##
-## Allow OnDemand to use Shell app
+## Allow OnDemand to use SSH
##
##
-gen_tunable(ondemand_use_shell_app, true)
+gen_tunable(ondemand_use_ssh, true)
-tunable_policy(`ondemand_use_shell_app',`
+tunable_policy(`ondemand_use_ssh',`
allow ood_pun_t ptmx_t:chr_file { ioctl open read write };
- can_exec(ood_pun_t, ssh_exec_t)
+ ssh_exec(ood_pun_t)
+ can_exec(ood_pun_t, ssh_keysign_exec_t)
corenet_tcp_connect_ssh_port(ood_pun_t)
+ allow ood_pun_t sshd_key_t:file read_file_perms;
allow ood_pun_t self:key { read view write };
')
-tunable_policy(`ondemand_use_shell_app && ondemand_manage_user_home_dir',`
+tunable_policy(`ondemand_use_ssh && ondemand_manage_user_home_dir',`
manage_dirs_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
manage_files_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
')
@@ -201,6 +210,44 @@ tunable_policy(`ondemand_use_slurm',`
corenet_tcp_connect_generic_port(ood_pun_t)
# Access munge socket
allow ood_pun_t var_run_t:sock_file { getattr write };
+ # SLURM commands like squeue
+ allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms };
+')
+
+##