1 ## <summary>Secure shell client and server policy.</summary>
3 #######################################
5 ## Basic SSH client template.
9 ## This template creates a derived domain ($1_ssh_t) which is used
10 ## for ssh client sessions of the given user domain. The user's
11 ## keys and config live in the shared ssh_home_t type.
14 ## This template was added for NX.
17 ## <param name="userdomain_prefix">
19 ## The prefix of the domain (e.g., user
20 ## is the prefix for user_t).
23 ## <param name="user_domain">
25 ## The type of the domain.
28 ## <param name="user_role">
30 ## The role associated with the user domain.
34 template(`ssh_basic_client_template',`
37 type ssh_exec_t, sshd_key_t, sshd_tmp_t;
41 ##############################
# $1_ssh_t is the per-user client domain; the user's role is allowed to
# hold it so the domtrans_pattern below can take effect.
47 application_domain($1_ssh_t, ssh_exec_t)
48 role $3 types $1_ssh_t;
50 ##############################
# Local policy for the client domain.
# NOTE(review): dac_override/dac_read_search let the client bypass DAC on any
# file it can otherwise reach by type; confirm they are still exercised,
# a user-owned ~/.ssh does not need them.
55 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
# Everything in the process class except changing its own SELinux context,
# ptrace, rlimit changes and executable memory mappings.
56 allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
57 allow $1_ssh_t self:fd use;
58 allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
59 allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
60 allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
61 allow $1_ssh_t self:shm create_shm_perms;
62 allow $1_ssh_t self:sem create_sem_perms;
63 allow $1_ssh_t self:msgq create_msgq_perms;
64 allow $1_ssh_t self:msg { send receive };
65 allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
# Talk back to the user domain over inherited/connected unix sockets.
68 allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
69 allow $1_ssh_t $2:unix_stream_socket connectto;
71 # Read the ssh key file.
# NOTE(review): sshd_key_t is the server key type; if private host keys carry
# the same label as the public ones, the client domain can read both.
# Confirm against the file contexts before relying on this split.
72 allow $1_ssh_t sshd_key_t:file read_file_perms;
74 # Access the ssh temporary files.
75 allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
76 allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
77 files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
79 # Transition from the domain to the derived domain.
80 domtrans_pattern($2, ssh_exec_t, $1_ssh_t)
82 # inheriting stream sockets is needed for "ssh host command" as no pty
84 # cjp: should probably fix target to be an attribute for ssh servers
85 # or "regular" (not special like sshd_extern_t) servers
86 allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
88 # allow ps to show ssh
89 ps_process_pattern($2, $1_ssh_t)
91 # user can manage the keys and config
92 manage_files_pattern($2, ssh_home_t, ssh_home_t)
93 manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
94 manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
96 # ssh client can manage the keys and config
# The client only reads symlinks in ssh_home_t; the user domain above may
# create them.
97 manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
98 read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
100 # ssh servers can read the user keys and config
# NOTE(review): these three rules target the global ssh_server attribute and
# do not depend on $1/$2, so every instantiation re-emits the same grant.
101 allow ssh_server ssh_home_t:dir list_dir_perms;
102 read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
103 read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
105 kernel_read_kernel_sysctls($1_ssh_t)
106 kernel_read_system_state($1_ssh_t)
# Network: connect to the ssh port as a client; binding unreserved ports is
# presumably for local port forwarding (-L) -- confirm.
108 corenet_all_recvfrom_unlabeled($1_ssh_t)
109 corenet_all_recvfrom_netlabel($1_ssh_t)
110 corenet_tcp_sendrecv_generic_if($1_ssh_t)
111 corenet_tcp_sendrecv_generic_node($1_ssh_t)
112 corenet_tcp_sendrecv_all_ports($1_ssh_t)
113 corenet_tcp_connect_ssh_port($1_ssh_t)
114 corenet_sendrecv_ssh_client_packets($1_ssh_t)
115 corenet_tcp_bind_generic_node($1_ssh_t)
116 corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
118 dev_read_urand($1_ssh_t)
120 fs_getattr_all_fs($1_ssh_t)
121 fs_search_auto_mountpoints($1_ssh_t)
123 # run helper programs - needed eg for x11-ssh-askpass
# Note these run in the client domain itself (no transition).
124 corecmd_exec_shell($1_ssh_t)
125 corecmd_exec_bin($1_ssh_t)
127 domain_use_interactive_fds($1_ssh_t)
129 files_list_home($1_ssh_t)
130 files_read_usr_files($1_ssh_t)
131 files_read_etc_runtime_files($1_ssh_t)
132 files_read_etc_files($1_ssh_t)
133 files_read_var_files($1_ssh_t)
135 auth_use_nsswitch($1_ssh_t)
137 logging_send_syslog_msg($1_ssh_t)
138 logging_read_generic_logs($1_ssh_t)
140 miscfiles_read_localization($1_ssh_t)
142 seutil_read_config($1_ssh_t)
# GSSAPI authentication support for the client.
145 kerberos_use($1_ssh_t)
149 ######################################
151 ## Template to define a domain that sshd may dyntransition to.
153 ## <param name="domain">
155 ## The type of the dyntransition domain (used as a full type name, not a prefix).
159 template(`ssh_dyntransition_domain_template',`
161 attribute ssh_dyntransition_domain;
# $1 is declared here as-is and tagged with the ssh_dyntransition_domain
# attribute; it is not expanded to $1_t.
164 type $1, ssh_dyntransition_domain;
166 role system_r types $1;
# Grants sshd_t process:dyntransition to $1 and lets $1 send sigchld back.
169 ssh_dyntransition_to($1)
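172 #######################################
174 ## The template to define a ssh server.
178 ## This template creates a domain to be used for
179 ## creating a ssh server. This is typically done
180 ## to have multiple ssh servers of different sensitivities,
181 ## such as for an internal network-facing ssh server, and
182 ## an external network-facing ssh server.
185 ## <param name="userdomain_prefix">
187 ## The prefix of the server domain (e.g., sshd
188 ## is the prefix for sshd_t).
192 template(`ssh_server_template',`
# $1_t is the server domain; the ssh_server attribute makes rules written
# against ssh_server (e.g. reading user keys in ssh_home_t) apply to it.
193 type $1_t, ssh_server;
194 auth_login_pgm_domain($1_t)
# Per-server pty, tmpfs and pid types.  Their `type' declarations are not
# visible in this listing; presumably declared next to these calls.
197 term_login_pty($1_devpts_t)
200 files_tmpfs_file($1_tmpfs_t)
203 files_pid_file($1_var_run_t)
# net_admin is for the tunnel feature (see corenet_rw_tun_tap_dev below);
# NOTE(review): the remaining capabilities presumably cover privilege
# separation, session setup and pty ownership -- confirm each is still used.
205 allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
206 allow $1_t self:fifo_file rw_fifo_file_perms;
# Single process rule; the same permission set was previously listed twice.
207 allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
209 allow $1_t self:tcp_socket create_stream_socket_perms;
210 allow $1_t self:udp_socket create_socket_perms;
211 allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
212 # ssh agent connections:
213 allow $1_t self:unix_stream_socket create_stream_socket_perms;
214 allow $1_t self:shm create_shm_perms;
# Session ptys: full rw plus relabelfrom so the pty can be handed to the
# login user.
216 allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
217 term_create_pty($1_t, $1_devpts_t)
219 manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
220 fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
222 allow $1_t $1_var_run_t:file manage_file_perms;
223 files_pid_filetrans($1_t, $1_var_run_t, file)
# Execute the sshd binary in the same domain (presumably self re-exec).
225 can_exec($1_t, sshd_exec_t)
# Host keys are read-only for the server.
228 allow $1_t sshd_key_t:file read_file_perms;
230 kernel_read_kernel_sysctls($1_t)
231 kernel_read_network_state($1_t)
232 kernel_request_load_module($1_t)
# Network: server side of the ssh port; udp/raw send/recv are included too.
234 corenet_all_recvfrom_unlabeled($1_t)
235 corenet_all_recvfrom_netlabel($1_t)
236 corenet_tcp_sendrecv_generic_if($1_t)
237 corenet_udp_sendrecv_generic_if($1_t)
238 corenet_raw_sendrecv_generic_if($1_t)
239 corenet_tcp_sendrecv_generic_node($1_t)
240 corenet_udp_sendrecv_generic_node($1_t)
241 corenet_raw_sendrecv_generic_node($1_t)
242 corenet_udp_sendrecv_all_ports($1_t)
243 corenet_tcp_sendrecv_all_ports($1_t)
244 corenet_tcp_bind_generic_node($1_t)
245 corenet_udp_bind_generic_node($1_t)
246 corenet_tcp_bind_ssh_port($1_t)
# Previously called twice; once is sufficient.
247 corenet_sendrecv_ssh_server_packets($1_t)
250 # tunnel feature and -w (net_admin capability also)
251 corenet_rw_tun_tap_dev($1_t)
253 fs_getattr_all_fs($1_t)
# wtmp/btmp and faillog updates on login.
255 auth_rw_login_records($1_t)
256 auth_rw_faillog($1_t)
258 corecmd_read_bin_symlinks($1_t)
260 # for sshd subsystems, such as sftp-server.
# (Previously listed twice; kept once.)
261 corecmd_getattr_bin_files($1_t)
263 domain_interactive_fd($1_t)
# Lets this server dyntransition; the target side is ssh_dyntransition_to.
264 domain_dyntrans_type($1_t)
266 files_read_etc_files($1_t)
267 files_read_etc_runtime_files($1_t)
268 files_read_usr_files($1_t)
270 logging_search_logs($1_t)
272 miscfiles_read_localization($1_t)
274 userdom_dontaudit_relabelfrom_user_ptys($1_t)
275 userdom_read_user_home_content_files($1_t)
277 # Allow checking users mail at login
278 mta_getattr_spool($1_t)
# NOTE(review): userdom_home_manager is broad (manage of user home content);
# confirm a read-only interface would not suffice for this server.
280 userdom_home_manager($1_t)
284 kerberos_manage_host_rcache($1_t)
288 files_read_var_lib_symlinks($1_t)
289 nx_spec_domtrans_server($1_t)
293 rlogin_read_home_content($1_t)
297 shutdown_getattr_exec_files($1_t)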
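301 ########################################
303 ## Role access for ssh
305 ## <param name="role_prefix">
307 ## The prefix of the role (e.g., user
308 ## is the prefix for user_r).
311 ## <param name="role">
313 ## Role allowed access
316 ## <param name="domain">
318 ## User domain for the role
323 template(`ssh_role_template',`
325 attribute ssh_server, ssh_agent_type;
326 type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
# ssh_tmpfs_t is already required on the line above.
327 type ssh_agent_exec_t, ssh_keysign_t;
328 type ssh_agent_tmp_t;
331 ##############################
# Per-role agent domain; the client domain (ssh_t) is shared, unlike the
# per-user $1_ssh_t of ssh_basic_client_template.
338 type $1_ssh_agent_t, ssh_agent_type;
339 application_domain($1_ssh_agent_t, ssh_agent_exec_t)
340 domain_interactive_fd($1_ssh_agent_t)
341 ubac_constrained($1_ssh_agent_t)
342 role $2 types $1_ssh_agent_t;
344 ##############################
349 # Transition from the domain to the derived domain.
350 domtrans_pattern($3, ssh_exec_t, ssh_t)
352 # inheriting stream sockets is needed for "ssh host command" as no pty
354 allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms;
356 # allow ps to show ssh
357 ps_process_pattern($3, ssh_t)
358 allow $3 ssh_t:process signal_perms;
# Client <-> user domain: sockets and kernel keyrings.
# NOTE(review): manage_key_perms on the user's keyring is broad; confirm the
# client needs more than read/search on it.
361 allow ssh_t $3:unix_stream_socket rw_socket_perms;
362 allow ssh_t $3:unix_stream_socket connectto;
363 allow ssh_t $3:key manage_key_perms;
364 allow $3 ssh_t:key read;
366 # user can manage the keys and config
367 manage_files_pattern($3, ssh_home_t, ssh_home_t)
368 manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
369 manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
# $3 is the documented user domain; the earlier $1_t only worked when the
# role prefix happened to match the domain name.
370 userdom_search_user_home_dirs($3)
371 userdom_manage_tmp_role($2, ssh_t)
373 ##############################
375 # SSH agent local policy
378 allow $1_ssh_agent_t self:process setrlimit;
379 allow $1_ssh_agent_t self:capability setgid;
381 allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
383 allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
# Agent socket under /tmp, labelled ssh_agent_tmp_t on creation.
385 manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
386 manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
387 files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
# The user domain may connect to that socket.
390 stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
392 # Allow the user shell to signal the ssh program.
393 allow $3 $1_ssh_agent_t:process signal_perms;
395 # allow ps to show ssh
396 ps_process_pattern($3, $1_ssh_agent_t)
398 domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
400 kernel_read_kernel_sysctls($1_ssh_agent_t)
402 dev_read_urand($1_ssh_agent_t)
403 dev_read_rand($1_ssh_agent_t)
405 fs_search_auto_mountpoints($1_ssh_agent_t)
407 # transition back to normal privs upon exec
408 corecmd_shell_domtrans($1_ssh_agent_t, $3)
409 corecmd_bin_domtrans($1_ssh_agent_t, $3)
411 domain_use_interactive_fds($1_ssh_agent_t)
413 files_read_etc_files($1_ssh_agent_t)
414 files_read_etc_runtime_files($1_ssh_agent_t)
416 libs_read_lib_files($1_ssh_agent_t)
418 logging_send_syslog_msg($1_ssh_agent_t)
420 miscfiles_read_localization($1_ssh_agent_t)
421 miscfiles_read_generic_certs($1_ssh_agent_t)
423 seutil_dontaudit_read_config($1_ssh_agent_t)
425 # Write to the user domain tty.
426 userdom_use_inherited_user_terminals($1_ssh_agent_t)
428 # for the transition back to normal privs upon exec
429 userdom_search_user_home_content($1_ssh_agent_t)
430 userdom_user_home_domtrans($1_ssh_agent_t, $3)
# NOTE(review): userdom_home_manager grants manage of user home content to
# the agent; confirm the agent needs more than its own socket and config.
434 userdom_home_manager($1_ssh_agent_t)
437 nis_use_ypbind($1_ssh_agent_t)
441 xserver_use_xdm_fds($1_ssh_agent_t)
442 xserver_rw_xdm_pipes($1_ssh_agent_t)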
446 ########################################
448 ## Send a SIGCHLD signal to the ssh server.
450 ## <param name="domain">
452 ## Domain allowed access.
456 interface(`ssh_sigchld',`
# Only sigchld; generic signals are a separate permission (see ssh_signal).
461 allow $1 sshd_t:process sigchld;
464 ########################################
466 ## Send a generic signal to the ssh server.
468 ## <param name="domain">
470 ## Domain allowed access.
474 interface(`ssh_signal',`
# The generic `signal' permission; sigchld and signull are handled by the
# sibling interfaces ssh_sigchld and ssh_signull.
479 allow $1 sshd_t:process signal;
482 ########################################
484 ## Read a ssh server unnamed pipe.
486 ## <param name="domain">
488 ## Domain allowed access.
492 interface(`ssh_read_pipes',`
# Read-only counterpart of ssh_rw_pipes.
497 allow $1 sshd_t:fifo_file read_fifo_file_perms;
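500 ######################################
502 ## Read and write ssh server unix dgram sockets.
504 ## <param name="domain">
506 ## Domain allowed access.
510 interface(`ssh_rw_dgram_sockets',`
# A datagram socket has no listen/accept, so use the plain socket set instead
# of rw_stream_socket_perms, which additionally carries listen and accept.
515 allow $1 sshd_t:unix_dgram_socket rw_socket_perms;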
518 ########################################
520 ## Read and write a ssh server unnamed pipe.
522 ## <param name="domain">
524 ## Domain allowed access.
528 interface(`ssh_rw_pipes',`
# Inherited-fifo permission set: presumably excludes open, so only pipes
# whose fd was handed to $1 are usable -- confirm against the perm set.
533 allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
536 ########################################
538 ## Read and write ssh server unix domain stream sockets.
540 ## <param name="domain">
542 ## Domain allowed access.
546 interface(`ssh_rw_stream_sockets',`
# rw_stream_socket_perms also includes listen/accept on sshd_t's socket.
551 allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
554 ########################################
556 ## Read and write ssh server TCP sockets.
558 ## <param name="domain">
560 ## Domain allowed access.
564 interface(`ssh_rw_tcp_sockets',`
# NOTE(review): rw_stream_socket_perms carries listen/accept as well as
# read/write; confirm callers need more than rw on an inherited connection.
569 allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
572 ########################################
574 ## Do not audit attempts to read and write
575 ## ssh server TCP sockets.
577 ## <param name="domain">
579 ## Domain to not audit.
583 interface(`ssh_dontaudit_rw_tcp_sockets',`
# dontaudit only silences the denial; it grants nothing.
588 dontaudit $1 sshd_t:tcp_socket { read write };
591 ########################################
593 ## Connect to SSH daemons over TCP sockets. (Deprecated)
595 ## <param name="domain">
597 ## Domain allowed access.
601 interface(`ssh_tcp_connect',`
# Emits a build-time warning and grants nothing; callers should use
# corenet_tcp_connect_ssh_port as the client template does.
602 refpolicywarn(`$0($*) has been deprecated.')
605 ########################################
607 ## Execute the ssh daemon in the sshd domain.
609 ## <param name="domain">
611 ## Domain allowed to transition.
615 interface(`ssh_domtrans',`
617 type sshd_t, sshd_exec_t;
# Automatic domain transition on exec of sshd_exec_t.
620 domtrans_pattern($1, sshd_exec_t, sshd_t)
623 ########################################
625 ## Execute the sshd init script in the init script domain.
627 ## <param name="domain">
629 ## Domain allowed access.
633 interface(`ssh_initrc_domtrans',`
635 type sshd_initrc_exec_t;
# Transitions via the labeled init script, not directly into sshd_t.
638 init_labeled_script_domtrans($1, sshd_initrc_exec_t)
641 ########################################
643 ## Execute the ssh client in the caller domain.
645 ## <param name="domain">
647 ## Domain allowed access.
651 interface(`ssh_exec',`
# No domain transition: the client runs with the caller's own privileges.
656 corecmd_search_bin($1)
657 can_exec($1, ssh_exec_t)
660 ########################################
662 ## Set the attributes of sshd key files.
664 ## <param name="domain">
666 ## Domain allowed access.
670 interface(`ssh_setattr_key_files',`
# setattr only (no read/write of key contents).
675 allow $1 sshd_key_t:file setattr_file_perms;
# NOTE(review): searching pid dirs suggests key files are also expected under
# the runtime directory -- confirm against the file contexts.
676 files_search_pids($1)
679 ########################################
681 ## Execute the ssh agent client in the caller domain.
683 ## <param name="domain">
685 ## Domain allowed access.
689 interface(`ssh_agent_exec',`
691 type ssh_agent_exec_t;
# No transition into an agent domain; compare ssh_role_template.
694 corecmd_search_bin($1)
695 can_exec($1, ssh_agent_exec_t)
698 ########################################
700 ## Getattr ssh home directory
702 ## <param name="domain">
704 ## Domain allowed access.
708 interface(`ssh_getattr_user_home_dir',`
# getattr only: directory metadata, no search or listing.
713 allow $1 ssh_home_t:dir getattr;
716 ########################################
718 ## Dontaudit search ssh home directory
720 ## <param name="domain">
722 ## Domain to not audit.
726 interface(`ssh_dontaudit_search_user_home_dir',`
# Silences search denials on ~/.ssh; grants nothing.
731 dontaudit $1 ssh_home_t:dir search_dir_perms;
734 ########################################
736 ## Read ssh home directory content
738 ## <param name="domain">
740 ## Domain allowed access.
744 interface(`ssh_read_user_home_files',`
# Read access to ssh_home_t content (files and symlinks), plus search of the
# user home dirs so ~/.ssh is reachable.
749 allow $1 ssh_home_t:dir list_dir_perms;
750 read_files_pattern($1, ssh_home_t, ssh_home_t)
751 read_lnk_files_pattern($1, ssh_home_t, ssh_home_t)
752 userdom_search_user_home_dirs($1)
755 ########################################
757 ## Execute the ssh key generator in the ssh keygen domain.
759 ## <param name="domain">
761 ## Domain allowed to transition.
765 interface(`ssh_domtrans_keygen',`
767 type ssh_keygen_t, ssh_keygen_exec_t;
# Automatic transition into ssh_keygen_t on exec.
770 domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
773 ########################################
775 ## Execute the ssh key generator in the caller domain.
777 ## <param name="domain">
779 ## Domain allowed access.
783 interface(`ssh_exec_keygen',`
785 type ssh_keygen_exec_t;
# No transition; keygen runs in the caller's domain.
788 can_exec($1, ssh_keygen_exec_t)
791 #######################################
793 ## Execute ssh-keygen in the ssh keygen domain, and
794 ## allow the specified role the ssh-keygen domain.
796 ## <param name="domain">
798 ## Domain allowed to transition.
801 ## <param name="role">
803 ## Role allowed access.
808 interface(`ssh_run_keygen',`
# Role authorisation plus the domain transition from ssh_domtrans_keygen.
813 role $2 types ssh_keygen_t;
814 ssh_domtrans_keygen($1)
817 ########################################
819 ## Do not audit attempts to read ssh server keys
821 ## <param name="domain">
823 ## Domain to not audit.
827 interface(`ssh_dontaudit_read_server_keys',`
# dontaudit only; no read access is granted.
832 dontaudit $1 sshd_key_t:file read_file_perms;
835 ######################################
837 ## Manage ssh home directory content
839 ## <param name="domain">
841 ## Domain allowed access.
845 interface(`ssh_manage_home_files',`
# Files only; symlinks and sockets in ssh_home_t are not covered here
# (compare the manage_*_pattern calls in ssh_role_template).
850 manage_files_pattern($1, ssh_home_t, ssh_home_t)
851 userdom_search_user_home_dirs($1)
854 #######################################
856 ## Delete from the ssh temp files.
858 ## <param name="domain">
860 ## Domain allowed access.
864 interface(`ssh_delete_tmp',`
# Unlink only; no read or write of sshd_tmp_t file contents.
870 delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
873 ########################################
875 ## Send a null signal to sshd processes.
877 ## <param name="domain">
879 ## Domain allowed access.
883 interface(`ssh_signull',`
# signull = existence check (kill -0); no signal is actually delivered.
888 allow $1 sshd_t:process signull;
891 #####################################
893 ## Allow sshd to dyntransition to the specified domain.
895 ## <param name="domain">
897 ## Domain sshd may dyntransition to.
901 interface(`ssh_dyntransition_to',`
# dyntransition changes the domain without an exec, so $1 inherits sshd's
# open fds and memory; the new domain is then allowed sigchld back to sshd.
906 allow sshd_t $1:process dyntransition;
907 allow $1 sshd_t:process sigchld;
910 ########################################
912 ## Create .ssh directory in the /root directory
913 ## with the correct label.
915 ## <param name="domain">
917 ## Domain allowed access.
921 interface(`ssh_filetrans_admin_home_content',`
926 userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
# NOTE(review): .shosts is normally a regular file; a dir-class transition
# will not fire for a file create -- confirm whether `file' was intended.
927 userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
930 ########################################
932 ## Create .ssh directory in the user home directory
933 ## with the correct label.
935 ## <param name="domain">
937 ## Domain allowed access.
941 interface(`ssh_filetrans_home_content',`
947 userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
# NOTE(review): .shosts is normally a regular file; a dir-class transition
# will not fire for a file create -- confirm whether `file' was intended.
948 userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")