# SELinux policy module "ssh": declarations for the ssh client tools,
# ssh-keygen, ssh-agent and the sshd server domains.
# NOTE(review): the gutter numbers in this listing have gaps, so some source
# lines (blank lines, some `type` declarations, the closing quotes of m4
# blocks) are not shown. The added comments describe only visible statements.
2 policy_module(ssh,1.2.0)
4 ########################################
11 # ssh client executable.
13 files_type(ssh_exec_t)
15 type ssh_keygen_exec_t;
16 files_type(ssh_keygen_exec_t)
18 type ssh_keysign_exec_t;
19 files_type(ssh_keysign_exec_t)
21 # real declaration moved to mls until
22 # range_transition works in loadable modules
26 files_type(sshd_exec_t)
# sshd_key_t is the type ssh_keygen_t creates through the etc file transition
# in the ssh_keygen section of this file; presumably the host key label.
# Confirm which domains may read it, as that is not visible in this listing.
29 files_type(sshd_key_t)
# Targeted policy only. By its name, unconfined_alias_domain ties sshd_t to
# the unconfined domain, so the sshd_t rules in this file would not restrict
# the daemon in that build. TODO confirm against the interface definition.
31 ifdef(`targeted_policy',`
32 unconfined_alias_domain(sshd_t)
33 init_system_domain(sshd_t,sshd_exec_t)
36 files_type(sshd_var_run_t)
# Add the entry_type attribute to the client-side executable types.
39 typeattribute ssh_exec_t entry_type;
40 typeattribute ssh_keygen_exec_t entry_type;
41 typeattribute ssh_keysign_exec_t entry_type;
43 # Type for the ssh-agent executable.
44 type ssh_agent_exec_t;
45 files_type(ssh_agent_exec_t)
# ssh_keygen_t is started via ssh_keygen_exec_t as an init system domain and
# is authorized for system_r.
48 init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
49 role system_r types ssh_keygen_t;
# Instantiate the server template twice, presumably producing the sshd_t and
# sshd_extern_t domains that the later sections extend. The template body is
# defined elsewhere; review it together with the local rules below.
51 ssh_server_template(sshd)
52 ssh_server_template(sshd_extern)
54 # cjp: commenting this out until typeattribute works in a conditional
55 # optional_policy(`inetd',`
56 # tunable_policy(`run_ssh_inetd',`
57 # inetd_tcp_service_domain(sshd_t,sshd_exec_t)
59 # init_daemon_domain(sshd_t,sshd_exec_t)
62 # These rules should match the else block
63 # of the run_ssh_inetd tunable directly above
# Because the tunable above is commented out, this call is unconditional.
64 init_daemon_domain(sshd_t,sshd_exec_t)
68 files_tmp_file(sshd_tmp_t)
71 #################################
75 # sshd_t is the domain for the sshd program.
# The first ifdef branch is empty, so the rules that follow apply only when
# targeted_policy is NOT defined. The end of the block is not shown here.
78 ifdef(`targeted_policy',`',`
79 # so a tunnel can point to another ssh tunnel
80 allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
# sshd may create directories, files and socket files of type sshd_tmp_t.
# The filetrans call gives objects it creates in tmp that private type
# (per the interface name) rather than the generic tmp label.
82 allow sshd_t sshd_tmp_t:dir create_dir_perms;
83 allow sshd_t sshd_tmp_t:file create_file_perms;
84 allow sshd_t sshd_tmp_t:sock_file create_file_perms;
85 files_filetrans_tmp(sshd_t, sshd_tmp_t, { dir file sock_file })
# Lets sshd bind the X server TCP port range; presumably for X11 forwarding.
88 corenet_tcp_bind_xserver_port(sshd_t)
# NOTE(review): by their names, these five interfaces exempt sshd_t from MLS
# restrictions (read up, write down, relabel files up or down, set its own
# process level). That makes sshd_t a trusted subject under MLS policy.
# Confirm each one is required, since a compromise of sshd_t would inherit them.
90 mls_file_read_up(sshd_t)
91 mls_file_write_down(sshd_t)
92 mls_file_upgrade(sshd_t)
93 mls_file_downgrade(sshd_t)
94 mls_process_set_level(sshd_t)
98 seutil_read_config(sshd_t)
# ssh_sysadm_login tunable. The *_all_users calls and the *_unpriv_users
# calls below are presumably the true and false branches, but the lines that
# separate them are not shown in this listing.
# Read this way, enabling the tunable lets sshd transition into and signal
# every user domain instead of only unprivileged ones. Leave it off unless
# direct remote administrative login is required.
100 tunable_policy(`ssh_sysadm_login',`
101 # Relabel and access ptys created by sshd
102 # ioctl is necessary for logout() processing for utmp entry and for w to
104 # some versions of sshd on the new SE Linux require setattr
105 term_use_all_user_ptys(sshd_t)
106 term_setattr_all_user_ptys(sshd_t)
107 term_relabelto_all_user_ptys(sshd_t)
109 userdom_spec_domtrans_all_users(sshd_t)
110 userdom_signal_all_users(sshd_t)
112 userdom_spec_domtrans_unpriv_users(sshd_t)
113 userdom_signal_unpriv_users(sshd_t)
115 userdom_setattr_unpriv_user_pty(sshd_t)
116 userdom_relabelto_unpriv_user_pty(sshd_t)
117 userdom_use_unpriv_user_pty(sshd_t)
# Optional integrations, included only when the named module is present.
120 optional_policy(`daemontools',`
121 daemontools_service_domain(sshd_t, sshd_exec_t)
124 optional_policy(`rpm',`
125 rpm_use_script_fd(sshd_t)
# NOTE(review): second ssh_sysadm_login block, written with raw allow rules
# and attributes (ptyfile, userdomain, unpriv_userdomain, userpty_type)
# instead of interfaces. Whether an enclosing disabled block wraps it is not
# visible in this listing; confirm before treating these rules as active.
129 tunable_policy(`ssh_sysadm_login',`
130 # Relabel and access ptys created by sshd
131 # ioctl is necessary for logout() processing for utmp entry and for w to
133 # some versions of sshd on the new SE Linux require setattr
134 allow sshd_t ptyfile:chr_file relabelto;
# Running xauth_exec_t from sshd_t transitions to the user domains.
136 optional_policy(`xauth',`
137 domain_trans(sshd_t, xauth_exec_t, userdomain)
140 optional_policy(`xauth',`
141 domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
143 # Relabel and access ptys created by sshd
144 # ioctl is necessary for logout() processing for utmp entry and for w to
146 # some versions of sshd on the new SE Linux require setattr
147 allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
152 #################################
154 # sshd_extern local policy
156 # sshd_extern_t is the domain for ssh from outside our network
# Empty first branch: these rules apply only when targeted_policy is NOT
# defined. Whether an enclosing disabled block also wraps this section
# cannot be determined from this listing.
159 ifdef(`targeted_policy',`',`
# Shells started from sshd_extern_t transition into user_mini_domain, so
# logins through this domain land in the reduced user domains that attribute
# names rather than in the full user domains.
161 domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
162 # Signal the user domains.
163 allow sshd_extern_t user_mini_domain:process signal;
166 domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
169 # Relabel and access ptys created by sshd
170 # ioctl is necessary for logout() processing for utmp entry and for w to
172 # some versions of sshd on the new SE Linux require setattr
# NOTE(review): the target of this chr_file rule is the domain attribute
# user_mini_domain, while the matching sshd_t rule targets userpty_type.
# Confirm that a pty type attribute was not intended here.
173 allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
175 # inheriting stream sockets is needed for "ssh host command" as no pty
177 allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
# Entry into sshd_extern_t: from inetd_t and from initrc_t when executing
# sshd_exec_t. The lines separating the tunable branches are not shown.
# NOTE(review): the declarations section also calls
# init_daemon_domain(sshd_t,sshd_exec_t) on the same executable type. Two
# transitions from the init script domain on one entrypoint would conflict
# if both are active. TODO confirm which one is compiled in.
179 optional_policy(`inetd',`
180 tunable_policy(`run_ssh_inetd',`
181 domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
183 domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
186 # These rules should match the else block
187 # of the run_ssh_inetd tunable directly above
188 domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
# Only when direct_sysadm_daemon is defined: sysadm_t executing sshd_exec_t
# automatically enters sshd_t, and the role changes from sysadm_r to system_r.
191 ifdef(`direct_sysadm_daemon', `
192 # Direct execution by sysadm_r.
193 domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
194 role_transition sysadm_r sshd_exec_t system_r;
# These rules cover every domain in the userdomain attribute, not a specific
# user type: any such domain may connect to sshd_t TCP sockets.
197 # for port forwarding
198 allow userdomain sshd_t:tcp_socket { connectto recvfrom };
199 allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
200 allow userdomain kernel_t:tcp_socket recvfrom;
201 allow sshd_t kernel_t:tcp_socket recvfrom;
205 ########################################
207 # ssh_keygen local policy
# Empty first branch: the rules below apply only when targeted_policy is NOT
# defined. The end of the block is not shown in this listing.
210 ifdef(`targeted_policy',`',`
211 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
# dontaudit hides the denial message only; sys_tty_config is still denied.
214 dontaudit ssh_keygen_t self:capability sys_tty_config;
215 allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
217 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
# Key material: ssh_keygen_t may create sshd_key_t files. The etc file
# transition gives files it creates under etc that type (per the interface
# name), so generated keys do not keep the generic etc label.
# NOTE(review): files_read_etc_files-style access granted to other domains
# should not reach sshd_key_t; verify that nothing broader than the sshd
# domains can read this type.
219 allow ssh_keygen_t sshd_key_t:file create_file_perms;
220 files_filetrans_etc(ssh_keygen_t,sshd_key_t,file)
222 kernel_read_kernel_sysctls(ssh_keygen_t)
224 fs_search_auto_mountpoints(ssh_keygen_t)
226 dev_read_sysfs(ssh_keygen_t)
# Read access to the urandom device; presumably the randomness source used
# for key generation.
227 dev_read_urand(ssh_keygen_t)
229 term_dontaudit_use_console(ssh_keygen_t)
231 domain_use_wide_inherit_fd(ssh_keygen_t)
233 files_read_etc_files(ssh_keygen_t)
# File descriptors and the pty inherited from init and its scripts, which
# matches the "run at install time" use described above.
235 init_use_fd(ssh_keygen_t)
236 init_use_script_pty(ssh_keygen_t)
238 libs_use_ld_so(ssh_keygen_t)
239 libs_use_shared_libs(ssh_keygen_t)
241 logging_send_syslog_msg(ssh_keygen_t)
243 allow ssh_keygen_t proc_t:dir r_dir_perms;
244 allow ssh_keygen_t proc_t:lnk_file read;
246 userdom_use_sysadm_tty(ssh_keygen_t)
247 userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)
249 # cjp: with the old daemon_(base_)domain being broken up into
250 # a daemon and system interface, this probably is not needed:
251 ifdef(`direct_sysadm_daemon',`
252 userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
# Targeted policy only: silence audit messages for terminal and root-file
# accesses. These are dontaudit rules, so the accesses are still denied.
255 ifdef(`targeted_policy', `
256 term_dontaudit_use_unallocated_tty(ssh_keygen_t)
257 term_dontaudit_use_generic_pty(ssh_keygen_t)
258 files_dontaudit_read_root_files(ssh_keygen_t)
# Optional integrations, included only when the named module is present.
261 optional_policy(`selinuxutil',`
262 seutil_sigchld_newrole(ssh_keygen_t)
265 optional_policy(`udev',`
266 udev_read_db(ssh_keygen_t)