## <summary>Secure shell client and server policy.</summary>
2
#######################################
## <summary>
##	Basic SSH client template.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domain ($1_ssh_t) which is
##	used for ssh client sessions. The user ssh keys and
##	configuration are protected by the shared ssh_home_t type,
##	which this template requires rather than declares.
##	</p>
##	<p>
##	This template was added for NX.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`ssh_basic_client_template',`
	gen_require(`
		attribute ssh_server;
		type ssh_exec_t, sshd_key_t, sshd_tmp_t;
		type ssh_home_t;
	')

	##############################
	#
	# Declarations
	#

	type $1_ssh_t;
	application_domain($1_ssh_t, ssh_exec_t)
	role $3 types $1_ssh_t;

	##############################
	#
	# Client local policy
	#

	# NOTE(review): dac_override/dac_read_search let the client bypass DAC
	# file permission checks entirely; confirm they are still needed by the
	# client rather than being a legacy grant.
	allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
	# Everything on self:process except the listed permissions (no ptrace,
	# no context changes, no executable memory).
	allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_ssh_t self:fd use;
	allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
	allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
	allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_ssh_t self:shm create_shm_perms;
	allow $1_ssh_t self:sem create_sem_perms;
	allow $1_ssh_t self:msgq create_msgq_perms;
	allow $1_ssh_t self:msg { send receive };
	allow $1_ssh_t self:tcp_socket create_stream_socket_perms;

	# for rsync: the client talks to the calling user domain ($2) over
	# unix stream sockets
	allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
	allow $1_ssh_t $2:unix_stream_socket connectto;

	# Read the ssh server key files (sshd_key_t).
	# NOTE(review): this exposes the server keys to every instantiation of
	# the client domain; presumably for host-based authentication --
	# confirm it is still required.
	allow $1_ssh_t sshd_key_t:file read_file_perms;

	# Access the ssh temporary files.
	allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
	allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
	files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })

	# Transition from the domain to the derived domain.
	domtrans_pattern($2, ssh_exec_t, $1_ssh_t)

	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	# cjp: should probably fix target to be an attribute for ssh servers
	# or "regular" (not special like sshd_extern_t) servers
	allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;

	# allow ps to show ssh
	ps_process_pattern($2, $1_ssh_t)

	# user can manage the keys and config
	manage_files_pattern($2, ssh_home_t, ssh_home_t)
	manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
	manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)

	# ssh client can manage the keys and config (symlinks read-only)
	manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)

	# ssh servers can read the user keys and config.
	# NOTE(review): these three rules involve only global types
	# (ssh_server, ssh_home_t), not $1_ssh_t, so every instantiation
	# re-emits them; they belong in ssh.te.
	allow ssh_server ssh_home_t:dir list_dir_perms;
	read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)

	kernel_read_kernel_sysctls($1_ssh_t)
	kernel_read_system_state($1_ssh_t)

	corenet_all_recvfrom_unlabeled($1_ssh_t)
	corenet_all_recvfrom_netlabel($1_ssh_t)
	corenet_tcp_sendrecv_generic_if($1_ssh_t)
	corenet_tcp_sendrecv_generic_node($1_ssh_t)
	# NOTE(review): send/recv on all TCP ports plus binding to all
	# unreserved ports is wide for a client; presumably needed for
	# -L/-R port forwarding -- the ssh port connect alone covers plain
	# sessions.
	corenet_tcp_sendrecv_all_ports($1_ssh_t)
	corenet_tcp_connect_ssh_port($1_ssh_t)
	corenet_sendrecv_ssh_client_packets($1_ssh_t)
	corenet_tcp_bind_generic_node($1_ssh_t)
	corenet_tcp_bind_all_unreserved_ports($1_ssh_t)

	dev_read_urand($1_ssh_t)

	fs_getattr_all_fs($1_ssh_t)
	fs_search_auto_mountpoints($1_ssh_t)

	# run helper programs - needed eg for x11-ssh-askpass
	corecmd_exec_shell($1_ssh_t)
	corecmd_exec_bin($1_ssh_t)

	domain_use_interactive_fds($1_ssh_t)

	files_list_home($1_ssh_t)
	files_read_usr_files($1_ssh_t)
	files_read_etc_runtime_files($1_ssh_t)
	files_read_etc_files($1_ssh_t)
	files_read_var_files($1_ssh_t)

	auth_use_nsswitch($1_ssh_t)

	logging_send_syslog_msg($1_ssh_t)
	logging_read_generic_logs($1_ssh_t)

	miscfiles_read_localization($1_ssh_t)

	seutil_read_config($1_ssh_t)

	optional_policy(`
		kerberos_use($1_ssh_t)
	')
')
148
######################################
## <summary>
##	The template to define a domain to which sshd dyntransition.
## </summary>
## <desc>
##	<p>
##	The domain is declared here with the ssh_dyntransition_domain
##	attribute and is bound to system_r only; sshd_t is allowed to
##	dyntransition into it via ssh_dyntransition_to().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The full type name of the dyntransition domain; the type is
##	declared by this template (e.g. chroot_user_t).
##	</summary>
## </param>
#
template(`ssh_dyntransition_domain_template',`
	gen_require(`
		attribute ssh_dyntransition_domain;
	')

	type $1, ssh_dyntransition_domain;
	domain_type($1)
	role system_r types $1;

	# ssh_dyntransition_to() is defined in this same module, so the
	# optional block is always satisfied; kept as-is.
	optional_policy(`
		ssh_dyntransition_to($1)
	')
')

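#######################################
## <summary>
##	The template to define a ssh server.
## </summary>
## <desc>
##	<p>
##	This template creates a domain to be used for
##	creating a ssh server. This is typically done
##	to have multiple ssh servers of different sensitivities,
##	such as for an internal network-facing ssh server, and
##	a external network-facing ssh server.
##	</p>
##	<p>
##	The derived types are $1_t (the server domain, a member of
##	the ssh_server attribute), $1_devpts_t (login ptys),
##	$1_tmpfs_t and $1_var_run_t.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the server domain (e.g., sshd
##	is the prefix for sshd_t).
##	</summary>
## </param>
#
template(`ssh_server_template',`
	# The template references the shared ssh_server attribute and the
	# sshd executable/key types; require them so the template can also
	# be instantiated from a module other than ssh.te.
	gen_require(`
		attribute ssh_server;
		type sshd_exec_t, sshd_key_t;
	')

	type $1_t, ssh_server;
	auth_login_pgm_domain($1_t)

	type $1_devpts_t;
	term_login_pty($1_devpts_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_var_run_t;
	files_pid_file($1_var_run_t)

	# net_admin is for the tun/tap tunnel feature (corenet_rw_tun_tap_dev
	# below); setuid/setgid and the DAC/fowner bits for switching to the
	# authenticated user. sys_chroot is presumably for ChrootDirectory.
	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
	allow $1_t self:fifo_file rw_fifo_file_perms;
	# setexec: the server sets the context of the sessions it spawns.
	# (This rule was previously listed twice with the same permissions.)
	allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
	allow $1_t self:tcp_socket create_stream_socket_perms;
	allow $1_t self:udp_socket create_socket_perms;
	allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
	# ssh agent connections:
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:shm create_shm_perms;

	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
	term_create_pty($1_t, $1_devpts_t)

	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)

	allow $1_t $1_var_run_t:file manage_file_perms;
	files_pid_filetrans($1_t, $1_var_run_t, file)

	# Re-execute the server binary in the same domain.
	can_exec($1_t, sshd_exec_t)

	# Access key files (read only; nothing here lets the server write them)
	allow $1_t sshd_key_t:file read_file_perms;

	kernel_read_kernel_sysctls($1_t)
	kernel_read_network_state($1_t)
	kernel_request_load_module($1_t)

	corenet_all_recvfrom_unlabeled($1_t)
	corenet_all_recvfrom_netlabel($1_t)
	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_udp_sendrecv_generic_if($1_t)
	corenet_raw_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_generic_node($1_t)
	corenet_udp_sendrecv_generic_node($1_t)
	corenet_raw_sendrecv_generic_node($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_generic_node($1_t)
	corenet_udp_bind_generic_node($1_t)
	# Only the ssh port may be bound by this template.
	corenet_tcp_bind_ssh_port($1_t)
	# ssh server packets, also for the -R qualifier. This call was
	# previously listed twice; if -R remote forwarding needs a port bind
	# it is not granted here -- check the audit log before adding one.
	corenet_sendrecv_ssh_server_packets($1_t)
	# tunnel feature and -w (net_admin capability also)
	corenet_rw_tun_tap_dev($1_t)

	fs_getattr_all_fs($1_t)

	auth_rw_login_records($1_t)
	auth_rw_faillog($1_t)

	# for sshd subsystems, such as sftp-server: lookup only, no execute
	# permission on bin files is granted to $1_t here.
	# (corecmd_getattr_bin_files was previously listed twice.)
	corecmd_read_bin_symlinks($1_t)
	corecmd_getattr_bin_files($1_t)

	domain_interactive_fd($1_t)
	# $1_t may dyntransition; the targets for sshd_t are granted via
	# ssh_dyntransition_to().
	domain_dyntrans_type($1_t)

	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)
	files_read_usr_files($1_t)

	logging_search_logs($1_t)

	miscfiles_read_localization($1_t)

	userdom_dontaudit_relabelfrom_user_ptys($1_t)
	# user keys and config under home directories
	userdom_read_user_home_content_files($1_t)

	# Allow checking users mail at login
	mta_getattr_spool($1_t)

	# NOTE(review): userdom_home_manager grants broad management of user
	# home content to the server domain; confirm the read access above
	# is not already sufficient.
	userdom_home_manager($1_t)

	optional_policy(`
		kerberos_use($1_t)
		kerberos_manage_host_rcache($1_t)
	')

	optional_policy(`
		files_read_var_lib_symlinks($1_t)
		nx_spec_domtrans_server($1_t)
	')

	optional_policy(`
		rlogin_read_home_content($1_t)
	')

	optional_policy(`
		shutdown_getattr_exec_files($1_t)
	')
')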
300
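########################################
## <summary>
##	Role access for ssh
## </summary>
## <desc>
##	<p>
##	Allows the role and its user domain to run the ssh client
##	(ssh_t) and a per-role ssh agent domain ($1_ssh_agent_t),
##	and to manage the ssh_home_t keys and configuration.
##	</p>
## </desc>
## <param name="role_prefix">
##	<summary>
##	The prefix of the role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
## <rolecap/>
#
template(`ssh_role_template',`
	# NOTE(review): ssh_tmpfs_t and ssh_keysign_t are required but not
	# referenced below. ssh_tmpfs_t was previously listed twice.
	gen_require(`
		attribute ssh_server, ssh_agent_type;
		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
		type ssh_agent_exec_t, ssh_keysign_t;
		type ssh_agent_tmp_t;
	')

	##############################
	#
	# Declarations
	#

	role $2 types ssh_t;

	type $1_ssh_agent_t, ssh_agent_type;
	application_domain($1_ssh_agent_t, ssh_agent_exec_t)
	domain_interactive_fd($1_ssh_agent_t)
	ubac_constrained($1_ssh_agent_t)
	role $2 types $1_ssh_agent_t;

	##############################
	#
	# Local policy
	#

	# Transition from the domain to the derived domain.
	domtrans_pattern($3, ssh_exec_t, ssh_t)

	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms;

	# allow ps to show ssh
	ps_process_pattern($3, ssh_t)
	allow $3 ssh_t:process signal_perms;

	# for rsync
	allow ssh_t $3:unix_stream_socket rw_socket_perms;
	allow ssh_t $3:unix_stream_socket connectto;
	# kernel keyrings: the client manages the user domain's keys, the
	# user domain may only read the client's.
	allow ssh_t $3:key manage_key_perms;
	allow $3 ssh_t:key read;

	# user can manage the keys and config
	manage_files_pattern($3, ssh_home_t, ssh_home_t)
	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
	# Use the user domain parameter ($3) instead of assuming it is named
	# $1_t: the two agree for the usual ssh_role_template($1, $1_r, $1_t)
	# callers, but the parameter is the documented contract.
	userdom_search_user_home_dirs($3)
	userdom_manage_tmp_role($2, ssh_t)

	##############################
	#
	# SSH agent local policy
	#

	allow $1_ssh_agent_t self:process setrlimit;
	allow $1_ssh_agent_t self:capability setgid;

	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;

	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };

	# agent socket directory under /tmp
	manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
	manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
	files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })

	# for ssh-add
	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)

	# Allow the user shell to signal the ssh program.
	allow $3 $1_ssh_agent_t:process signal_perms;

	# allow ps to show ssh
	ps_process_pattern($3, $1_ssh_agent_t)

	domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)

	kernel_read_kernel_sysctls($1_ssh_agent_t)

	dev_read_urand($1_ssh_agent_t)
	dev_read_rand($1_ssh_agent_t)

	fs_search_auto_mountpoints($1_ssh_agent_t)

	# transition back to normal privs upon exec
	corecmd_shell_domtrans($1_ssh_agent_t, $3)
	corecmd_bin_domtrans($1_ssh_agent_t, $3)

	domain_use_interactive_fds($1_ssh_agent_t)

	files_read_etc_files($1_ssh_agent_t)
	files_read_etc_runtime_files($1_ssh_agent_t)

	libs_read_lib_files($1_ssh_agent_t)

	logging_send_syslog_msg($1_ssh_agent_t)

	miscfiles_read_localization($1_ssh_agent_t)
	miscfiles_read_generic_certs($1_ssh_agent_t)

	seutil_dontaudit_read_config($1_ssh_agent_t)

	# Write to the user domain tty.
	userdom_use_inherited_user_terminals($1_ssh_agent_t)

	# for the transition back to normal privs upon exec
	userdom_search_user_home_content($1_ssh_agent_t)
	userdom_user_home_domtrans($1_ssh_agent_t, $3)

	ssh_exec_keygen($3)

	# NOTE(review): userdom_home_manager gives the agent domain broad
	# management of user home content; the search access above looks
	# like all it needs -- confirm before keeping.
	userdom_home_manager($1_ssh_agent_t)

	optional_policy(`
		nis_use_ypbind($1_ssh_agent_t)
	')

	optional_policy(`
		xserver_use_xdm_fds($1_ssh_agent_t)
		xserver_rw_xdm_pipes($1_ssh_agent_t)
	')
')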
445
########################################
## <summary>
##	Send a SIGCHLD signal to the ssh server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_sigchld',`
	gen_require(`
		type sshd_t;
	')

	# sigchld only; see ssh_signal() for the generic signal permission.
	allow $1 sshd_t:process sigchld;
')
463
########################################
## <summary>
##	Send a generic signal to the ssh server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_signal',`
	gen_require(`
		type sshd_t;
	')

	# The single generic signal permission, not the full signal_perms set
	# (no sigkill/sigstop).
	allow $1 sshd_t:process signal;
')
481
########################################
## <summary>
##	Read a ssh server unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_read_pipes',`
	gen_require(`
		type sshd_t;
	')

	# Read side only; see ssh_rw_pipes() for read/write.
	allow $1 sshd_t:fifo_file read_fifo_file_perms;
')
499
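######################################
## <summary>
##	Read and write ssh server unix dgram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_rw_dgram_sockets',`
	gen_require(`
		type sshd_t;
	')

	# rw_socket_perms: the stream variant used before additionally
	# granted listen and accept, which have no meaning on a datagram
	# socket.
	allow $1 sshd_t:unix_dgram_socket rw_socket_perms;
')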
517
########################################
## <summary>
##	Read and write a ssh server unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_rw_pipes',`
	gen_require(`
		type sshd_t;
	')

	# Inherited variant: intended for a pipe passed in as an already open
	# file descriptor (presumably no open permission; check the macro).
	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
')
535
########################################
## <summary>
##	Read and write ssh server unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_rw_stream_sockets',`
	gen_require(`
		type sshd_t;
	')

	# Read/write on an existing sshd_t stream socket; no create.
	allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
')
553
########################################
## <summary>
##	Read and write ssh server TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_rw_tcp_sockets',`
	gen_require(`
		type sshd_t;
	')

	# For an sshd_t TCP socket the caller already holds (presumably the
	# inherited connection fd); no create permission is granted.
	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
')
571
########################################
## <summary>
##	Do not audit attempts to read and write
##	ssh server TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`ssh_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type sshd_t;
	')

	# Silences only read/write denials; nothing is allowed.
	dontaudit $1 sshd_t:tcp_socket { read write };
')
590
########################################
## <summary>
##	Connect to SSH daemons over TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_tcp_connect',`
	# Grants nothing; only emits a build-time deprecation warning.
	refpolicywarn(`$0($*) has been deprecated.')
')
604
########################################
## <summary>
##	Execute the ssh daemon sshd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ssh_domtrans',`
	gen_require(`
		type sshd_t, sshd_exec_t;
	')

	# Execute sshd_exec_t with an automatic transition into sshd_t.
	domtrans_pattern($1, sshd_exec_t, sshd_t)
')
622
########################################
## <summary>
##	Execute the sshd init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_initrc_domtrans',`
	gen_require(`
		type sshd_initrc_exec_t;
	')

	# Transition into the init script domain, not into sshd_t directly.
	init_labeled_script_domtrans($1, sshd_initrc_exec_t)
')
640
########################################
## <summary>
##	Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_exec',`
	gen_require(`
		type ssh_exec_t;
	')

	# No domain transition: the client runs with the caller's own
	# privileges (compare ssh_basic_client_template).
	corecmd_search_bin($1)
	can_exec($1, ssh_exec_t)
')
659
########################################
## <summary>
##	Set the attributes of sshd key files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_setattr_key_files',`
	gen_require(`
		type sshd_key_t;
	')

	# setattr only: no read or write of the key contents.
	allow $1 sshd_key_t:file setattr_file_perms;
	# NOTE(review): searching the pid directory looks unrelated to
	# sshd_key_t; presumably some caller reaches key files under a pid
	# path -- confirm, otherwise drop it.
	files_search_pids($1)
')
678
########################################
## <summary>
##	Execute the ssh agent client in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_agent_exec',`
	gen_require(`
		type ssh_agent_exec_t;
	')

	# No transition into an agent domain (compare ssh_role_template).
	corecmd_search_bin($1)
	can_exec($1, ssh_agent_exec_t)
')
697
########################################
## <summary>
##	Getattr ssh home directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_getattr_user_home_dir',`
	gen_require(`
		type ssh_home_t;
	')

	# getattr only; search on the parent home directory is not included.
	allow $1 ssh_home_t:dir getattr;
')
715
########################################
## <summary>
##	Dontaudit search ssh home directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`ssh_dontaudit_search_user_home_dir',`
	gen_require(`
		type ssh_home_t;
	')

	# Silences denials only; nothing is allowed.
	dontaudit $1 ssh_home_t:dir search_dir_perms;
')
733
########################################
## <summary>
##	Read ssh home directory content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_read_user_home_files',`
	gen_require(`
		type ssh_home_t;
	')

	# Read-only: files and symlinks, plus the directory listing.
	allow $1 ssh_home_t:dir list_dir_perms;
	read_files_pattern($1, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern($1, ssh_home_t, ssh_home_t)
	# Needed to reach ~/.ssh in the first place.
	userdom_search_user_home_dirs($1)
')
754
########################################
## <summary>
##	Execute the ssh key generator in the ssh keygen domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ssh_domtrans_keygen',`
	gen_require(`
		type ssh_keygen_t, ssh_keygen_exec_t;
	')

	# Automatic transition into ssh_keygen_t; the caller's role must
	# also be allowed ssh_keygen_t (see ssh_run_keygen()).
	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
772
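########################################
## <summary>
##	Execute the ssh key generator in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_exec_keygen',`
	gen_require(`
		type ssh_keygen_exec_t;
	')

	# No domain transition (compare ssh_domtrans_keygen). Search on the
	# bin directories is granted as in ssh_exec() and ssh_agent_exec(),
	# so the caller can actually reach the executable.
	corecmd_search_bin($1)
	can_exec($1, ssh_keygen_exec_t)
')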
790
#######################################
## <summary>
##	Execute ssh-keygen in the ssh keygen domain, and
##	allow the specified role the ssh-keygen domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ssh_run_keygen',`
	gen_require(`
		type ssh_keygen_t;
	')

	# The role authorisation is what ssh_domtrans_keygen() alone lacks.
	role $2 types ssh_keygen_t;
	ssh_domtrans_keygen($1)
')
816
########################################
## <summary>
##	Do not audit attempts to read ssh server keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`ssh_dontaudit_read_server_keys',`
	gen_require(`
		type sshd_key_t;
	')

	# Silences denials only; no read access to the keys is granted.
	dontaudit $1 sshd_key_t:file read_file_perms;
')
834
######################################
## <summary>
##	Manage ssh home directory content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_manage_home_files',`
	gen_require(`
		type ssh_home_t;
	')

	# Regular files only: no symlink, socket or directory management
	# (compare the manage_*_pattern set in ssh_role_template).
	manage_files_pattern($1, ssh_home_t, ssh_home_t)
	userdom_search_user_home_dirs($1)
')
853
#######################################
## <summary>
##	Delete from the ssh temp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_delete_tmp',`
	gen_require(`
		type sshd_tmp_t;
	')

	# Delete only: no read or write of the temporary file contents.
	files_search_tmp($1)
	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
872
########################################
## <summary>
##	Send a null signal to sshd processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_signull',`
	gen_require(`
		type sshd_t;
	')

	# signull only (existence check); nothing that can stop the server.
	allow $1 sshd_t:process signull;
')
890
#####################################
## <summary>
##	Allow sshd to dyntransition to the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that sshd_t may dyntransition into.
##	</summary>
## </param>
#
interface(`ssh_dyntransition_to',`
	gen_require(`
		type sshd_t;
	')

	# Both directions of the pair: sshd_t changes its own context to $1,
	# and $1 may deliver sigchld back to sshd_t.
	allow sshd_t $1:process dyntransition;
	allow $1 sshd_t:process sigchld;
')
909
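########################################
## <summary>
##	Create .ssh directory and .shosts file in the /root directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_filetrans_admin_home_content',`
	gen_require(`
		type ssh_home_t;
	')

	userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
	# ~/.shosts is a regular file, not a directory; with class dir the
	# named transition never matched and the file kept the default home
	# label.
	userdom_admin_home_dir_filetrans($1, ssh_home_t, file, ".shosts")
')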
929
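########################################
## <summary>
##	Create .ssh directory and .shosts file in the user home directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_filetrans_home_content',`
	gen_require(`
		type ssh_home_t;
	')

	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
	# ~/.shosts is a regular file, not a directory; with class dir the
	# named transition never matched and the file kept the default home
	# label.
	userdom_user_home_dir_filetrans($1, ssh_home_t, file, ".shosts")
')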