[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / ssh.te


policy_module(ssh,1.0)

########################################
#
# Declarations
#

# Allow ssh logins as sysadm_r:sysadm_t
bool ssh_sysadm_login false;

# Allow ssh to run from inetd instead of as a daemon.
bool run_ssh_inetd false;

# Type for the ssh-agent executable.
type ssh_agent_exec_t;
files_file_type(ssh_agent_exec_t)

# ssh client executable.
type ssh_exec_t;
files_file_type(ssh_exec_t)

type ssh_keygen_t;
type ssh_keygen_exec_t;
init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
role system_r types ssh_keygen_t;

# ssh server executable
type sshd_exec_t;
files_file_type(sshd_exec_t)

type sshd_key_t;
files_file_type(sshd_key_t)

type sshd_tmp_t;
files_tmp_file(sshd_tmp_t)

#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#

sshd_program_domain(sshd)

allow sshd_t sshd_tmp_t:dir create_dir_perms;
allow sshd_t sshd_tmp_t:file create_file_perms;
allow sshd_t sshd_tmp_t:sock_file create_file_perms;
files_create_tmp_files(sshd_t, sshd_tmp_t, { dir file sock_file })

# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)

auth_exec_pam(sshd_t)

seutil_read_config(sshd_t)

ifdef(`TODO',`
if (ssh_sysadm_login) {
	userdom_spec_domtrans_all_users(sshd_t)
	userdom_signal_all_users(sshd_t)

	ifdef(`xauth.te',`
		domain_trans(sshd_t, xauth_exec_t, userdomain)
	')
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr };
	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
} else {
	userdom_spec_domtrans_unpriv_users(sshd_t)
	userdom_signal_unpriv_users(sshd_t)

	ifdef(`xauth.te',`
		domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
	')
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
}

# for when the network connection breaks after running newrole -r sysadm_r
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;

# Allow checking users mail at login
allow sshd_t { var_spool_t mail_spool_t }:dir search;
allow sshd_t mail_spool_t:lnk_file read;
allow sshd_t mail_spool_t:file getattr;
') dnl endif TODO

#################################
#
# sshd_extern local policy
#
# sshd_extern_t is the domain for ssh from outside our network
#
ifdef(`TODO',`
sshd_program_domain(sshd_extern)

domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
# Signal the user domains.
allow sshd_extern_t user_mini_domain:process signal;

ifdef(`xauth.te', `
domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
')

# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };

# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;

optional_policy(`inetd.te',`
	if (run_ssh_inetd) {
		allow inetd_t ssh_port_t:tcp_socket name_bind;
		domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
		domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
	} else {
		domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
		domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
		dontaudit initrc_t sshd_key_t:file { getattr read };
	}
',`
	# These rules should match the else block
	# of the run_ssh_inetd conditional directly above
	domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
	dontaudit initrc_t sshd_key_t:file { getattr read };
')

ifdef(`direct_sysadm_daemon', `
# Direct execution by sysadm_r.
domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
role_transition sysadm_r sshd_exec_t system_r;
')

# so a tunnel can point to another ssh tunnel...
allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
allow sshd_t kernel_t:tcp_socket recvfrom;
allow sshd_t kernel_t:tcp_socket recvfrom;

# for port forwarding
allow userdomain sshd_t:tcp_socket { connectto recvfrom };
allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
allow userdomain kernel_t:tcp_socket recvfrom;
allow sshd_t kernel_t:tcp_socket recvfrom;
') dnl endif TODO

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t

dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };

allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

allow ssh_keygen_t sshd_key_t:file create_file_perms;
files_create_etc_config(ssh_keygen_t,sshd_key_t,file)

kernel_read_kernel_sysctl(ssh_keygen_t)

dev_read_sysfs(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

domain_use_wide_inherit_fd(ssh_keygen_t)

files_read_generic_etc_files(ssh_keygen_t)

init_use_fd(ssh_keygen_t)
init_use_script_pty(ssh_keygen_t)

libs_use_ld_so(ssh_keygen_t)
libs_use_shared_libs(ssh_keygen_t)

logging_send_syslog_msg(ssh_keygen_t)

allow ssh_keygen_t proc_t:dir r_dir_perms;
allow ssh_keygen_t proc_t:lnk_file read;

userdom_use_sysadm_tty(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)

ifdef(`direct_sysadm_daemon',`
	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
')

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_tty(ssh_keygen_t)
	term_dontaudit_use_generic_pty(ssh_keygen_t)
	files_dontaudit_read_root_file(ssh_keygen_t)
')

optional_policy(`rhgb.te', `
	rhgb_domain(ssh_keygen_t)
')

optional_policy(`selinux.te',`
	seutil_newrole_sigchld(ssh_keygen_t)
')

optional_policy(`udev.te', `
	udev_read_db(ssh_keygen_t)
')

ifdef(`TODO',`
allow ssh_keygen_t autofs_t:dir { search getattr };
')
Commit	Line	Data
0404a390 CP	1
	2	policy_module(ssh,1.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	# Allow ssh logins as sysadm_r:sysadm_t
	10	bool ssh_sysadm_login false;
	11
	12	# Allow ssh to run from inetd instead of as a daemon.
	13	bool run_ssh_inetd false;
	14
	15	# Type for the ssh-agent executable.
	16	type ssh_agent_exec_t;
	17	files_file_type(ssh_agent_exec_t)
	18
	19	# ssh client executable.
	20	type ssh_exec_t;
	21	files_file_type(ssh_exec_t)
	22
	23	type ssh_keygen_t;
	24	type ssh_keygen_exec_t;
	25	init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
	26	role system_r types ssh_keygen_t;
	27
	28	# ssh server executable
	29	type sshd_exec_t;
	30	files_file_type(sshd_exec_t)
	31
	32	type sshd_key_t;
	33	files_file_type(sshd_key_t)
	34
	35	type sshd_tmp_t;
	36	files_tmp_file(sshd_tmp_t)
	37
	38	#################################
	39	#
	40	# sshd local policy
	41	#
	42	# sshd_t is the domain for the sshd program.
	43	#
	44
	45	sshd_program_domain(sshd)
	46
	47	allow sshd_t sshd_tmp_t:dir create_dir_perms;
	48	allow sshd_t sshd_tmp_t:file create_file_perms;
	49	allow sshd_t sshd_tmp_t:sock_file create_file_perms;
	50	files_create_tmp_files(sshd_t, sshd_tmp_t, { dir file sock_file })
	51
	52	# for X forwarding
	53	corenet_tcp_bind_xserver_port(sshd_t)
	54
	55	auth_exec_pam(sshd_t)
	56
	57	seutil_read_config(sshd_t)
	58
	59	ifdef(`TODO',`
	60	if (ssh_sysadm_login) {
	61	userdom_spec_domtrans_all_users(sshd_t)
	62	userdom_signal_all_users(sshd_t)
	63
	64	ifdef(`xauth.te',`
65	domain_trans(sshd_t, xauth_exec_t, userdomain)
66	')
67	# Relabel and access ptys created by sshd
68	# ioctl is necessary for logout() processing for utmp entry and for w to
69	# display the tty.
70	# some versions of sshd on the new SE Linux require setattr
71	allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr };
72	# inheriting stream sockets is needed for "ssh host command" as no pty
73	# is allocated
74	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
75	} else {
76	userdom_spec_domtrans_unpriv_users(sshd_t)
77	userdom_signal_unpriv_users(sshd_t)
78
79	ifdef(`xauth.te',`
80	domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
81	')
82	# Relabel and access ptys created by sshd
83	# ioctl is necessary for logout() processing for utmp entry and for w to
84	# display the tty.
85	# some versions of sshd on the new SE Linux require setattr
86	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
87	# inheriting stream sockets is needed for "ssh host command" as no pty
88	# is allocated
89	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
90	}
91
92	# for when the network connection breaks after running newrole -r sysadm_r
93	dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
94
95	# Allow checking users mail at login
96	allow sshd_t { var_spool_t mail_spool_t }:dir search;
97	allow sshd_t mail_spool_t:lnk_file read;
98	allow sshd_t mail_spool_t:file getattr;
99	') dnl endif TODO
100
101	#################################
102	#
103	# sshd_extern local policy
104	#
105	# sshd_extern_t is the domain for ssh from outside our network
106	#
107	ifdef(`TODO',`
108	sshd_program_domain(sshd_extern)
109
110	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
111	# Signal the user domains.
112	allow sshd_extern_t user_mini_domain:process signal;
113
114	ifdef(`xauth.te', `
115	domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
116	')
117
118	# Relabel and access ptys created by sshd
119	# ioctl is necessary for logout() processing for utmp entry and for w to
120	# display the tty.
121	# some versions of sshd on the new SE Linux require setattr
122	allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
123
124	# inheriting stream sockets is needed for "ssh host command" as no pty
125	# is allocated
126	allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
127
128	optional_policy(`inetd.te',`
129	if (run_ssh_inetd) {
130	allow inetd_t ssh_port_t:tcp_socket name_bind;
131	domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
132	domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
133	} else {
134	domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
135	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
136	dontaudit initrc_t sshd_key_t:file { getattr read };
137	}
138	',`
139	# These rules should match the else block
140	# of the run_ssh_inetd conditional directly above
141	domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
142	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
143	dontaudit initrc_t sshd_key_t:file { getattr read };
144	')
145
146	ifdef(`direct_sysadm_daemon', `
147	# Direct execution by sysadm_r.
148	domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
149	role_transition sysadm_r sshd_exec_t system_r;
150	')
151
152	# so a tunnel can point to another ssh tunnel...
153	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
154	allow sshd_t kernel_t:tcp_socket recvfrom;
155	allow sshd_t kernel_t:tcp_socket recvfrom;
156
157	# for port forwarding
158	allow userdomain sshd_t:tcp_socket { connectto recvfrom };
159	allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
160	allow userdomain kernel_t:tcp_socket recvfrom;
161	allow sshd_t kernel_t:tcp_socket recvfrom;
162	') dnl endif TODO
163
164	########################################
165	#
166	# ssh_keygen local policy
167	#
168
169	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
170	# and by sysadm_t
171
172	dontaudit ssh_keygen_t self:capability sys_tty_config;
173	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
174
175	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
176
177	allow ssh_keygen_t sshd_key_t:file create_file_perms;
178	files_create_etc_config(ssh_keygen_t,sshd_key_t,file)
179
180	kernel_read_kernel_sysctl(ssh_keygen_t)
181
182	dev_read_sysfs(ssh_keygen_t)
183	dev_read_urand(ssh_keygen_t)
184
185	term_dontaudit_use_console(ssh_keygen_t)
186
187	domain_use_wide_inherit_fd(ssh_keygen_t)
188
189	files_read_generic_etc_files(ssh_keygen_t)
190
191	init_use_fd(ssh_keygen_t)
192	init_use_script_pty(ssh_keygen_t)
193
194	libs_use_ld_so(ssh_keygen_t)
195	libs_use_shared_libs(ssh_keygen_t)
196
197	logging_send_syslog_msg(ssh_keygen_t)
198
199	allow ssh_keygen_t proc_t:dir r_dir_perms;
200	allow ssh_keygen_t proc_t:lnk_file read;
201
202	userdom_use_sysadm_tty(ssh_keygen_t)
203	userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)
204
205	ifdef(`direct_sysadm_daemon',`
206	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
207	')
208
209	ifdef(`targeted_policy', `
210	term_dontaudit_use_unallocated_tty(ssh_keygen_t)
211	term_dontaudit_use_generic_pty(ssh_keygen_t)
212	files_dontaudit_read_root_file(ssh_keygen_t)
213	')
214
215	optional_policy(`rhgb.te', `
216	rhgb_domain(ssh_keygen_t)
217	')
218
219	optional_policy(`selinux.te',`
220	seutil_newrole_sigchld(ssh_keygen_t)
221	')
222
223	optional_policy(`udev.te', `
224	udev_read_db(ssh_keygen_t)
225	')
226
227	ifdef(`TODO',`
228	allow ssh_keygen_t autofs_t:dir { search getattr };
229	')