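# SELinux reference policy module for OpenSSH.
#
# Declares the executable, key and runtime types shared by the ssh client,
# ssh-keygen and sshd.  The sshd server domains themselves come from
# ssh_server_template() under strict policy, or are aliased to the unconfined
# domain under targeted policy (see the ifdef below).
policy_module(ssh,1.5.0)

########################################
#
# Declarations
#

# Attribute for sshd-style server domains.  Nothing in this file adds types
# to it; presumably ssh_server_template() does.
attribute ssh_server;

# ssh client executable.
type ssh_exec_t;
corecmd_executable_file(ssh_exec_t)

# ssh-keygen runs in its own system domain (init-started, role system_r).
type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
role system_r types ssh_keygen_t;

# ssh-keysign helper executable.  No ssh_keysign domain is declared in this
# file, so any transition on it has to be set up elsewhere.
type ssh_keysign_exec_t;
corecmd_executable_file(ssh_keysign_exec_t)

# sshd executable; entry point for sshd_t / sshd_extern_t.
type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)

# Key files created by ssh_keygen_t under /etc (see the ssh_keygen section).
# Presumably the sshd host private keys: keep the set of domains that may
# read or manage sshd_key_t as small as possible.
type sshd_key_t;
files_type(sshd_key_t)

ifdef(`targeted_policy',`
	# Targeted policy: sshd_t is an alias of the unconfined domain, so sshd
	# is not confined here and the strict-policy rules further down do not
	# apply to it.
	unconfined_alias_domain(sshd_t)
	init_system_domain(sshd_t,sshd_exec_t)

	type sshd_var_run_t;
	files_type(sshd_var_run_t)

	ifdef(`enable_mcs',`
		init_ranged_system_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
	')
',`
	# Type for the ssh-agent executable.
	type ssh_agent_exec_t;
	files_type(ssh_agent_exec_t)

	# Strict policy: the template (defined outside this file) declares
	# sshd_t and sshd_extern_t together with their common rules.
	ssh_server_template(sshd)
	ssh_server_template(sshd_extern)

	# cjp: commenting this out until typeattribute works in a conditional
	# optional_policy(`
	# tunable_policy(`run_ssh_inetd',`
	# inetd_tcp_service_domain(sshd_t,sshd_exec_t)
	# ',`
	# init_daemon_domain(sshd_t,sshd_exec_t)
	# ')
	# ',`
	# These rules should match the else block
	# of the run_ssh_inetd tunable directly above
	# (with the inetd conditional disabled, sshd is always an init-started
	# daemon).
	init_daemon_domain(sshd_t,sshd_exec_t)

	ifdef(`enable_mcs',`
		init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
	')
	# ')

	type sshd_tmp_t;
	files_tmp_file(sshd_tmp_t)
')
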
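#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#
# Everything in this section is strict-policy only; under targeted policy
# sshd_t is an alias of the unconfined domain (see Declarations).
#

ifdef(`strict_policy',`
	# so a tunnel can point to another ssh tunnel
	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
	# Kernel keyring access on its own keys -- presumably the session
	# keyring sshd sets up for logins; confirm against the sshd build.
	allow sshd_t self:key { search link write };

	# Private scratch dirs/files/sockets under /tmp, auto-labelled sshd_tmp_t.
	manage_dirs_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
	manage_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
	manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
	files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })

	kernel_link_key(sshd_t)

	# for X forwarding
	corenet_tcp_bind_xserver_port(sshd_t)
	corenet_sendrecv_xserver_server_packets(sshd_t)

	# ssh_sysadm_login controls how far sshd may reach.  Enabled: sshd may
	# transition to (and signal) every user domain, including the sysadm
	# user's, and use/relabel all user ptys.  Disabled: only unprivileged
	# user domains and their ptys.  Leave it disabled unless sysadm logins
	# over ssh are required.
	tunable_policy(`ssh_sysadm_login',`
		# Relabel and access ptys created by sshd
		# ioctl is necessary for logout() processing for utmp entry and for w to
		# display the tty.
		# some versions of sshd on the new SELinux require setattr
		term_use_all_user_ptys(sshd_t)
		term_setattr_all_user_ptys(sshd_t)
		term_relabelto_all_user_ptys(sshd_t)

		userdom_spec_domtrans_all_users(sshd_t)
		userdom_signal_all_users(sshd_t)
	',`
		userdom_spec_domtrans_unpriv_users(sshd_t)
		userdom_signal_unpriv_users(sshd_t)

		userdom_setattr_unpriv_users_ptys(sshd_t)
		userdom_relabelto_unpriv_users_ptys(sshd_t)
		userdom_use_unpriv_users_ptys(sshd_t)
	')

	optional_policy(`
		daemontools_service_domain(sshd_t, sshd_exec_t)
	')

	optional_policy(`
		rpm_use_script_fds(sshd_t)
	')

	optional_policy(`
		rssh_spec_domtrans_all_users(sshd_t)
		# For reading /home/user/.ssh
		rssh_read_all_users_ro_content(sshd_t)
	')

	# Compiled out unless TODO is defined at build time.  The block also
	# refers to types/attributes (ptyfile, userpty_type, xauth_exec_t,
	# userdomain, unpriv_userdomain) that are neither declared nor required
	# in this file, so it would not build as-is; kept for reference only.
	ifdef(`TODO',`
	tunable_policy(`ssh_sysadm_login',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SELinux require setattr
	allow sshd_t ptyfile:chr_file relabelto;

	optional_policy(`
	domain_trans(sshd_t, xauth_exec_t, userdomain)
	')
	',`
	optional_policy(`
	domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
	')
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SELinux require setattr
	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
	')
	') dnl endif TODO
')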
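
#################################
#
# sshd_extern local policy
#
# sshd_extern_t is the domain for ssh from outside our network
#
# NOTE(review): the whole section is nested in ifdef(`TODO'), so
# sshd_extern_t currently has no local rules beyond what
# ssh_server_template() gives it.  The body also references types
# (user_mini_domain, inetd_t, initrc_t, sysadm_t, shell_exec_t, xauth_exec_t)
# that are not declared or required in this file, so it cannot simply be
# switched on.
#

ifdef(`strict_policy',`
ifdef(`TODO',`
domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
# Signal the user domains.
allow sshd_extern_t user_mini_domain:process signal;

ifdef(`xauth.te', `
domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
')

# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SELinux require setattr
allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };

# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;

optional_policy(`
tunable_policy(`run_ssh_inetd',`
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
',`
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
')
',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
')

ifdef(`direct_sysadm_daemon', `
# Direct execution by sysadm_r.
# Note: this transitions to sshd_t, not sshd_extern_t, despite sitting in
# the sshd_extern section; revisit before reviving this block.
domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
role_transition sysadm_r sshd_exec_t system_r;
')
') dnl endif TODO
')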
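
########################################
#
# ssh_keygen local policy
#
# This section is not wrapped in strict_policy, so it applies to both
# strict and targeted builds.
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t

dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };

allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

# ssh-keygen creates and rewrites key files under /etc, labelled sshd_key_t.
# Within this file it is the only domain granted manage on sshd_key_t; keep
# it that way.
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)

kernel_read_kernel_sysctls(ssh_keygen_t)

fs_search_auto_mountpoints(ssh_keygen_t)

dev_read_sysfs(ssh_keygen_t)
# /dev/urandom -- presumably the entropy source for key generation.
dev_read_urand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

domain_use_interactive_fds(ssh_keygen_t)

files_read_etc_files(ssh_keygen_t)

init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)

libs_use_ld_so(ssh_keygen_t)
libs_use_shared_libs(ssh_keygen_t)

logging_send_syslog_msg(ssh_keygen_t)

# NOTE(review): these two rules reach directly into the kernel module's
# proc_t instead of going through a kernel.if interface (e.g.
# kernel_read_system_state).  That interface is broader than these two
# rules, so check the widening is acceptable before switching.
allow ssh_keygen_t proc_t:dir r_dir_perms;
allow ssh_keygen_t proc_t:lnk_file read;

userdom_use_sysadm_ttys(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)

# cjp: with the old daemon_(base_)domain being broken up into
# a daemon and system interface, this probably is not needed:
ifdef(`direct_sysadm_daemon',`
	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
')

# Targeted-only noise suppression; no additional access is granted here.
ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
	term_dontaudit_use_generic_ptys(ssh_keygen_t)
	files_dontaudit_read_root_files(ssh_keygen_t)
')

optional_policy(`
	nscd_socket_use(ssh_keygen_t)
')

optional_policy(`
	seutil_sigchld_newrole(ssh_keygen_t)
')

optional_policy(`
	udev_read_db(ssh_keygen_t)
')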
75beb950 | 223 | files_read_etc_files(ssh_keygen_t) |
0404a390 | 224 | |
75beb950 CP |
225 | init_use_fds(ssh_keygen_t) |
226 | init_use_script_ptys(ssh_keygen_t) | |
0404a390 | 227 | |
75beb950 CP |
228 | libs_use_ld_so(ssh_keygen_t) |
229 | libs_use_shared_libs(ssh_keygen_t) | |
0404a390 | 230 | |
75beb950 | 231 | logging_send_syslog_msg(ssh_keygen_t) |
0404a390 | 232 | |
75beb950 CP |
233 | allow ssh_keygen_t proc_t:dir r_dir_perms; |
234 | allow ssh_keygen_t proc_t:lnk_file read; | |
0404a390 | 235 | |
75beb950 CP |
236 | userdom_use_sysadm_ttys(ssh_keygen_t) |
237 | userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) | |
0404a390 | 238 | |
75beb950 CP |
239 | # cjp: with the old daemon_(base_)domain being broken up into |
240 | # a daemon and system interface, this probably is not needed: | |
241 | ifdef(`direct_sysadm_daemon',` | |
242 | userdom_dontaudit_use_sysadm_terms(ssh_keygen_t) | |
243 | ') | |
0404a390 | 244 | |
75beb950 CP |
245 | ifdef(`targeted_policy',` |
246 | term_dontaudit_use_unallocated_ttys(ssh_keygen_t) | |
247 | term_dontaudit_use_generic_ptys(ssh_keygen_t) | |
248 | files_dontaudit_read_root_files(ssh_keygen_t) | |
249 | ') | |
0404a390 | 250 | |
75beb950 CP |
251 | optional_policy(` |
252 | nscd_socket_use(ssh_keygen_t) | |
253 | ') | |
0404a390 | 254 | |
75beb950 CP |
255 | optional_policy(` |
256 | seutil_sigchld_newrole(ssh_keygen_t) | |
257 | ') | |
258 | ||
259 | optional_policy(` | |
260 | udev_read_db(ssh_keygen_t) | |
c0d1566a | 261 | ') |