clean up most of the remaining ssh TODO
[people/stevee/selinux-policy.git] / policy / modules / services / ssh.te
policy_module(ssh,1.3.6)

########################################
#
# Declarations
#

# Attribute for ssh server domains. Nothing in this file assigns it directly;
# presumably ssh_server_template does - confirm in the interface file.
attribute ssh_server;

# ssh client executable.
type ssh_exec_t;
corecmd_executable_file(ssh_exec_t)

# ssh-keygen executable; passed to init_system_domain together with
# ssh_keygen_t in non-targeted builds.
type ssh_keygen_exec_t;
corecmd_executable_file(ssh_keygen_exec_t)

# Presumably the ssh-keysign helper (inferred from the name only; no domain
# in this file is tied to it).
type ssh_keysign_exec_t;
corecmd_executable_file(ssh_keysign_exec_t)

# real declaration moved to mls until
# range_transition works in loadable modules
# (so sshd_exec_t is required here rather than declared)
gen_require(`
	type sshd_exec_t;
')
corecmd_executable_file(sshd_exec_t)

# Label for the files ssh_keygen_t creates in etc (see the ssh_keygen section).
# ssh_keygen_t is the only domain granted access to it in this file; any
# further grant on this type deserves review.
type sshd_key_t;
files_type(sshd_key_t)

ifdef(`targeted_policy',`
	# Targeted build: the sshd_t rules later in this file sit inside
	# strict_policy conditionals, so this module adds no confinement here.
	# NOTE(review): unconfined_alias_domain presumably makes sshd_t an alias
	# of the unconfined domain - confirm in the unconfined module.
	unconfined_alias_domain(sshd_t)
	init_system_domain(sshd_t,sshd_exec_t)

	type sshd_var_run_t;
	files_type(sshd_var_run_t)
',`
	# Type for the ssh-agent executable.
	# NOTE(review): declared with files_type while the other ssh executable
	# types in this file use corecmd_executable_file - confirm this is intended.
	type ssh_agent_exec_t;
	files_type(ssh_agent_exec_t)

	# Domain for ssh-keygen; allowed in system_r.
	type ssh_keygen_t;
	init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
	role system_r types ssh_keygen_t;

	# Two server domains come from the same template: sshd and sshd_extern.
	ssh_server_template(sshd)
	ssh_server_template(sshd_extern)

	# With the tunable below commented out, the init_daemon_domain line is
	# the only active rule in this stanza; there is no inetd path into sshd_t.
	# Keep the quote characters in the commented lines balanced - they are
	# still inside a quoted m4 argument.
	# cjp: commenting this out until typeattribute works in a conditional
	# optional_policy(`
	# tunable_policy(`run_ssh_inetd',`
	# inetd_tcp_service_domain(sshd_t,sshd_exec_t)
	# ',`
	# init_daemon_domain(sshd_t,sshd_exec_t)
	# ')
	# ',`
	# These rules should match the else block
	# of the run_ssh_inetd tunable directly above
	init_daemon_domain(sshd_t,sshd_exec_t)
	# ')

	# Private type for sshd temporary objects.
	type sshd_tmp_t;
	files_tmp_file(sshd_tmp_t)
')

#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#
# Everything in this section is built only when strict_policy is defined.
#

ifdef(`strict_policy',`
	# so a tunnel can point to another ssh tunnel
	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;

	# Private tmp objects: sshd_t gets create permissions on dirs, files and
	# socket files of type sshd_tmp_t, and the filetrans call names the same
	# three classes so that what sshd_t creates in tmp takes that type.
	allow sshd_t sshd_tmp_t:dir create_dir_perms;
	allow sshd_t sshd_tmp_t:file create_file_perms;
	allow sshd_t sshd_tmp_t:sock_file create_file_perms;
	files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })

	# for X forwarding
	corenet_tcp_bind_xserver_port(sshd_t)
	corenet_sendrecv_xserver_server_packets(sshd_t)

	# MLS overrides: going by the interface names, sshd_t may read above and
	# write below its own level, change file levels in both directions and
	# set its own process level. That makes sshd_t a trusted subject under
	# MLS, so weigh every other grant to this domain with that in mind.
	mls_file_read_up(sshd_t)
	mls_file_write_down(sshd_t)
	mls_file_upgrade(sshd_t)
	mls_file_downgrade(sshd_t)
	mls_process_set_level(sshd_t)

	auth_exec_pam(sshd_t)

	seutil_read_config(sshd_t)

	# ssh_sysadm_login on: sshd_t may transition into, signal and handle the
	# ptys of ALL user domains. Off: the same access is limited to the
	# unprivileged user domains. Leave the tunable off unless direct
	# administrative logins over ssh are a requirement.
	tunable_policy(`ssh_sysadm_login',`
		# Relabel and access ptys created by sshd
		# ioctl is necessary for logout() processing for utmp entry and for w to
		# display the tty.
		# some versions of sshd on the new SE Linux require setattr
		term_use_all_user_ptys(sshd_t)
		term_setattr_all_user_ptys(sshd_t)
		term_relabelto_all_user_ptys(sshd_t)

		userdom_spec_domtrans_all_users(sshd_t)
		userdom_signal_all_users(sshd_t)
	',`
		userdom_spec_domtrans_unpriv_users(sshd_t)
		userdom_signal_unpriv_users(sshd_t)

		userdom_setattr_unpriv_users_ptys(sshd_t)
		userdom_relabelto_unpriv_users_ptys(sshd_t)
		userdom_use_unpriv_users_ptys(sshd_t)
	')

	optional_policy(`
		daemontools_service_domain(sshd_t, sshd_exec_t)
	')

	optional_policy(`
		rpm_use_script_fds(sshd_t)
	')

	optional_policy(`
		rssh_spec_domtrans_all_users(sshd_t)
		# For reading /home/user/.ssh
		rssh_read_all_users_ro_content(sshd_t)
	')

	# Parked rules: expanded only if TODO is defined at build time. They
	# still name attributes directly (ptyfile, userdomain, unpriv_userdomain,
	# userpty_type) instead of going through interfaces, and repeat the
	# ssh_sysadm_login split above. Review before enabling.
	ifdef(`TODO',`
		tunable_policy(`ssh_sysadm_login',`
			# Relabel and access ptys created by sshd
			# ioctl is necessary for logout() processing for utmp entry and for w to
			# display the tty.
			# some versions of sshd on the new SE Linux require setattr
			allow sshd_t ptyfile:chr_file relabelto;

			optional_policy(`
				domain_trans(sshd_t, xauth_exec_t, userdomain)
			')
		',`
			optional_policy(`
				domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
			')
			# Relabel and access ptys created by sshd
			# ioctl is necessary for logout() processing for utmp entry and for w to
			# display the tty.
			# some versions of sshd on the new SE Linux require setattr
			allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
		')
	') dnl endif TODO
')

#################################
#
# sshd_extern local policy
#
# sshd_extern_t is the domain for ssh from outside our network
#
# Every rule in this section needs both strict_policy and TODO to be defined,
# so in a normal build sshd_extern_t gets nothing from this section.
#

ifdef(`strict_policy',`
	ifdef(`TODO',`
		domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
		# Signal the user domains.
		allow sshd_extern_t user_mini_domain:process signal;

		ifdef(`xauth.te', `
			domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
		')

		# Relabel and access ptys created by sshd
		# ioctl is necessary for logout() processing for utmp entry and for w to
		# display the tty.
		# some versions of sshd on the new SE Linux require setattr
		allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };

		# inheriting stream sockets is needed for "ssh host command" as no pty
		# is allocated
		allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;

		# Entry into sshd_extern_t: from inetd_t when run_ssh_inetd is set,
		# otherwise from initrc_t.
		optional_policy(`
			tunable_policy(`run_ssh_inetd',`
				domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
			',`
				domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
			')
		',`
			# These rules should match the else block
			# of the run_ssh_inetd tunable directly above
			domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
		')

		# NOTE(review): the rules from here to the end of the TODO block name
		# sshd_t, not sshd_extern_t, although they sit in the sshd_extern
		# section. Confirm the intended domain before enabling any of them.
		ifdef(`direct_sysadm_daemon', `
			# Direct execution by sysadm_r.
			domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
			role_transition sysadm_r sshd_exec_t system_r;
		')

		# for port forwarding
		allow userdomain sshd_t:tcp_socket { connectto recvfrom };
		allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
		allow userdomain kernel_t:tcp_socket recvfrom;
		allow sshd_t kernel_t:tcp_socket recvfrom;
	') dnl endif TODO
')

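########################################
#
# ssh_keygen local policy
#
# Built only when targeted_policy is NOT defined: the first branch of the
# conditional below is empty and all rules live in the else branch.
#

ifdef(`targeted_policy',`',`
	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
	# and by sysadm_t

	dontaudit ssh_keygen_t self:capability sys_tty_config;
	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };

	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

	# Files that ssh_keygen_t creates in etc take sshd_key_t through the
	# filetrans call, and ssh_keygen_t gets create permissions on files of
	# that type.
	allow ssh_keygen_t sshd_key_t:file create_file_perms;
	files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)

	kernel_read_kernel_sysctls(ssh_keygen_t)

	fs_search_auto_mountpoints(ssh_keygen_t)

	# Read-only device access; going by the interface names this is sysfs and
	# the urandom device.
	dev_read_sysfs(ssh_keygen_t)
	dev_read_urand(ssh_keygen_t)

	term_dontaudit_use_console(ssh_keygen_t)

	domain_use_interactive_fds(ssh_keygen_t)

	files_read_etc_files(ssh_keygen_t)

	init_use_fds(ssh_keygen_t)
	init_use_script_ptys(ssh_keygen_t)

	libs_use_ld_so(ssh_keygen_t)
	libs_use_shared_libs(ssh_keygen_t)

	logging_send_syslog_msg(ssh_keygen_t)

	allow ssh_keygen_t proc_t:dir r_dir_perms;
	allow ssh_keygen_t proc_t:lnk_file read;

	userdom_use_sysadm_ttys(ssh_keygen_t)
	userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)

	# cjp: with the old daemon_(base_)domain being broken up into
	# a daemon and system interface, this probably is not needed:
	ifdef(`direct_sysadm_daemon',`
		userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
	')

	# A nested targeted_policy conditional with three dontaudit calls
	# (unallocated ttys, generic ptys, root files) used to follow here.
	# It was dropped: this branch is only expanded when targeted_policy is
	# undefined, so those calls could never reach the compiled policy.

	optional_policy(`
		seutil_sigchld_newrole(ssh_keygen_t)
	')

	optional_policy(`
		udev_read_db(ssh_keygen_t)
	')
')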