+KpZkROG+ugAka4j3NBkze3PfrLe/Nl3b4F/
+PcElJeaa0wI4oq7rHPDXuxP1rYefBEBIbswSb1ZSjGrcWq9W8KSnhn1b2dZVRNNm
+e3GRSXt1mxUcdLEJqpKQTcq5KI8l4nGsrm/+1Q5DnQjZns0k3asVn40cLtFLGIY+
+MTnHjUoARRG30eMHVjzL+TKshmGqvv22je/AZ4xewrymSjf7+F/jRclQQWtzkz6n
+nJaVtgCDiw3iWZZ/t/FoUL5CmWEWl98o8Xgvr575MzlWRiSGisNPnaJLWWznfMeq
+f7dXkOhi1qcrglTFJooL27pp9ftSRsLOcOdyhP1yigQQS8H4WuEomc3V4togxqm1
+xxQQVZ6l1FfPIM5iHm+8RvC7RfdEkaDbknRlRhGM25gABPKSfFPyiwsUGLSh57ek
+SnlWxkH5pyEzMBNmKM5sI57l/4pOalJbx96f1zATH16AZwxe8/0aBYxQuB0y4Pr6
+GPHY6Ervp8Shi/6LGzQKJdavJ6szBGSvbJrgkiLe8H+fzfHS5maHD0/hYLbmXsaz
+eGkBxCNU+bkDuCIBtGTtbWtmC2kYdjnZ/da11mErT/C4tYzkXgEinUGu0QARAQAB
+tDZOSVdBIE5hb3lhIChzc2hfZGFlbW9uX3NlbGludXgpIDxtaW5lQG1pbmUwMmM0
+Lm5hZ295YT6JAlIEEwEIADwWIQSry7oqXBl/JBxtCvVMLAX+UeV6LwUCZhqRUgIb
+LwULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQTCwF/lHlei/7qw//fyQ8
++/wg/HaltERIRgsF9nE7nStTaItf02FVQYM/k6YWAzjXoceMr2wr1mrxwq0PfLE8
+6Jj0rzk66ls6XH0mWvhVuGwIdLkD+BmfqlOK32m7jCZk1NmhVzUK/X2xYj8mvi2V
+G/RRAE/dSeAmBQj+OA82L/zp+y/QZA7OTBunUHlRmjP1tWqCeJfizYkR3VB1GHm3
+VWWPTr9nkiVa7tPuhlG31EC4OgYWr4ncybe/lf3q6l1VoKLD+bqKzlXJkxMPxn3j
+6oEDG+qZy6SrreWavnJ/TQjSMDqhzrxyiL88DE76HZoNjrGZH48kEVL6PB/kqO4N
+XCPaTgGlmKmDoAfO0W/nd1nxnBEOTcZL1ErXtAdXUaHK/P3ilDG4N1TKq3AqOBM3
+WVQhR8qTiuNbOnzb+INcSZqNnyh1RwMEgw5QjXfSQMBlTOwfmgqbFnkeGscWlC9H
+U8mIRA9vVcJeGxv+VSHCKMWn4OnjqB5E+TY/6Y5zBgSIm4RbQI8S1MXv+ri7UPVb
+LrKbXHmI1qgphoaHtq6VwOUwgWy5BUcWfOnN579Qv13/Ud78ut+EpE9YPGVOCaOV
+PC6N7DJjpcxB+1cCrz91OcDaANMKwK0Dvb+KhqLbyVtfbGX0yJirQi+lp72CfI/R
+KTB30Zzjm1UZE+992vNdGh5t8Bn7WbjJVTDcbD0=
+=kfn6
+-----END PGP PUBLIC KEY BLOCK-----