[people/stevee/selinux-policy.git] / policy / modules / services / ssh.te

policy_module(ssh, 2.2.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	allow host key based authentication
##	</p>
## </desc>
gen_tunable(allow_ssh_keysign, false)

## <desc>
##	<p>
##	Allow ssh logins as sysadm_r:sysadm_t
##	</p>
## </desc>
gen_tunable(ssh_sysadm_login, false)

## <desc>
##	<p>
##	allow sshd to forward port connections
##	</p>
## </desc>
gen_tunable(sshd_forward_ports, false)

## <desc>
## <p>
## Allow ssh with chroot env to read and write files 
## in the user home directories
## </p>
## </desc>
gen_tunable(ssh_chroot_rw_homedirs, false)

attribute ssh_dyntransition_domain;
attribute ssh_server;
attribute ssh_agent_type;

ssh_dyntransition_domain_template(chroot_user_t)
ssh_dyntransition_domain_template(sshd_sandbox_t)

type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)

type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)

ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)

type sshd_initrc_exec_t;
init_script_file(sshd_initrc_exec_t)

type sshd_key_t;
files_type(sshd_key_t)

type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
application_domain(ssh_t, ssh_exec_t)
ubac_constrained(ssh_t)

type ssh_agent_exec_t;
corecmd_executable_file(ssh_agent_exec_t)

type ssh_agent_tmp_t;
typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
files_tmp_file(ssh_agent_tmp_t)
ubac_constrained(ssh_agent_tmp_t)

type ssh_keysign_t;
type ssh_keysign_exec_t;
typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
application_domain(ssh_keysign_t, ssh_keysign_exec_t)
ubac_constrained(ssh_keysign_t)

type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
files_tmpfs_file(ssh_tmpfs_t)
ubac_constrained(ssh_tmpfs_t)

type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
files_poly_parent(ssh_home_t)

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')

##############################
#
# SSH client local policy
#

allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
allow ssh_t self:key read;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
can_exec(ssh_t, ssh_exec_t)

# Read the ssh key file.
allow ssh_t sshd_key_t:file read_file_perms;

manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
userdom_read_all_users_keys(ssh_t)
userdom_stream_connect(ssh_t)
userdom_search_admin_dir(sshd_t)
userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })

# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)

allow ssh_t sshd_t:unix_stream_socket connectto;
allow ssh_t sshd_t:peer recv;

# ssh client can manage the keys and config
manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)

# ssh servers can read the user keys and config
manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)

kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)

corenet_all_recvfrom_unlabeled(ssh_t)
corenet_all_recvfrom_netlabel(ssh_t)
corenet_tcp_sendrecv_generic_if(ssh_t)
corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
corenet_tcp_bind_generic_node(ssh_t)
corenet_tcp_bind_all_unreserved_ports(ssh_t)
corenet_rw_tun_tap_dev(ssh_t)

dev_read_rand(ssh_t)
dev_read_urand(ssh_t)

fs_getattr_all_fs(ssh_t)
fs_search_auto_mountpoints(ssh_t)

# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell(ssh_t)
corecmd_exec_bin(ssh_t)

domain_use_interactive_fds(ssh_t)

files_list_home(ssh_t)
files_read_usr_files(ssh_t)
files_read_etc_runtime_files(ssh_t)
files_read_etc_files(ssh_t)
files_read_var_files(ssh_t)

logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)

auth_use_nsswitch(ssh_t)

miscfiles_read_localization(ssh_t)
miscfiles_read_generic_certs(ssh_t)

seutil_read_config(ssh_t)

userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
userdom_search_admin_dir(ssh_t)
# Write to the user domain tty.
userdom_use_inherited_user_terminals(ssh_t)
# needs to read krb/write tgt
userdom_read_user_tmp_files(ssh_t)
userdom_write_user_tmp_files(ssh_t)
userdom_read_user_home_content_symlinks(ssh_t)
userdom_read_home_certs(ssh_t)
userdom_home_manager(ssh_t)

tunable_policy(`allow_ssh_keysign',`
	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
')

# for port forwarding
tunable_policy(`user_tcp_server',`
	corenet_tcp_bind_ssh_port(ssh_t)
	corenet_tcp_bind_generic_node(ssh_t)
')

optional_policy(`
	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
	xserver_domtrans_xauth(ssh_t)
')


##############################
#
# ssh_keysign_t local policy
#

tunable_policy(`allow_ssh_keysign',`
	allow ssh_keysign_t self:capability { setgid setuid };
	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;

	allow ssh_keysign_t sshd_key_t:file read_file_perms;

	dev_read_rand(ssh_keysign_t)
	dev_read_urand(ssh_keysign_t)

	files_read_etc_files(ssh_keysign_t)
')

#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#

# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
allow sshd_t self:process setcurrent;

kernel_search_key(sshd_t)
kernel_link_key(sshd_t)

term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
term_setattr_all_ttys(sshd_t)
term_relabelto_all_ptys(sshd_t)
term_use_ptmx(sshd_t)

# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)

userdom_read_user_home_content_files(sshd_t)
userdom_read_user_home_content_symlinks(sshd_t)
userdom_manage_tmp_role(system_r, sshd_t)
userdom_spec_domtrans_unpriv_users(sshd_t)
userdom_signal_unpriv_users(sshd_t)
userdom_dyntransition_unpriv_users(sshd_t)

tunable_policy(`sshd_forward_ports',`
	corenet_tcp_bind_all_unreserved_ports(sshd_t)
	corenet_tcp_connect_all_ports(sshd_t)
')

tunable_policy(`ssh_sysadm_login',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	userdom_signal_all_users(sshd_t)
	userdom_spec_domtrans_all_users(sshd_t)
')

optional_policy(`
	amanda_search_var_lib(sshd_t)
')

optional_policy(`
	daemontools_service_domain(sshd_t, sshd_exec_t)
')

optional_policy(`
	kerberos_keytab_template(sshd, sshd_t)
')

optional_policy(`
	ftp_dyntrans_sftpd(sshd_t)
	ftp_dyntrans_anon_sftpd(sshd_t)
')

optional_policy(`
	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')

optional_policy(`
	nx_read_home_files(sshd_t)
')

optional_policy(`
	rpm_use_script_fds(sshd_t)
')

optional_policy(`
	rssh_spec_domtrans(sshd_t)
	# For reading /home/user/.ssh
	rssh_read_ro_content(sshd_t)
')

optional_policy(`
	systemd_exec_systemctl(sshd_t)
')

optional_policy(`
	usermanage_domtrans_passwd(sshd_t)
	usermanage_read_crack_db(sshd_t)
')

optional_policy(`
	unconfined_shell_domtrans(sshd_t)
')

optional_policy(`
	xserver_domtrans_xauth(sshd_t)
')

ifdef(`TODO',`
	tunable_policy(`ssh_sysadm_login',`
		# Relabel and access ptys created by sshd
		# ioctl is necessary for logout() processing for utmp entry and for w to
		# display the tty.
		# some versions of sshd on the new SE Linux require setattr
		allow sshd_t ptyfile:chr_file relabelto;

			optional_policy(`
				domain_trans(sshd_t, xauth_exec_t, userdomain)
			')
	',`
		optional_policy(`
			domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
		')
		# Relabel and access ptys created by sshd
		# ioctl is necessary for logout() processing for utmp entry and for w to
		# display the tty.
		# some versions of sshd on the new SE Linux require setattr
		allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
	')
') dnl endif TODO

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t

allow ssh_keygen_t self:capability dac_override;
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)

manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)

kernel_read_system_state(ssh_keygen_t)
kernel_read_kernel_sysctls(ssh_keygen_t)

fs_search_auto_mountpoints(ssh_keygen_t)

dev_read_sysfs(ssh_keygen_t)
dev_read_rand(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

domain_use_interactive_fds(ssh_keygen_t)

files_read_etc_files(ssh_keygen_t)

init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)

auth_use_nsswitch(ssh_keygen_t)

logging_send_syslog_msg(ssh_keygen_t)

userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
userdom_use_user_terminals(ssh_keygen_t)

optional_policy(`
	seutil_sigchld_newrole(ssh_keygen_t)
')

optional_policy(`
	udev_read_db(ssh_keygen_t)
')

####################################
#
# ssh_dyntransition domain local policy
#

allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };

allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;

optional_policy(`
    ssh_rw_stream_sockets(ssh_dyntransition_domain)
    ssh_rw_tcp_sockets(ssh_dyntransition_domain)
')

#####################################
#
# ssh_sandbox local policy
#

allow sshd_t sshd_sandbox_t:process signal;

init_ioctl_stream_sockets(sshd_sandbox_t)

logging_send_audit_msgs(sshd_sandbox_t)

######################################
#
# chroot_user_t local policy
#


userdom_read_user_home_content_files(chroot_user_t)
userdom_read_inherited_user_home_content_files(chroot_user_t)
userdom_read_user_home_content_symlinks(chroot_user_t)
userdom_exec_user_home_content_files(chroot_user_t)

tunable_policy(`ssh_chroot_rw_homedirs',`
        files_list_home(chroot_user_t)
        userdom_read_user_home_content_files(chroot_user_t)
        userdom_manage_user_home_content(chroot_user_t)
', `

        userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
')

tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
    fs_manage_nfs_dirs(chroot_user_t)
    fs_manage_nfs_files(chroot_user_t)
    fs_manage_nfs_symlinks(chroot_user_t)
')

tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
    fs_manage_cifs_dirs(chroot_user_t)
    fs_manage_cifs_files(chroot_user_t)
    fs_manage_cifs_symlinks(chroot_user_t)
')

tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
    fs_manage_fusefs_dirs(chroot_user_t)
    fs_manage_fusefs_files(chroot_user_t)
    fs_manage_fusefs_symlinks(chroot_user_t)
')

tunable_policy(`use_samba_home_dirs',`
    fs_read_cifs_files(chroot_user_t)
    fs_read_cifs_symlinks(chroot_user_t)
')

userdom_home_manager(chroot_user_t)

optional_policy(`
    ssh_rw_dgram_sockets(chroot_user_t)
')
Commit	Line	Data
29af4c13	1	policy_module(ssh, 2.2.0)
0404a390 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
56e1b3d2	8	## <desc>
1e2abee1 DG	9	## <p>
	10	## allow host key based authentication
	11	## </p>
56e1b3d2	12	## </desc>
0bfccda4	13	gen_tunable(allow_ssh_keysign, false)
56e1b3d2 CP	14
56e1b3d2 CP	15	## <desc>
1e2abee1 DG	16	## <p>
	17	## Allow ssh logins as sysadm_r:sysadm_t
	18	## </p>
56e1b3d2	19	## </desc>
0bfccda4	20	gen_tunable(ssh_sysadm_login, false)
56e1b3d2	21
3eaa9939	22	## <desc>
1e2abee1 DG	23	## <p>
	24	## allow sshd to forward port connections
	25	## </p>
3eaa9939 DW	26	## </desc>
	27	gen_tunable(sshd_forward_ports, false)
	28
919775fe MG	29	## <desc>
	30	## <p>
	31	## Allow ssh with chroot env to read and write files
	32	## in the user home directories
	33	## </p>
	34	## </desc>
	35	gen_tunable(ssh_chroot_rw_homedirs, false)
	36
f5dce57b	37	attribute ssh_dyntransition_domain;
45239964	38	attribute ssh_server;
296273a7	39	attribute ssh_agent_type;
0404a390	40
4c3a6f86 MG	41	ssh_dyntransition_domain_template(chroot_user_t)
	42	ssh_dyntransition_domain_template(sshd_sandbox_t)
	43
75beb950	44	type ssh_keygen_t;
0404a390	45	type ssh_keygen_exec_t;
0bfccda4	46	init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
0404a390	47
e070dd2d	48	type sshd_exec_t;
fb63d0b5	49	corecmd_executable_file(sshd_exec_t)
c3812748	50
6b19be33	51	ssh_server_template(sshd)
0bfccda4	52	init_daemon_domain(sshd_t, sshd_exec_t)
6b19be33	53
3eaa9939 DW	54	type sshd_initrc_exec_t;
	55	init_script_file(sshd_initrc_exec_t)
	56
375c2415 CP	57	type sshd_key_t;
375c2415 CP	58	files_type(sshd_key_t)
9ccd96df	59
296273a7 CP	60	type ssh_t;
	61	type ssh_exec_t;
	62	typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
	63	typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
	64	application_domain(ssh_t, ssh_exec_t)
	65	ubac_constrained(ssh_t)
	66
	67	type ssh_agent_exec_t;
	68	corecmd_executable_file(ssh_agent_exec_t)
	69
	70	type ssh_agent_tmp_t;
	71	typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
	72	typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
	73	files_tmp_file(ssh_agent_tmp_t)
	74	ubac_constrained(ssh_agent_tmp_t)
	75
	76	type ssh_keysign_t;
	77	type ssh_keysign_exec_t;
	78	typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
	79	typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
	80	application_domain(ssh_keysign_t, ssh_keysign_exec_t)
	81	ubac_constrained(ssh_keysign_t)
	82
	83	type ssh_tmpfs_t;
	84	typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
	85	typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
	86	files_tmpfs_file(ssh_tmpfs_t)
	87	ubac_constrained(ssh_tmpfs_t)
	88
cde15072 CP	89	type ssh_home_t;
	90	typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
	91	typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
cde15072	92	userdom_user_home_content(ssh_home_t)
8ba1f41a	93	files_poly_parent(ssh_home_t)
296273a7	94
4781493e DG	95	ifdef(`enable_mcs',`
	96	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
	97	')
	98
296273a7 CP	99	##############################
	100	#
	101	# SSH client local policy
	102	#
	103
	104	allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
	105	allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	106	allow ssh_t self:fd use;
	107	allow ssh_t self:fifo_file rw_fifo_file_perms;
8f471092	108	allow ssh_t self:key read;
296273a7 CP	109	allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
	110	allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
	111	allow ssh_t self:shm create_shm_perms;
	112	allow ssh_t self:sem create_sem_perms;
	113	allow ssh_t self:msgq create_msgq_perms;
	114	allow ssh_t self:msg { send receive };
cde15072	115	allow ssh_t self:tcp_socket create_stream_socket_perms;
64607462	116	can_exec(ssh_t, ssh_exec_t)
296273a7 CP	117
	118	# Read the ssh key file.
	119	allow ssh_t sshd_key_t:file read_file_perms;
	120
296273a7 CP	121	manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
	122	manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
	123	manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
	124	manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
cde15072	125	fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
296273a7	126
edc2f7de CP	127	manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
	128	manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
	129	userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
8f471092	130	userdom_read_all_users_keys(ssh_t)
3eaa9939	131	userdom_stream_connect(ssh_t)
726d3fd9	132	userdom_search_admin_dir(sshd_t)
70be862b	133	userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
296273a7 CP	134
	135	# Allow the ssh program to communicate with ssh-agent.
	136	stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
	137
	138	allow ssh_t sshd_t:unix_stream_socket connectto;
5dd938af	139	allow ssh_t sshd_t:peer recv;
296273a7 CP	140
296273a7 CP	141	# ssh client can manage the keys and config
edc2f7de CP	142	manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
edc2f7de CP	143	read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
296273a7 CP	144
296273a7 CP	145	# ssh servers can read the user keys and config
3eaa9939 DW	146	manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
	147	manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
	148	userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
	149	userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
296273a7 CP	150
296273a7 CP	151	kernel_read_kernel_sysctls(ssh_t)
cde15072	152	kernel_read_system_state(ssh_t)
296273a7 CP	153
	154	corenet_all_recvfrom_unlabeled(ssh_t)
	155	corenet_all_recvfrom_netlabel(ssh_t)
668b3093	156	corenet_tcp_sendrecv_generic_if(ssh_t)
c1262146	157	corenet_tcp_sendrecv_generic_node(ssh_t)
296273a7 CP	158	corenet_tcp_sendrecv_all_ports(ssh_t)
	159	corenet_tcp_connect_ssh_port(ssh_t)
	160	corenet_sendrecv_ssh_client_packets(ssh_t)
3eaa9939 DW	161	corenet_tcp_bind_generic_node(ssh_t)
3eaa9939 DW	162	corenet_tcp_bind_all_unreserved_ports(ssh_t)
2e52e8cf	163	corenet_rw_tun_tap_dev(ssh_t)
296273a7	164
8fd700fe	165	dev_read_rand(ssh_t)
296273a7 CP	166	dev_read_urand(ssh_t)
	167
	168	fs_getattr_all_fs(ssh_t)
	169	fs_search_auto_mountpoints(ssh_t)
	170
	171	# run helper programs - needed eg for x11-ssh-askpass
	172	corecmd_exec_shell(ssh_t)
	173	corecmd_exec_bin(ssh_t)
	174
	175	domain_use_interactive_fds(ssh_t)
	176
	177	files_list_home(ssh_t)
	178	files_read_usr_files(ssh_t)
	179	files_read_etc_runtime_files(ssh_t)
	180	files_read_etc_files(ssh_t)
	181	files_read_var_files(ssh_t)
	182
	183	logging_send_syslog_msg(ssh_t)
	184	logging_read_generic_logs(ssh_t)
	185
cde15072 CP	186	auth_use_nsswitch(ssh_t)
cde15072 CP	187
296273a7	188	miscfiles_read_localization(ssh_t)
442a14fe	189	miscfiles_read_generic_certs(ssh_t)
296273a7 CP	190
	191	seutil_read_config(ssh_t)
	192
296273a7 CP	193	userdom_dontaudit_list_user_home_dirs(ssh_t)
296273a7 CP	194	userdom_search_user_home_dirs(ssh_t)
bebaa6a2	195	userdom_search_admin_dir(ssh_t)
296273a7	196	# Write to the user domain tty.
af2d8802	197	userdom_use_inherited_user_terminals(ssh_t)
3eaa9939	198	# needs to read krb/write tgt
296273a7	199	userdom_read_user_tmp_files(ssh_t)
3eaa9939 DW	200	userdom_write_user_tmp_files(ssh_t)
3eaa9939 DW	201	userdom_read_user_home_content_symlinks(ssh_t)
ded9692e	202	userdom_read_home_certs(ssh_t)
ed2ac112	203	userdom_home_manager(ssh_t)
296273a7 CP	204
296273a7 CP	205	tunable_policy(`allow_ssh_keysign',`
3c4ffa32	206	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
296273a7 CP	207	')
296273a7 CP	208
296273a7 CP	209	# for port forwarding
	210	tunable_policy(`user_tcp_server',`
	211	corenet_tcp_bind_ssh_port(ssh_t)
cde15072	212	corenet_tcp_bind_generic_node(ssh_t)
296273a7 CP	213	')
	214
	215	optional_policy(`
	216	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
	217	xserver_domtrans_xauth(ssh_t)
	218	')
	219
3eaa9939	220
296273a7 CP	221	##############################
	222	#
	223	# ssh_keysign_t local policy
	224	#
	225
	226	tunable_policy(`allow_ssh_keysign',`
	227	allow ssh_keysign_t self:capability { setgid setuid };
	228	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
	229
7d1f5642	230	allow ssh_keysign_t sshd_key_t:file read_file_perms;
296273a7	231
8fd700fe	232	dev_read_rand(ssh_keysign_t)
296273a7 CP	233	dev_read_urand(ssh_keysign_t)
	234
	235	files_read_etc_files(ssh_keysign_t)
	236	')
	237
0404a390 CP	238	#################################
	239	#
	240	# sshd local policy
	241	#
	242	# sshd_t is the domain for the sshd program.
	243	#
	244
6b19be33 CP	245	# so a tunnel can point to another ssh tunnel
	246	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
	247	allow sshd_t self:key { search link write };
3eaa9939	248	allow sshd_t self:process setcurrent;
44d5d93f	249
6b19be33 CP	250	kernel_search_key(sshd_t)
	251	kernel_link_key(sshd_t)
	252
c3c753f7 CP	253	term_use_all_ptys(sshd_t)
c3c753f7 CP	254	term_setattr_all_ptys(sshd_t)
3eaa9939	255	term_setattr_all_ttys(sshd_t)
c3c753f7	256	term_relabelto_all_ptys(sshd_t)
3eaa9939	257	term_use_ptmx(sshd_t)
296273a7	258
6b19be33 CP	259	# for X forwarding
	260	corenet_tcp_bind_xserver_port(sshd_t)
	261	corenet_sendrecv_xserver_server_packets(sshd_t)
	262
3eaa9939 DW	263	userdom_read_user_home_content_files(sshd_t)
3eaa9939 DW	264	userdom_read_user_home_content_symlinks(sshd_t)
3eaa9939	265	userdom_manage_tmp_role(system_r, sshd_t)
4781493e DG	266	userdom_spec_domtrans_unpriv_users(sshd_t)
4781493e DG	267	userdom_signal_unpriv_users(sshd_t)
919775fe	268	userdom_dyntransition_unpriv_users(sshd_t)
4781493e DG	269
	270	tunable_policy(`sshd_forward_ports',`
	271	corenet_tcp_bind_all_unreserved_ports(sshd_t)
	272	corenet_tcp_connect_all_ports(sshd_t)
	273	')
3eaa9939	274
6b19be33 CP	275	tunable_policy(`ssh_sysadm_login',`
	276	# Relabel and access ptys created by sshd
	277	# ioctl is necessary for logout() processing for utmp entry and for w to
	278	# display the tty.
	279	# some versions of sshd on the new SE Linux require setattr
6b19be33	280	userdom_signal_all_users(sshd_t)
f39ff1fa	281	userdom_spec_domtrans_all_users(sshd_t)
6b19be33 CP	282	')
6b19be33 CP	283
57ce3836	284	optional_policy(`
5a1cc7f0	285	amanda_search_var_lib(sshd_t)
57ce3836 DW	286	')
57ce3836 DW	287
cde15072	288	optional_policy(`
088b65e5	289	daemontools_service_domain(sshd_t, sshd_exec_t)
cde15072 CP	290	')
cde15072 CP	291
3eaa9939 DW	292	optional_policy(`
	293	kerberos_keytab_template(sshd, sshd_t)
	294	')
	295
	296	optional_policy(`
	297	ftp_dyntrans_sftpd(sshd_t)
	298	ftp_dyntrans_anon_sftpd(sshd_t)
	299	')
	300
6b19be33	301	optional_policy(`
088b65e5	302	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
6b19be33 CP	303	')
	304
	305	optional_policy(`
3eaa9939	306	nx_read_home_files(sshd_t)
6b19be33 CP	307	')
	308
	309	optional_policy(`
	310	rpm_use_script_fds(sshd_t)
	311	')
	312
	313	optional_policy(`
296273a7	314	rssh_spec_domtrans(sshd_t)
6b19be33	315	# For reading /home/user/.ssh
296273a7	316	rssh_read_ro_content(sshd_t)
6b19be33 CP	317	')
6b19be33 CP	318
151056b0 MG	319	optional_policy(`
	320	systemd_exec_systemctl(sshd_t)
	321	')
	322
3eaa9939 DW	323	optional_policy(`
	324	usermanage_domtrans_passwd(sshd_t)
	325	usermanage_read_crack_db(sshd_t)
	326	')
	327
350b6ab7	328	optional_policy(`
350b6ab7 CP	329	unconfined_shell_domtrans(sshd_t)
	330	')
	331
088b65e5 CP	332	optional_policy(`
	333	xserver_domtrans_xauth(sshd_t)
	334	')
	335
6b19be33	336	ifdef(`TODO',`
1e2abee1 DG	337	tunable_policy(`ssh_sysadm_login',`
	338	# Relabel and access ptys created by sshd
	339	# ioctl is necessary for logout() processing for utmp entry and for w to
	340	# display the tty.
	341	# some versions of sshd on the new SE Linux require setattr
	342	allow sshd_t ptyfile:chr_file relabelto;
	343
	344	optional_policy(`
	345	domain_trans(sshd_t, xauth_exec_t, userdomain)
	346	')
	347	',`
	348	optional_policy(`
	349	domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
	350	')
	351	# Relabel and access ptys created by sshd
	352	# ioctl is necessary for logout() processing for utmp entry and for w to
	353	# display the tty.
	354	# some versions of sshd on the new SE Linux require setattr
7d1f5642	355	allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
5540e76a	356	')
6b19be33	357	') dnl endif TODO
0404a390	358
0404a390 CP	359	########################################
	360	#
	361	# ssh_keygen local policy
	362	#
	363
75beb950 CP	364	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
75beb950 CP	365	# and by sysadm_t
0404a390	366
3e23c54b	367	allow ssh_keygen_t self:capability dac_override;
75beb950 CP	368	dontaudit ssh_keygen_t self:capability sys_tty_config;
75beb950 CP	369	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
75beb950	370	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
0404a390	371
c0868a7a	372	allow ssh_keygen_t sshd_key_t:file manage_file_perms;
0bfccda4	373	files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
0404a390	374
58c3d0e9 MG	375	manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
	376	manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
	377	userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
092a35ee	378	userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
58c3d0e9	379
c1a9a532	380	kernel_read_system_state(ssh_keygen_t)
75beb950	381	kernel_read_kernel_sysctls(ssh_keygen_t)
0404a390	382
75beb950	383	fs_search_auto_mountpoints(ssh_keygen_t)
ab940a4c	384
75beb950	385	dev_read_sysfs(ssh_keygen_t)
b76a6a16	386	dev_read_rand(ssh_keygen_t)
75beb950	387	dev_read_urand(ssh_keygen_t)
0404a390	388
75beb950	389	term_dontaudit_use_console(ssh_keygen_t)
0404a390	390
75beb950	391	domain_use_interactive_fds(ssh_keygen_t)
0404a390	392
75beb950	393	files_read_etc_files(ssh_keygen_t)
0404a390	394
75beb950 CP	395	init_use_fds(ssh_keygen_t)
75beb950 CP	396	init_use_script_ptys(ssh_keygen_t)
0404a390	397
cde15072 CP	398	auth_use_nsswitch(ssh_keygen_t)
cde15072 CP	399
75beb950	400	logging_send_syslog_msg(ssh_keygen_t)
0404a390	401
75beb950	402	userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
0b0d648a	403	userdom_use_user_terminals(ssh_keygen_t)
0404a390	404
75beb950 CP	405	optional_policy(`
	406	seutil_sigchld_newrole(ssh_keygen_t)
	407	')
	408
	409	optional_policy(`
	410	udev_read_db(ssh_keygen_t)
c0d1566a	411	')
919775fe	412
4c3a6f86 MG	413	####################################
	414	#
	415	# ssh_dyntransition domain local policy
	416	#
	417
	418	allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
	419
	420	allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
	421
	422	optional_policy(`
	423	ssh_rw_stream_sockets(ssh_dyntransition_domain)
	424	ssh_rw_tcp_sockets(ssh_dyntransition_domain)
	425	')
	426
	427	#####################################
	428	#
	429	# ssh_sandbox local policy
	430	#
	431
	432	allow sshd_t sshd_sandbox_t:process signal;
	433
	434	init_ioctl_stream_sockets(sshd_sandbox_t)
	435
	436	logging_send_audit_msgs(sshd_sandbox_t)
	437
919775fe MG	438	######################################
	439	#
	440	# chroot_user_t local policy
	441	#
	442
919775fe MG	443
	444	userdom_read_user_home_content_files(chroot_user_t)
	445	userdom_read_inherited_user_home_content_files(chroot_user_t)
	446	userdom_read_user_home_content_symlinks(chroot_user_t)
	447	userdom_exec_user_home_content_files(chroot_user_t)
	448
	449	tunable_policy(`ssh_chroot_rw_homedirs',`
	450	files_list_home(chroot_user_t)
	451	userdom_read_user_home_content_files(chroot_user_t)
	452	userdom_manage_user_home_content(chroot_user_t)
	453	', `
	454
	455	userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
	456	')
	457
	458	tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
	459	fs_manage_nfs_dirs(chroot_user_t)
	460	fs_manage_nfs_files(chroot_user_t)
	461	fs_manage_nfs_symlinks(chroot_user_t)
	462	')
	463
	464	tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
	465	fs_manage_cifs_dirs(chroot_user_t)
	466	fs_manage_cifs_files(chroot_user_t)
	467	fs_manage_cifs_symlinks(chroot_user_t)
	468	')
	469
8b6c8e05	470	tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
fbf13449	471	fs_manage_fusefs_dirs(chroot_user_t)
8b6c8e05	472	fs_manage_fusefs_files(chroot_user_t)
fbf13449	473	fs_manage_fusefs_symlinks(chroot_user_t)
8b6c8e05 MG	474	')
8b6c8e05 MG	475
919775fe MG	476	tunable_policy(`use_samba_home_dirs',`
	477	fs_read_cifs_files(chroot_user_t)
	478	fs_read_cifs_symlinks(chroot_user_t)
	479	')
	480
ed2ac112	481	userdom_home_manager(chroot_user_t)
8b6c8e05	482
919775fe	483	optional_policy(`
919775fe MG	484	ssh_rw_dgram_sockets(chroot_user_t)
919775fe MG	485	')