]>
Commit | Line | Data |
---|---|---|
29af4c13 | 1 | policy_module(ssh, 2.2.0) |
0404a390 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
56e1b3d2 | 8 | ## <desc> |
1e2abee1 DG |
9 | ## <p> |
10 | ## allow host key based authentication | |
11 | ## </p> | |
56e1b3d2 | 12 | ## </desc> |
0bfccda4 | 13 | gen_tunable(allow_ssh_keysign, false) |
56e1b3d2 CP |
14 | |
15 | ## <desc> | |
1e2abee1 DG |
16 | ## <p> |
17 | ## Allow ssh logins as sysadm_r:sysadm_t | |
18 | ## </p> | |
56e1b3d2 | 19 | ## </desc> |
0bfccda4 | 20 | gen_tunable(ssh_sysadm_login, false) |
56e1b3d2 | 21 | |
3eaa9939 | 22 | ## <desc> |
1e2abee1 DG |
23 | ## <p> |
24 | ## allow sshd to forward port connections | |
25 | ## </p> | |
3eaa9939 DW |
26 | ## </desc> |
27 | gen_tunable(sshd_forward_ports, false) | |
28 | ||
919775fe MG |
29 | ## <desc> |
30 | ## <p> | |
31 | ## Allow ssh with chroot env to read and write files | |
32 | ## in the user home directories | |
33 | ## </p> | |
34 | ## </desc> | |
35 | gen_tunable(ssh_chroot_rw_homedirs, false) | |
36 | ||
f5dce57b | 37 | attribute ssh_dyntransition_domain; |
45239964 | 38 | attribute ssh_server; |
296273a7 | 39 | attribute ssh_agent_type; |
0404a390 | 40 | |
4c3a6f86 MG |
41 | ssh_dyntransition_domain_template(chroot_user_t) |
42 | ssh_dyntransition_domain_template(sshd_sandbox_t) | |
43 | ||
75beb950 | 44 | type ssh_keygen_t; |
0404a390 | 45 | type ssh_keygen_exec_t; |
0bfccda4 | 46 | init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) |
0404a390 | 47 | |
e070dd2d | 48 | type sshd_exec_t; |
fb63d0b5 | 49 | corecmd_executable_file(sshd_exec_t) |
c3812748 | 50 | |
6b19be33 | 51 | ssh_server_template(sshd) |
0bfccda4 | 52 | init_daemon_domain(sshd_t, sshd_exec_t) |
6b19be33 | 53 | |
3eaa9939 DW |
54 | type sshd_initrc_exec_t; |
55 | init_script_file(sshd_initrc_exec_t) | |
56 | ||
375c2415 CP |
57 | type sshd_key_t; |
58 | files_type(sshd_key_t) | |
9ccd96df | 59 | |
296273a7 CP |
60 | type ssh_t; |
61 | type ssh_exec_t; | |
62 | typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; | |
63 | typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t }; | |
64 | application_domain(ssh_t, ssh_exec_t) | |
65 | ubac_constrained(ssh_t) | |
66 | ||
67 | type ssh_agent_exec_t; | |
68 | corecmd_executable_file(ssh_agent_exec_t) | |
69 | ||
70 | type ssh_agent_tmp_t; | |
71 | typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; | |
72 | typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; | |
73 | files_tmp_file(ssh_agent_tmp_t) | |
74 | ubac_constrained(ssh_agent_tmp_t) | |
75 | ||
76 | type ssh_keysign_t; | |
77 | type ssh_keysign_exec_t; | |
78 | typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t }; | |
79 | typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t }; | |
80 | application_domain(ssh_keysign_t, ssh_keysign_exec_t) | |
81 | ubac_constrained(ssh_keysign_t) | |
82 | ||
83 | type ssh_tmpfs_t; | |
84 | typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; | |
85 | typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; | |
86 | files_tmpfs_file(ssh_tmpfs_t) | |
87 | ubac_constrained(ssh_tmpfs_t) | |
88 | ||
cde15072 CP |
89 | type ssh_home_t; |
90 | typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; | |
91 | typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; | |
cde15072 | 92 | userdom_user_home_content(ssh_home_t) |
8ba1f41a | 93 | files_poly_parent(ssh_home_t) |
296273a7 | 94 | |
4781493e DG |
95 | ifdef(`enable_mcs',` |
96 | init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) | |
97 | ') | |
98 | ||
296273a7 CP |
99 | ############################## |
100 | # | |
101 | # SSH client local policy | |
102 | # | |
103 | ||
104 | allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; | |
105 | allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | |
106 | allow ssh_t self:fd use; | |
107 | allow ssh_t self:fifo_file rw_fifo_file_perms; | |
8f471092 | 108 | allow ssh_t self:key read; |
296273a7 CP |
109 | allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; |
110 | allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; | |
111 | allow ssh_t self:shm create_shm_perms; | |
112 | allow ssh_t self:sem create_sem_perms; | |
113 | allow ssh_t self:msgq create_msgq_perms; | |
114 | allow ssh_t self:msg { send receive }; | |
cde15072 | 115 | allow ssh_t self:tcp_socket create_stream_socket_perms; |
64607462 | 116 | can_exec(ssh_t, ssh_exec_t) |
296273a7 CP |
117 | |
118 | # Read the ssh key file. | |
119 | allow ssh_t sshd_key_t:file read_file_perms; | |
120 | ||
296273a7 CP |
121 | manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) |
122 | manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) | |
123 | manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) | |
124 | manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) | |
cde15072 | 125 | fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
296273a7 | 126 | |
edc2f7de CP |
127 | manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) |
128 | manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) | |
129 | userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) | |
8f471092 | 130 | userdom_read_all_users_keys(ssh_t) |
3eaa9939 | 131 | userdom_stream_connect(ssh_t) |
726d3fd9 | 132 | userdom_search_admin_dir(sshd_t) |
70be862b | 133 | userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) |
296273a7 CP |
134 | |
135 | # Allow the ssh program to communicate with ssh-agent. | |
136 | stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) | |
137 | ||
138 | allow ssh_t sshd_t:unix_stream_socket connectto; | |
5dd938af | 139 | allow ssh_t sshd_t:peer recv; |
296273a7 CP |
140 | |
141 | # ssh client can manage the keys and config | |
edc2f7de CP |
142 | manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) |
143 | read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) | |
296273a7 CP |
144 | |
145 | # ssh servers can read the user keys and config | |
3eaa9939 DW |
146 | manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) |
147 | manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) | |
148 | userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir) | |
149 | userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir) | |
296273a7 CP |
150 | |
151 | kernel_read_kernel_sysctls(ssh_t) | |
cde15072 | 152 | kernel_read_system_state(ssh_t) |
296273a7 CP |
153 | |
154 | corenet_all_recvfrom_unlabeled(ssh_t) | |
155 | corenet_all_recvfrom_netlabel(ssh_t) | |
668b3093 | 156 | corenet_tcp_sendrecv_generic_if(ssh_t) |
c1262146 | 157 | corenet_tcp_sendrecv_generic_node(ssh_t) |
296273a7 CP |
158 | corenet_tcp_sendrecv_all_ports(ssh_t) |
159 | corenet_tcp_connect_ssh_port(ssh_t) | |
160 | corenet_sendrecv_ssh_client_packets(ssh_t) | |
3eaa9939 DW |
161 | corenet_tcp_bind_generic_node(ssh_t) |
162 | corenet_tcp_bind_all_unreserved_ports(ssh_t) | |
2e52e8cf | 163 | corenet_rw_tun_tap_dev(ssh_t) |
296273a7 | 164 | |
8fd700fe | 165 | dev_read_rand(ssh_t) |
296273a7 CP |
166 | dev_read_urand(ssh_t) |
167 | ||
168 | fs_getattr_all_fs(ssh_t) | |
169 | fs_search_auto_mountpoints(ssh_t) | |
170 | ||
171 | # run helper programs - needed eg for x11-ssh-askpass | |
172 | corecmd_exec_shell(ssh_t) | |
173 | corecmd_exec_bin(ssh_t) | |
174 | ||
175 | domain_use_interactive_fds(ssh_t) | |
176 | ||
177 | files_list_home(ssh_t) | |
178 | files_read_usr_files(ssh_t) | |
179 | files_read_etc_runtime_files(ssh_t) | |
180 | files_read_etc_files(ssh_t) | |
181 | files_read_var_files(ssh_t) | |
182 | ||
183 | logging_send_syslog_msg(ssh_t) | |
184 | logging_read_generic_logs(ssh_t) | |
185 | ||
cde15072 CP |
186 | auth_use_nsswitch(ssh_t) |
187 | ||
296273a7 | 188 | miscfiles_read_localization(ssh_t) |
442a14fe | 189 | miscfiles_read_generic_certs(ssh_t) |
296273a7 CP |
190 | |
191 | seutil_read_config(ssh_t) | |
192 | ||
296273a7 CP |
193 | userdom_dontaudit_list_user_home_dirs(ssh_t) |
194 | userdom_search_user_home_dirs(ssh_t) | |
bebaa6a2 | 195 | userdom_search_admin_dir(ssh_t) |
296273a7 | 196 | # Write to the user domain tty. |
af2d8802 | 197 | userdom_use_inherited_user_terminals(ssh_t) |
3eaa9939 | 198 | # needs to read krb/write tgt |
296273a7 | 199 | userdom_read_user_tmp_files(ssh_t) |
3eaa9939 DW |
200 | userdom_write_user_tmp_files(ssh_t) |
201 | userdom_read_user_home_content_symlinks(ssh_t) | |
ded9692e | 202 | userdom_read_home_certs(ssh_t) |
ed2ac112 | 203 | userdom_home_manager(ssh_t) |
296273a7 CP |
204 | |
205 | tunable_policy(`allow_ssh_keysign',` | |
3c4ffa32 | 206 | domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) |
296273a7 CP |
207 | ') |
208 | ||
296273a7 CP |
209 | # for port forwarding |
210 | tunable_policy(`user_tcp_server',` | |
211 | corenet_tcp_bind_ssh_port(ssh_t) | |
cde15072 | 212 | corenet_tcp_bind_generic_node(ssh_t) |
296273a7 CP |
213 | ') |
214 | ||
215 | optional_policy(` | |
216 | xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) | |
217 | xserver_domtrans_xauth(ssh_t) | |
218 | ') | |
219 | ||
3eaa9939 | 220 | |
296273a7 CP |
221 | ############################## |
222 | # | |
223 | # ssh_keysign_t local policy | |
224 | # | |
225 | ||
226 | tunable_policy(`allow_ssh_keysign',` | |
227 | allow ssh_keysign_t self:capability { setgid setuid }; | |
228 | allow ssh_keysign_t self:unix_stream_socket create_socket_perms; | |
229 | ||
7d1f5642 | 230 | allow ssh_keysign_t sshd_key_t:file read_file_perms; |
296273a7 | 231 | |
8fd700fe | 232 | dev_read_rand(ssh_keysign_t) |
296273a7 CP |
233 | dev_read_urand(ssh_keysign_t) |
234 | ||
235 | files_read_etc_files(ssh_keysign_t) | |
236 | ') | |
237 | ||
0404a390 CP |
238 | ################################# |
239 | # | |
240 | # sshd local policy | |
241 | # | |
242 | # sshd_t is the domain for the sshd program. | |
243 | # | |
244 | ||
6b19be33 CP |
245 | # so a tunnel can point to another ssh tunnel |
246 | allow sshd_t self:netlink_route_socket r_netlink_socket_perms; | |
247 | allow sshd_t self:key { search link write }; | |
3eaa9939 | 248 | allow sshd_t self:process setcurrent; |
44d5d93f | 249 | |
6b19be33 CP |
250 | kernel_search_key(sshd_t) |
251 | kernel_link_key(sshd_t) | |
252 | ||
c3c753f7 CP |
253 | term_use_all_ptys(sshd_t) |
254 | term_setattr_all_ptys(sshd_t) | |
3eaa9939 | 255 | term_setattr_all_ttys(sshd_t) |
c3c753f7 | 256 | term_relabelto_all_ptys(sshd_t) |
3eaa9939 | 257 | term_use_ptmx(sshd_t) |
296273a7 | 258 | |
6b19be33 CP |
259 | # for X forwarding |
260 | corenet_tcp_bind_xserver_port(sshd_t) | |
261 | corenet_sendrecv_xserver_server_packets(sshd_t) | |
262 | ||
3eaa9939 DW |
263 | userdom_read_user_home_content_files(sshd_t) |
264 | userdom_read_user_home_content_symlinks(sshd_t) | |
3eaa9939 | 265 | userdom_manage_tmp_role(system_r, sshd_t) |
4781493e DG |
266 | userdom_spec_domtrans_unpriv_users(sshd_t) |
267 | userdom_signal_unpriv_users(sshd_t) | |
919775fe | 268 | userdom_dyntransition_unpriv_users(sshd_t) |
4781493e DG |
269 | |
270 | tunable_policy(`sshd_forward_ports',` | |
271 | corenet_tcp_bind_all_unreserved_ports(sshd_t) | |
272 | corenet_tcp_connect_all_ports(sshd_t) | |
273 | ') | |
3eaa9939 | 274 | |
6b19be33 CP |
275 | tunable_policy(`ssh_sysadm_login',` |
276 | # Relabel and access ptys created by sshd | |
277 | # ioctl is necessary for logout() processing for utmp entry and for w to | |
278 | # display the tty. | |
279 | # some versions of sshd on the new SE Linux require setattr | |
6b19be33 | 280 | userdom_signal_all_users(sshd_t) |
f39ff1fa | 281 | userdom_spec_domtrans_all_users(sshd_t) |
6b19be33 CP |
282 | ') |
283 | ||
57ce3836 | 284 | optional_policy(` |
5a1cc7f0 | 285 | amanda_search_var_lib(sshd_t) |
57ce3836 DW |
286 | ') |
287 | ||
cde15072 | 288 | optional_policy(` |
088b65e5 | 289 | daemontools_service_domain(sshd_t, sshd_exec_t) |
cde15072 CP |
290 | ') |
291 | ||
3eaa9939 DW |
292 | optional_policy(` |
293 | kerberos_keytab_template(sshd, sshd_t) | |
294 | ') | |
295 | ||
296 | optional_policy(` | |
297 | ftp_dyntrans_sftpd(sshd_t) | |
298 | ftp_dyntrans_anon_sftpd(sshd_t) | |
299 | ') | |
300 | ||
6b19be33 | 301 | optional_policy(` |
088b65e5 | 302 | inetd_tcp_service_domain(sshd_t, sshd_exec_t) |
6b19be33 CP |
303 | ') |
304 | ||
305 | optional_policy(` | |
3eaa9939 | 306 | nx_read_home_files(sshd_t) |
6b19be33 CP |
307 | ') |
308 | ||
309 | optional_policy(` | |
310 | rpm_use_script_fds(sshd_t) | |
311 | ') | |
312 | ||
313 | optional_policy(` | |
296273a7 | 314 | rssh_spec_domtrans(sshd_t) |
6b19be33 | 315 | # For reading /home/user/.ssh |
296273a7 | 316 | rssh_read_ro_content(sshd_t) |
6b19be33 CP |
317 | ') |
318 | ||
151056b0 MG |
319 | optional_policy(` |
320 | systemd_exec_systemctl(sshd_t) | |
321 | ') | |
322 | ||
3eaa9939 DW |
323 | optional_policy(` |
324 | usermanage_domtrans_passwd(sshd_t) | |
325 | usermanage_read_crack_db(sshd_t) | |
326 | ') | |
327 | ||
350b6ab7 | 328 | optional_policy(` |
350b6ab7 CP |
329 | unconfined_shell_domtrans(sshd_t) |
330 | ') | |
331 | ||
088b65e5 CP |
332 | optional_policy(` |
333 | xserver_domtrans_xauth(sshd_t) | |
334 | ') | |
335 | ||
6b19be33 | 336 | ifdef(`TODO',` |
1e2abee1 DG |
337 | tunable_policy(`ssh_sysadm_login',` |
338 | # Relabel and access ptys created by sshd | |
339 | # ioctl is necessary for logout() processing for utmp entry and for w to | |
340 | # display the tty. | |
341 | # some versions of sshd on the new SE Linux require setattr | |
342 | allow sshd_t ptyfile:chr_file relabelto; | |
343 | ||
344 | optional_policy(` | |
345 | domain_trans(sshd_t, xauth_exec_t, userdomain) | |
346 | ') | |
347 | ',` | |
348 | optional_policy(` | |
349 | domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) | |
350 | ') | |
351 | # Relabel and access ptys created by sshd | |
352 | # ioctl is necessary for logout() processing for utmp entry and for w to | |
353 | # display the tty. | |
354 | # some versions of sshd on the new SE Linux require setattr | |
7d1f5642 | 355 | allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; |
5540e76a | 356 | ') |
6b19be33 | 357 | ') dnl endif TODO |
0404a390 | 358 | |
0404a390 CP |
359 | ######################################## |
360 | # | |
361 | # ssh_keygen local policy | |
362 | # | |
363 | ||
75beb950 CP |
364 | # ssh_keygen_t is the type of the ssh-keygen program when run at install time |
365 | # and by sysadm_t | |
0404a390 | 366 | |
3e23c54b | 367 | allow ssh_keygen_t self:capability dac_override; |
75beb950 CP |
368 | dontaudit ssh_keygen_t self:capability sys_tty_config; |
369 | allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; | |
75beb950 | 370 | allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; |
0404a390 | 371 | |
c0868a7a | 372 | allow ssh_keygen_t sshd_key_t:file manage_file_perms; |
0bfccda4 | 373 | files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) |
0404a390 | 374 | |
58c3d0e9 MG |
375 | manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) |
376 | manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) | |
377 | userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) | |
092a35ee | 378 | userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) |
58c3d0e9 | 379 | |
c1a9a532 | 380 | kernel_read_system_state(ssh_keygen_t) |
75beb950 | 381 | kernel_read_kernel_sysctls(ssh_keygen_t) |
0404a390 | 382 | |
75beb950 | 383 | fs_search_auto_mountpoints(ssh_keygen_t) |
ab940a4c | 384 | |
75beb950 | 385 | dev_read_sysfs(ssh_keygen_t) |
b76a6a16 | 386 | dev_read_rand(ssh_keygen_t) |
75beb950 | 387 | dev_read_urand(ssh_keygen_t) |
0404a390 | 388 | |
75beb950 | 389 | term_dontaudit_use_console(ssh_keygen_t) |
0404a390 | 390 | |
75beb950 | 391 | domain_use_interactive_fds(ssh_keygen_t) |
0404a390 | 392 | |
75beb950 | 393 | files_read_etc_files(ssh_keygen_t) |
0404a390 | 394 | |
75beb950 CP |
395 | init_use_fds(ssh_keygen_t) |
396 | init_use_script_ptys(ssh_keygen_t) | |
0404a390 | 397 | |
cde15072 CP |
398 | auth_use_nsswitch(ssh_keygen_t) |
399 | ||
75beb950 | 400 | logging_send_syslog_msg(ssh_keygen_t) |
0404a390 | 401 | |
75beb950 | 402 | userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) |
0b0d648a | 403 | userdom_use_user_terminals(ssh_keygen_t) |
0404a390 | 404 | |
75beb950 CP |
405 | optional_policy(` |
406 | seutil_sigchld_newrole(ssh_keygen_t) | |
407 | ') | |
408 | ||
409 | optional_policy(` | |
410 | udev_read_db(ssh_keygen_t) | |
c0d1566a | 411 | ') |
919775fe | 412 | |
4c3a6f86 MG |
413 | #################################### |
414 | # | |
415 | # ssh_dyntransition domain local policy | |
416 | # | |
417 | ||
418 | allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid }; | |
419 | ||
420 | allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; | |
421 | ||
422 | optional_policy(` | |
423 | ssh_rw_stream_sockets(ssh_dyntransition_domain) | |
424 | ssh_rw_tcp_sockets(ssh_dyntransition_domain) | |
425 | ') | |
426 | ||
427 | ##################################### | |
428 | # | |
429 | # ssh_sandbox local policy | |
430 | # | |
431 | ||
432 | allow sshd_t sshd_sandbox_t:process signal; | |
433 | ||
434 | init_ioctl_stream_sockets(sshd_sandbox_t) | |
435 | ||
436 | logging_send_audit_msgs(sshd_sandbox_t) | |
437 | ||
919775fe MG |
438 | ###################################### |
439 | # | |
440 | # chroot_user_t local policy | |
441 | # | |
442 | ||
919775fe MG |
443 | |
444 | userdom_read_user_home_content_files(chroot_user_t) | |
445 | userdom_read_inherited_user_home_content_files(chroot_user_t) | |
446 | userdom_read_user_home_content_symlinks(chroot_user_t) | |
447 | userdom_exec_user_home_content_files(chroot_user_t) | |
448 | ||
449 | tunable_policy(`ssh_chroot_rw_homedirs',` | |
450 | files_list_home(chroot_user_t) | |
451 | userdom_read_user_home_content_files(chroot_user_t) | |
452 | userdom_manage_user_home_content(chroot_user_t) | |
453 | ', ` | |
454 | ||
455 | userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file }) | |
456 | ') | |
457 | ||
458 | tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',` | |
459 | fs_manage_nfs_dirs(chroot_user_t) | |
460 | fs_manage_nfs_files(chroot_user_t) | |
461 | fs_manage_nfs_symlinks(chroot_user_t) | |
462 | ') | |
463 | ||
464 | tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',` | |
465 | fs_manage_cifs_dirs(chroot_user_t) | |
466 | fs_manage_cifs_files(chroot_user_t) | |
467 | fs_manage_cifs_symlinks(chroot_user_t) | |
468 | ') | |
469 | ||
8b6c8e05 | 470 | tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',` |
fbf13449 | 471 | fs_manage_fusefs_dirs(chroot_user_t) |
8b6c8e05 | 472 | fs_manage_fusefs_files(chroot_user_t) |
fbf13449 | 473 | fs_manage_fusefs_symlinks(chroot_user_t) |
8b6c8e05 MG |
474 | ') |
475 | ||
919775fe MG |
476 | tunable_policy(`use_samba_home_dirs',` |
477 | fs_read_cifs_files(chroot_user_t) | |
478 | fs_read_cifs_symlinks(chroot_user_t) | |
479 | ') | |
480 | ||
ed2ac112 | 481 | userdom_home_manager(chroot_user_t) |
8b6c8e05 | 482 | |
919775fe | 483 | optional_policy(` |
919775fe MG |
484 | ssh_rw_dgram_sockets(chroot_user_t) |
485 | ') |