')
')
+######################################
+## <summary>
+## The template to define a domain to which sshd dyntransition.
+## </summary>
+## <param name="domain">
+## <summary>
+## The prefix of the dyntransition domain
+## </summary>
+## </param>
+#
+template(`ssh_dyntransition_domain_template',`
+ gen_require(`
+ attribute ssh_dyntransition_domain;
+ ')
+
+ type $1, dyntransition_domain;
+ domain_type($1)
+ role system_r types $1;
+
+ optional_policy(`
+ ssh_dyntransition_to($1)
+ ')
+')
#######################################
## <summary>
## The template to define a ssh server.
## </summary>
## </param>
#
-interface(`ssh_dyntransition_chroot_user',`
+interface(`ssh_dyntransition_to',`
gen_require(`
- type chroot_user_t;
+ type sshd_t;
')
- allow $1 chroot_user_t:process dyntransition;
- allow chroot_user_t $1:process sigchld;
+ allow sshd_t $1:process dyntransition;
+ allow $1 sshd_t:process sigchld;
')
########################################
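Review bot: The renamed interface inverts what `$1` means, and nothing visible in the hunk documents that: in `ssh_dyntransition_chroot_user` `$1` was the domain allowed to transition into `chroot_user_t`, while in `ssh_dyntransition_to` it is the target that `sshd_t` may dyntransition into. The `<summary>` and `<param>` text sits above the hunk, so I cannot see whether it was updated; it should read along the lines of `## Allow sshd to dyntransition to the specified domain.`, with the parameter described as `## Domain sshd is allowed to dyntransition to.`. Because the old name is dropped outright, any module outside this patch that still calls `ssh_dyntransition_chroot_user` will stop building, so other callers are worth checking for.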
## </desc>
gen_tunable(ssh_chroot_rw_homedirs, false)
+attribute ssh_dyntrasition_domain;
attribute ssh_server;
attribute ssh_agent_type;
+ssh_dyntransition_domain_template(chroot_user_t)
+ssh_dyntransition_domain_template(sshd_sandbox_t)
+
type chroot_user_t;
domain_type(chroot_user_t)
role system_r types chroot_user_t;
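Review bot: The attribute declared here is spelled `ssh_dyntrasition_domain` (missing an `n`), while the template's `gen_require` and the new local-policy rules use `ssh_dyntransition_domain`, and the template's type line attaches yet another name, `type $1, dyntransition_domain;`. With three names that do not agree, the capability and socket rules written against `ssh_dyntransition_domain` are not bound to `chroot_user_t` or `sshd_sandbox_t`, and the policy is unlikely to compile. Declare `attribute ssh_dyntransition_domain;` here and use `type $1, ssh_dyntransition_domain;` in the template hunk. Separately, `ssh_dyntransition_domain_template(chroot_user_t)` now declares the type, domain and role, yet `type chroot_user_t;`, `domain_type(chroot_user_t)` and `role system_r types chroot_user_t;` remain as context below it, which looks like a duplicate declaration that should be removed.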
rssh_read_ro_content(sshd_t)
')
-optional_policy(`
- ssh_dyntransition_chroot_user(sshd_t)
-')
-
optional_policy(`
systemd_exec_systemctl(sshd_t)
')
udev_read_db(ssh_keygen_t)
')
+####################################
+#
+# ssh_dyntransition domain local policy
+#
+
+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
+
+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
+
+optional_policy(`
+ ssh_rw_stream_sockets(ssh_dyntransition_domain)
+ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
+')
+
+#####################################
+#
+# ssh_sandbox local policy
+#
+
+allow sshd_t sshd_sandbox_t:process signal;
+
+init_ioctl_stream_sockets(sshd_sandbox_t)
+
+logging_send_audit_msgs(sshd_sandbox_t)
+
######################################
#
# chroot_user_t local policy
#
-allow chroot_user_t self:capability { setuid sys_chroot setgid };
-
-allow chroot_user_t self:fifo_file rw_fifo_file_perms;
userdom_read_user_home_content_files(chroot_user_t)
userdom_read_inherited_user_home_content_files(chroot_user_t)
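Review bot: Moving `allow ... self:capability { setuid sys_chroot setgid };` from `chroot_user_t` onto the `ssh_dyntransition_domain` attribute also hands those three capabilities to `sshd_sandbox_t` and to every domain later created through `ssh_dyntransition_domain_template`. Nothing in the hunk says the sandbox domain needs them; if it does (presumably to chroot and change uid/gid after the transition), a comment such as `# dyntransition targets chroot and switch uid/gid themselves` above the rule would record why. If it does not, keep the capability rule on `chroot_user_t` and grant `sshd_sandbox_t` only what its audit denials show it requires. The same question applies to the shared `ssh_rw_stream_sockets`/`ssh_rw_tcp_sockets` block that is now attribute-wide.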
')
optional_policy(`
- ssh_rw_stream_sockets(chroot_user_t)
- ssh_rw_tcp_sockets(chroot_user_t)
ssh_rw_dgram_sockets(chroot_user_t)
')
init_dontaudit_use_script_fds($1)
')
+#######################################
+## <summary>
+## Allow the specified domain to ioctl an
+## init with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_ioctl_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket ioctl;
+')
+
########################################
## <summary>
## Allow the specified domain to read/write to