[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / ssh.te


policy_module(ssh,1.0)

########################################
#
# Declarations
#

attribute ssh_server;

# Type for the ssh-agent executable.
type ssh_agent_exec_t;
files_file_type(ssh_agent_exec_t)

# ssh client executable.
type ssh_exec_t;
files_file_type(ssh_exec_t)

type ssh_keygen_t;
type ssh_keygen_exec_t;
init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
role system_r types ssh_keygen_t;

sshd_program_domain(sshd)

type sshd_exec_t;
files_file_type(sshd_exec_t)

sshd_program_domain(sshd_extern)

type sshd_key_t;
files_file_type(sshd_key_t)

type sshd_tmp_t;
files_tmp_file(sshd_tmp_t)

#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#

# so a tunnel can point to another ssh tunnel
allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };

allow sshd_t sshd_tmp_t:dir create_dir_perms;
allow sshd_t sshd_tmp_t:file create_file_perms;
allow sshd_t sshd_tmp_t:sock_file create_file_perms;
files_create_tmp_files(sshd_t, sshd_tmp_t, { dir file sock_file })

# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)

auth_exec_pam(sshd_t)

seutil_read_config(sshd_t)

# Allow checking users mail at login
mta_getattr_spool(sshd_t)

optional_policy(`inetd.te',`
	tunable_policy(`run_ssh_inetd',`
		inetd_service_domain(sshd_t,sshd_exec_t)
	',`
		init_daemon_domain(sshd_t,sshd_exec_t)
	')
',`
	# These rules should match the else block
	# of the run_ssh_inetd tunable directly above
	init_daemon_domain(sshd_t,sshd_exec_t)
')

ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
	userdom_spec_domtrans_all_users(sshd_t)
	userdom_signal_all_users(sshd_t)

	optional_policy(`xauth.te',`
		domain_trans(sshd_t, xauth_exec_t, userdomain)
	')
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr };
	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
',`
	userdom_spec_domtrans_unpriv_users(sshd_t)
	userdom_signal_unpriv_users(sshd_t)

	optional_policy(`xauth.te',`
		domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
	')
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
')

# this goes to inetd
tunable_policy(`run_ssh_inetd',`
	corenet_tcp_bind_ssh_port(inetd_t)
')

# for when the network connection breaks after running newrole -r sysadm_r
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;

optional_policy(`rpm.te',`
allow sshd_t rpm_script_t:fd use;
')
') dnl endif TODO

#################################
#
# sshd_extern local policy
#
# sshd_extern_t is the domain for ssh from outside our network
#

ifdef(`TODO',`
domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
# Signal the user domains.
allow sshd_extern_t user_mini_domain:process signal;

ifdef(`xauth.te', `
domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
')

# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };

# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;

optional_policy(`inetd.te',`
	tunable_policy(`run_ssh_inetd',`
		domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
	',`
		domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
	')
',`
	# These rules should match the else block
	# of the run_ssh_inetd tunable directly above
	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
')

ifdef(`direct_sysadm_daemon', `
# Direct execution by sysadm_r.
domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
role_transition sysadm_r sshd_exec_t system_r;
')

# so a tunnel can point to another ssh tunnel...
allow sshd_t kernel_t:tcp_socket recvfrom;
allow sshd_t kernel_t:tcp_socket recvfrom;

# for port forwarding
allow userdomain sshd_t:tcp_socket { connectto recvfrom };
allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
allow userdomain kernel_t:tcp_socket recvfrom;
allow sshd_t kernel_t:tcp_socket recvfrom;
') dnl endif TODO

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t

dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };

allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

allow ssh_keygen_t sshd_key_t:file create_file_perms;
files_create_etc_config(ssh_keygen_t,sshd_key_t,file)

kernel_read_kernel_sysctl(ssh_keygen_t)

fs_search_auto_mountpoints(ssh_keygen_t)

dev_read_sysfs(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

domain_use_wide_inherit_fd(ssh_keygen_t)

files_read_generic_etc_files(ssh_keygen_t)

init_use_fd(ssh_keygen_t)
init_use_script_pty(ssh_keygen_t)

libs_use_ld_so(ssh_keygen_t)
libs_use_shared_libs(ssh_keygen_t)

logging_send_syslog_msg(ssh_keygen_t)

allow ssh_keygen_t proc_t:dir r_dir_perms;
allow ssh_keygen_t proc_t:lnk_file read;

userdom_use_sysadm_tty(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)

ifdef(`direct_sysadm_daemon',`
	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
')

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_tty(ssh_keygen_t)
	term_dontaudit_use_generic_pty(ssh_keygen_t)
	files_dontaudit_read_root_file(ssh_keygen_t)
')

optional_policy(`rhgb.te', `
	rhgb_domain(ssh_keygen_t)
')

optional_policy(`selinux.te',`
	seutil_newrole_sigchld(ssh_keygen_t)
')

optional_policy(`udev.te', `
	udev_read_db(ssh_keygen_t)
')
Commit	Line	Data
0404a390 CP	1
	2	policy_module(ssh,1.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
45239964	9	attribute ssh_server;
0404a390 CP	10
	11	# Type for the ssh-agent executable.
	12	type ssh_agent_exec_t;
	13	files_file_type(ssh_agent_exec_t)
	14
	15	# ssh client executable.
	16	type ssh_exec_t;
	17	files_file_type(ssh_exec_t)
	18
	19	type ssh_keygen_t;
	20	type ssh_keygen_exec_t;
	21	init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
	22	role system_r types ssh_keygen_t;
	23
9ccd96df CP	24	sshd_program_domain(sshd)
9ccd96df CP	25
0404a390 CP	26	type sshd_exec_t;
	27	files_file_type(sshd_exec_t)
	28
9ccd96df CP	29	sshd_program_domain(sshd_extern)
9ccd96df CP	30
0404a390 CP	31	type sshd_key_t;
	32	files_file_type(sshd_key_t)
	33
	34	type sshd_tmp_t;
	35	files_tmp_file(sshd_tmp_t)
	36
	37	#################################
	38	#
	39	# sshd local policy
	40	#
	41	# sshd_t is the domain for the sshd program.
	42	#
	43
9ccd96df CP	44	# so a tunnel can point to another ssh tunnel
9ccd96df CP	45	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
0404a390 CP	46
	47	allow sshd_t sshd_tmp_t:dir create_dir_perms;
	48	allow sshd_t sshd_tmp_t:file create_file_perms;
	49	allow sshd_t sshd_tmp_t:sock_file create_file_perms;
	50	files_create_tmp_files(sshd_t, sshd_tmp_t, { dir file sock_file })
	51
	52	# for X forwarding
	53	corenet_tcp_bind_xserver_port(sshd_t)
	54
	55	auth_exec_pam(sshd_t)
	56
	57	seutil_read_config(sshd_t)
	58
9ccd96df CP	59	# Allow checking users mail at login
	60	mta_getattr_spool(sshd_t)
	61
	62	optional_policy(`inetd.te',`
	63	tunable_policy(`run_ssh_inetd',`
	64	inetd_service_domain(sshd_t,sshd_exec_t)
	65	',`
	66	init_daemon_domain(sshd_t,sshd_exec_t)
	67	')
	68	',`
	69	# These rules should match the else block
	70	# of the run_ssh_inetd tunable directly above
	71	init_daemon_domain(sshd_t,sshd_exec_t)
	72	')
	73
0404a390	74	ifdef(`TODO',`
9ccd96df	75	tunable_policy(`ssh_sysadm_login',`
0404a390 CP	76	userdom_spec_domtrans_all_users(sshd_t)
	77	userdom_signal_all_users(sshd_t)
	78
9ccd96df	79	optional_policy(`xauth.te',`
0404a390 CP	80	domain_trans(sshd_t, xauth_exec_t, userdomain)
	81	')
	82	# Relabel and access ptys created by sshd
	83	# ioctl is necessary for logout() processing for utmp entry and for w to
	84	# display the tty.
	85	# some versions of sshd on the new SE Linux require setattr
	86	allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr };
	87	# inheriting stream sockets is needed for "ssh host command" as no pty
	88	# is allocated
	89	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
9ccd96df	90	',`
0404a390 CP	91	userdom_spec_domtrans_unpriv_users(sshd_t)
	92	userdom_signal_unpriv_users(sshd_t)
	93
9ccd96df	94	optional_policy(`xauth.te',`
0404a390 CP	95	domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
	96	')
	97	# Relabel and access ptys created by sshd
	98	# ioctl is necessary for logout() processing for utmp entry and for w to
	99	# display the tty.
	100	# some versions of sshd on the new SE Linux require setattr
	101	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
	102	# inheriting stream sockets is needed for "ssh host command" as no pty
	103	# is allocated
	104	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
9ccd96df CP	105	')
	106
	107	# this goes to inetd
	108	tunable_policy(`run_ssh_inetd',`
	109	corenet_tcp_bind_ssh_port(inetd_t)
	110	')
0404a390 CP	111
	112	# for when the network connection breaks after running newrole -r sysadm_r
	113	dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
	114
ab940a4c CP	115	optional_policy(`rpm.te',`
	116	allow sshd_t rpm_script_t:fd use;
	117	')
0404a390 CP	118	') dnl endif TODO
	119
	120	#################################
	121	#
	122	# sshd_extern local policy
	123	#
	124	# sshd_extern_t is the domain for ssh from outside our network
	125	#
0404a390	126
9ccd96df	127	ifdef(`TODO',`
0404a390 CP	128	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
	129	# Signal the user domains.
	130	allow sshd_extern_t user_mini_domain:process signal;
	131
	132	ifdef(`xauth.te', `
	133	domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
	134	')
	135
	136	# Relabel and access ptys created by sshd
	137	# ioctl is necessary for logout() processing for utmp entry and for w to
	138	# display the tty.
	139	# some versions of sshd on the new SE Linux require setattr
	140	allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
	141
	142	# inheriting stream sockets is needed for "ssh host command" as no pty
	143	# is allocated
	144	allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
	145
	146	optional_policy(`inetd.te',`
9ccd96df	147	tunable_policy(`run_ssh_inetd',`
0404a390	148	domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
9ccd96df	149	',`
0404a390	150	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
9ccd96df	151	')
0404a390 CP	152	',`
0404a390 CP	153	# These rules should match the else block
9ccd96df	154	# of the run_ssh_inetd tunable directly above
0404a390	155	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
0404a390 CP	156	')
	157
	158	ifdef(`direct_sysadm_daemon', `
	159	# Direct execution by sysadm_r.
	160	domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
	161	role_transition sysadm_r sshd_exec_t system_r;
	162	')
	163
	164	# so a tunnel can point to another ssh tunnel...
0404a390 CP	165	allow sshd_t kernel_t:tcp_socket recvfrom;
	166	allow sshd_t kernel_t:tcp_socket recvfrom;
	167
	168	# for port forwarding
	169	allow userdomain sshd_t:tcp_socket { connectto recvfrom };
	170	allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
	171	allow userdomain kernel_t:tcp_socket recvfrom;
	172	allow sshd_t kernel_t:tcp_socket recvfrom;
	173	') dnl endif TODO
	174
	175	########################################
	176	#
	177	# ssh_keygen local policy
	178	#
	179
	180	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
	181	# and by sysadm_t
	182
	183	dontaudit ssh_keygen_t self:capability sys_tty_config;
	184	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
	185
	186	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
	187
	188	allow ssh_keygen_t sshd_key_t:file create_file_perms;
	189	files_create_etc_config(ssh_keygen_t,sshd_key_t,file)
	190
	191	kernel_read_kernel_sysctl(ssh_keygen_t)
	192
ab940a4c CP	193	fs_search_auto_mountpoints(ssh_keygen_t)
ab940a4c CP	194
0404a390 CP	195	dev_read_sysfs(ssh_keygen_t)
	196	dev_read_urand(ssh_keygen_t)
	197
	198	term_dontaudit_use_console(ssh_keygen_t)
	199
	200	domain_use_wide_inherit_fd(ssh_keygen_t)
	201
	202	files_read_generic_etc_files(ssh_keygen_t)
	203
	204	init_use_fd(ssh_keygen_t)
	205	init_use_script_pty(ssh_keygen_t)
	206
	207	libs_use_ld_so(ssh_keygen_t)
	208	libs_use_shared_libs(ssh_keygen_t)
	209
	210	logging_send_syslog_msg(ssh_keygen_t)
	211
	212	allow ssh_keygen_t proc_t:dir r_dir_perms;
	213	allow ssh_keygen_t proc_t:lnk_file read;
	214
	215	userdom_use_sysadm_tty(ssh_keygen_t)
	216	userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)
	217
	218	ifdef(`direct_sysadm_daemon',`
	219	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
	220	')
	221
	222	ifdef(`targeted_policy', `
	223	term_dontaudit_use_unallocated_tty(ssh_keygen_t)
	224	term_dontaudit_use_generic_pty(ssh_keygen_t)
	225	files_dontaudit_read_root_file(ssh_keygen_t)
	226	')
	227
	228	optional_policy(`rhgb.te', `
	229	rhgb_domain(ssh_keygen_t)
	230	')
	231
	232	optional_policy(`selinux.te',`
	233	seutil_newrole_sigchld(ssh_keygen_t)
	234	')
	235
	236	optional_policy(`udev.te', `
	237	udev_read_db(ssh_keygen_t)
	238	')