## <summary>Secure shell client and server policy.</summary>
#######################################
## <summary>
##	Basic SSH client template.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domain which is used
##	for ssh client sessions.  The shared ssh_home_t type
##	(not a per-user derived type) protects the user ssh
##	keys and configuration.
##	</p>
##	<p>
##	This template was added for NX.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`ssh_basic_client_template',`
	gen_require(`
		attribute ssh_server;
		type ssh_exec_t, sshd_key_t, sshd_tmp_t;
		type ssh_home_t;
	')

	##############################
	#
	# Declarations
	#

	# $1_ssh_t is the per-prefix ssh client domain; it is entered from
	# $2 through ssh_exec_t (domtrans below) and runnable by role $3.
	type $1_ssh_t;
	application_domain($1_ssh_t, ssh_exec_t)
	role $3 types $1_ssh_t;

	##############################
	#
	# Client local policy
	#

	allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
	# Every process permission except the listed ones: the client may not
	# ptrace, may not change its own context (setcurrent/setexec/setfscreate),
	# may not raise rlimits and gets none of the executable-memory permissions.
	allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_ssh_t self:fd use;
	allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
	allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
	allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_ssh_t self:shm create_shm_perms;
	allow $1_ssh_t self:sem create_sem_perms;
	allow $1_ssh_t self:msgq create_msgq_perms;
	allow $1_ssh_t self:msg { send receive };
	allow $1_ssh_t self:tcp_socket create_stream_socket_perms;

	# for rsync: read/write and connect to unix stream sockets
	# owned by the calling user domain.
	allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
	allow $1_ssh_t $2:unix_stream_socket connectto;

	# Read the ssh server key files (sshd_key_t), read-only.
	# NOTE(review): presumably for host-based authentication — confirm.
	allow $1_ssh_t sshd_key_t:file read_file_perms;

	# Access the ssh temporary files.
	allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
	allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
	files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })

	# Transition from the domain to the derived domain.
	domtrans_pattern($2, ssh_exec_t, $1_ssh_t)

	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	# cjp: should probably fix target to be an attribute for ssh servers
	# or "regular" (not special like sshd_extern_t) servers
	allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;

	# allow ps to show ssh
	ps_process_pattern($2, $1_ssh_t)

	# user can manage the keys and config
	manage_files_pattern($2, ssh_home_t, ssh_home_t)
	manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
	manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)

	# ssh client can manage the keys and config
	manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)

	# ssh servers can read the user keys and config
	# (every domain carrying the ssh_server attribute, read-only).
	allow ssh_server ssh_home_t:dir list_dir_perms;
	read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)

	kernel_read_kernel_sysctls($1_ssh_t)
	kernel_read_system_state($1_ssh_t)

	corenet_all_recvfrom_unlabeled($1_ssh_t)
	corenet_all_recvfrom_netlabel($1_ssh_t)
	corenet_tcp_sendrecv_generic_if($1_ssh_t)
	corenet_tcp_sendrecv_generic_node($1_ssh_t)
	corenet_tcp_sendrecv_all_ports($1_ssh_t)
	# Outbound connections are limited to the ssh port.
	corenet_tcp_connect_ssh_port($1_ssh_t)
	corenet_sendrecv_ssh_client_packets($1_ssh_t)
	# Listening sockets on any unreserved port.
	# NOTE(review): presumably for port-forwarding listeners — confirm.
	corenet_tcp_bind_generic_node($1_ssh_t)
	corenet_tcp_bind_all_unreserved_ports($1_ssh_t)

	dev_read_urand($1_ssh_t)

	fs_getattr_all_fs($1_ssh_t)
	fs_search_auto_mountpoints($1_ssh_t)

	# run helper programs - needed eg for x11-ssh-askpass
	# (executed in the client domain itself, no transition)
	corecmd_exec_shell($1_ssh_t)
	corecmd_exec_bin($1_ssh_t)

	domain_use_interactive_fds($1_ssh_t)

	files_list_home($1_ssh_t)
	files_read_usr_files($1_ssh_t)
	files_read_etc_runtime_files($1_ssh_t)
	files_read_etc_files($1_ssh_t)
	files_read_var_files($1_ssh_t)

	auth_use_nsswitch($1_ssh_t)

	logging_send_syslog_msg($1_ssh_t)
	logging_read_generic_logs($1_ssh_t)

	miscfiles_read_localization($1_ssh_t)

	seutil_read_config($1_ssh_t)

	optional_policy(`
		kerberos_use($1_ssh_t)
	')
')

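#######################################
## <summary>
##	The template to define a ssh server.
## </summary>
## <desc>
##	<p>
##	This template creates the domain and private types used
##	for an ssh server.  This is typically done
##	to have multiple ssh servers of different sensitivities,
##	such as for an internal network-facing ssh server, and
##	an external network-facing ssh server.
##	</p>
##	<p>
##	The template has no gen_require block: it refers to
##	sshd_exec_t, sshd_key_t and the ssh_server attribute
##	directly, so it is expected to be expanded from within
##	the ssh module.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the server domain (e.g., sshd
##	is the prefix for sshd_t).
##	</summary>
## </param>
#
template(`ssh_server_template',`
	##############################
	#
	# Declarations
	#

	# $1_t is the server domain; ssh_server marks it so that
	# client templates can grant access to any ssh server.
	type $1_t, ssh_server;
	auth_login_pgm_domain($1_t)

	# Per-server pty, tmpfs and pid file types.
	type $1_devpts_t;
	term_login_pty($1_devpts_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_var_run_t;
	files_pid_file($1_var_run_t)

	##############################
	#
	# Server local policy
	#

	# net_admin goes with the tunnel (-w) feature granted below.
	# NOTE(review): sys_chroot is presumably for chrooted sessions — confirm.
	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
	allow $1_t self:fifo_file rw_fifo_file_perms;
	# setexec: the server sets the context of the processes it spawns.
	allow $1_t self:process { signal getsched setsched setrlimit setexec };
	allow $1_t self:tcp_socket create_stream_socket_perms;
	allow $1_t self:udp_socket create_socket_perms;
	# ssh agent connections:
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:shm create_shm_perms;

	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
	term_create_pty($1_t, $1_devpts_t)

	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)

	allow $1_t $1_var_run_t:file manage_file_perms;
	files_pid_filetrans($1_t, $1_var_run_t, file)

	can_exec($1_t, sshd_exec_t)

	# Access key files: host keys are read-only for the server domain.
	allow $1_t sshd_key_t:file read_file_perms;

	kernel_read_kernel_sysctls($1_t)
	kernel_read_network_state($1_t)
	# Fixed: this was kernel_request_load_module(ssh_t), which targeted
	# the client domain instead of the server domain declared here.
	kernel_request_load_module($1_t)

	corenet_all_recvfrom_unlabeled($1_t)
	corenet_all_recvfrom_netlabel($1_t)
	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_udp_sendrecv_generic_if($1_t)
	corenet_raw_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_generic_node($1_t)
	corenet_udp_sendrecv_generic_node($1_t)
	corenet_raw_sendrecv_generic_node($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_generic_node($1_t)
	corenet_udp_bind_generic_node($1_t)
	corenet_tcp_bind_ssh_port($1_t)
	corenet_sendrecv_ssh_server_packets($1_t)
	# NOTE(review): a second, identical corenet_sendrecv_ssh_server_packets
	# call used to follow here under the comment "-R qualifier"; it added
	# nothing, so it was dropped.  Whatever remote forwarding (-R) needs
	# beyond the rules above is not granted here — confirm.
	# tunnel feature and -w (net_admin capability also)
	corenet_rw_tun_tap_dev($1_t)

	fs_dontaudit_getattr_all_fs($1_t)

	# utmp/wtmp and faillog updates on login.
	auth_rw_login_records($1_t)
	auth_rw_faillog($1_t)

	corecmd_read_bin_symlinks($1_t)
	# for sshd subsystems, such as sftp-server.
	# (was listed twice; the duplicate call was removed)
	corecmd_getattr_bin_files($1_t)

	domain_interactive_fd($1_t)
	# NOTE(review): dynamic transitions let the server change its own
	# context without an exec; presumably used to enter the session
	# context for the logged-in user — confirm.
	domain_dyntrans_type($1_t)

	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)
	files_read_usr_files($1_t)

	logging_search_logs($1_t)

	miscfiles_read_localization($1_t)

	userdom_dontaudit_relabelfrom_user_ptys($1_t)
	# Read-only access to user home content (presumably for authorized_keys).
	userdom_read_user_home_content_files($1_t)

	# Allow checking users mail at login
	# NOTE(review): unlike the module interfaces below, this one is not
	# inside optional_policy — confirm that is intended.
	mta_getattr_spool($1_t)

	tunable_policy(`use_nfs_home_dirs',`
		fs_read_nfs_files($1_t)
		fs_read_nfs_symlinks($1_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_read_cifs_files($1_t)
	')

	optional_policy(`
		kerberos_use($1_t)
		kerberos_manage_host_rcache($1_t)
	')

	optional_policy(`
		files_read_var_lib_symlinks($1_t)
		nx_spec_domtrans_server($1_t)
	')

	optional_policy(`
		rlogin_read_home_content($1_t)
	')

	optional_policy(`
		shutdown_getattr_exec_files($1_t)
	')
')
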
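########################################
## <summary>
##	Role access for ssh
## </summary>
## <desc>
##	<p>
##	Gives a role and its user domain access to the ssh client
##	(ssh_t) and creates a per-role ssh agent domain
##	($1_ssh_agent_t) that the user domain can transition into.
##	</p>
## </desc>
## <param name="role_prefix">
##	<summary>
##	The prefix of the role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
template(`ssh_role_template',`
	gen_require(`
		attribute ssh_server, ssh_agent_type;
		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
		# NOTE(review): ssh_keysign_t and ssh_tmpfs_t are not used in
		# this template body; kept for callers that may rely on them.
		type ssh_agent_exec_t, ssh_keysign_t;
		type ssh_agent_tmp_t;
	')

	##############################
	#
	# Declarations
	#

	role $2 types ssh_t;

	# Per-role ssh agent domain, entered from $3 via ssh_agent_exec_t.
	type $1_ssh_agent_t, ssh_agent_type;
	application_domain($1_ssh_agent_t, ssh_agent_exec_t)
	domain_interactive_fd($1_ssh_agent_t)
	ubac_constrained($1_ssh_agent_t)
	role $2 types $1_ssh_agent_t;

	##############################
	#
	# Local policy
	#

	# Transition from the domain to the derived domain.
	domtrans_pattern($3, ssh_exec_t, ssh_t)

	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms;

	# allow ps to show ssh
	ps_process_pattern($3, ssh_t)
	# ptrace gives the user domain read/write access to the client's
	# process memory; it is the user's own client, but worth knowing.
	allow $3 ssh_t:process { ptrace signal_perms };

	# for rsync
	allow ssh_t $3:unix_stream_socket rw_socket_perms;
	allow ssh_t $3:unix_stream_socket connectto;

	# user can manage the keys and config
	manage_files_pattern($3, ssh_home_t, ssh_home_t)
	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
	# Fixed: this was userdom_search_user_home_dirs($1_t), i.e. the
	# prefix-derived name rather than the user domain passed as $3.
	userdom_search_user_home_dirs($3)
	userdom_manage_tmp_role($2, ssh_t)

	##############################
	#
	# SSH agent local policy
	#

	allow $1_ssh_agent_t self:process setrlimit;
	allow $1_ssh_agent_t self:capability setgid;

	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;

	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };

	# Agent socket directory under tmp.
	manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
	manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
	files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })

	# for ssh-add: the user domain connects to the agent socket.
	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)

	# Allow the user shell to signal the ssh program.
	allow $3 $1_ssh_agent_t:process { ptrace signal_perms };

	# allow ps to show ssh
	ps_process_pattern($3, $1_ssh_agent_t)

	domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)

	kernel_read_kernel_sysctls($1_ssh_agent_t)

	dev_read_urand($1_ssh_agent_t)
	dev_read_rand($1_ssh_agent_t)

	fs_search_auto_mountpoints($1_ssh_agent_t)

	# transition back to normal privs upon exec
	corecmd_shell_domtrans($1_ssh_agent_t, $3)
	corecmd_bin_domtrans($1_ssh_agent_t, $3)

	domain_use_interactive_fds($1_ssh_agent_t)

	files_read_etc_files($1_ssh_agent_t)
	files_read_etc_runtime_files($1_ssh_agent_t)

	libs_read_lib_files($1_ssh_agent_t)

	logging_send_syslog_msg($1_ssh_agent_t)

	miscfiles_read_localization($1_ssh_agent_t)
	miscfiles_read_generic_certs($1_ssh_agent_t)

	seutil_dontaudit_read_config($1_ssh_agent_t)

	# Write to the user domain tty.
	userdom_use_user_terminals($1_ssh_agent_t)

	# for the transition back to normal privs upon exec
	userdom_search_user_home_content($1_ssh_agent_t)
	userdom_user_home_domtrans($1_ssh_agent_t, $3)

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_files($1_ssh_agent_t)

		# transition back to normal privs upon exec
		fs_nfs_domtrans($1_ssh_agent_t, $3)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_files($1_ssh_agent_t)

		# transition back to normal privs upon exec
		fs_cifs_domtrans($1_ssh_agent_t, $3)
	')

	optional_policy(`
		nis_use_ypbind($1_ssh_agent_t)
	')

	optional_policy(`
		xserver_use_xdm_fds($1_ssh_agent_t)
		xserver_rw_xdm_pipes($1_ssh_agent_t)
	')
')
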
########################################
## <summary>
##	Send a SIGCHLD signal to the ssh server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_sigchld',`
	gen_require(`
		type sshd_t;
	')

	# Only sigchld (the child-exited notification), not general signals.
	allow $1 sshd_t:process sigchld;
')

########################################
## <summary>
##	Send a generic signal to the ssh server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_signal',`
	gen_require(`
		type sshd_t;
	')

	# Generic signals only; kill, stop and sigchld are separate permissions.
	allow $1 sshd_t:process signal;
')

########################################
## <summary>
##	Read a ssh server unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_read_pipes',`
	gen_require(`
		type sshd_t;
	')

	# Read side only; see ssh_rw_pipes for read/write on inherited pipes.
	allow $1 sshd_t:fifo_file read_fifo_file_perms;
')

########################################
## <summary>
##	Read and write a ssh server unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_rw_pipes',`
	gen_require(`
		type sshd_t;
	')

	# rw_inherited_fifo_file_perms: read/write on a pipe handed over
	# by sshd, without the permission to open it.
	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Read and write ssh server unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_rw_stream_sockets',`
	gen_require(`
		type sshd_t;
	')

	# Only sshd_t itself, not every ssh_server domain.
	allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
')

########################################
## <summary>
##	Read and write ssh server TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_rw_tcp_sockets',`
	gen_require(`
		type sshd_t;
	')

	# Read/write on a TCP socket the caller already holds from sshd
	# (e.g. an inherited connection); no socket creation is granted.
	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	ssh server TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`ssh_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type sshd_t;
	')

	# Silences the denial only; access is still refused.
	dontaudit $1 sshd_t:tcp_socket { read write };
')

########################################
## <summary>
##	Connect to SSH daemons over TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_tcp_connect',`
	# No rules are generated: this only emits a build-time deprecation
	# warning, so callers get no access from it.
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Execute the ssh daemon in the sshd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ssh_domtrans',`
	gen_require(`
		type sshd_t, sshd_exec_t;
	')

	# Automatic transition: executing sshd_exec_t from $1 enters sshd_t.
	domtrans_pattern($1, sshd_exec_t, sshd_t)
')

########################################
## <summary>
##	Execute the sshd init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_initrc_domtrans',`
	gen_require(`
		type sshd_initrc_exec_t;
	')

	# Runs the sshd_initrc_exec_t script through the init script
	# transition; this does not enter sshd_t directly.
	init_labeled_script_domtrans($1, sshd_initrc_exec_t)
')

########################################
## <summary>
##	Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_exec',`
	gen_require(`
		type ssh_exec_t;
	')

	corecmd_search_bin($1)
	# No domain transition: the client runs with the caller's own privileges.
	can_exec($1, ssh_exec_t)
')

########################################
## <summary>
##	Set the attributes of sshd key files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_setattr_key_files',`
	gen_require(`
		type sshd_key_t;
	')

	# Attribute changes only; no read or write of the key material.
	allow $1 sshd_key_t:file setattr_file_perms;
	# NOTE(review): searching the pid directory implies sshd_key_t content
	# is expected there as well — confirm against the file contexts.
	files_search_pids($1)
')

########################################
## <summary>
##	Execute the ssh agent client in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_agent_exec',`
	gen_require(`
		type ssh_agent_exec_t;
	')

	corecmd_search_bin($1)
	# No domain transition: the agent runs in $1 itself, so its keys are
	# only as isolated as the caller domain.
	can_exec($1, ssh_agent_exec_t)
')

########################################
## <summary>
##	Read ssh home directory content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_read_user_home_files',`
	gen_require(`
		type ssh_home_t;
	')

	# Read-only: list the directory, read files and symlinks.
	allow $1 ssh_home_t:dir list_dir_perms;
	read_files_pattern($1, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern($1, ssh_home_t, ssh_home_t)
	# Needed to reach ssh_home_t underneath the user home directory.
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Execute the ssh key generator in the ssh keygen domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ssh_domtrans_keygen',`
	gen_require(`
		type ssh_keygen_t, ssh_keygen_exec_t;
	')

	# Automatic transition: executing ssh_keygen_exec_t from $1 enters ssh_keygen_t.
	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')

########################################
## <summary>
##	Do not audit attempts to read ssh server keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`ssh_dontaudit_read_server_keys',`
	gen_require(`
		type sshd_key_t;
	')

	# Silences the denial only; the key files stay unreadable to $1.
	dontaudit $1 sshd_key_t:file read_file_perms;
')

######################################
## <summary>
##	Manage ssh home directory content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_manage_home_files',`
	gen_require(`
		type ssh_home_t;
	')

	# Full create/read/write/delete on ssh_home_t files (keys and config);
	# symlinks and sockets are not covered here.
	manage_files_pattern($1, ssh_home_t, ssh_home_t)
	# Needed to reach ssh_home_t underneath the user home directory.
	userdom_search_user_home_dirs($1)
')

#######################################
## <summary>
##	Delete from the ssh temp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_delete_tmp',`
	gen_require(`
		type sshd_tmp_t;
	')

	files_search_tmp($1)
	# Delete only; no read or write of sshd_tmp_t file content.
	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')

########################################
## <summary>
##	Send a null signal to sshd processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_signull',`
	gen_require(`
		type sshd_t;
	')

	# signull only checks that the process exists; it delivers nothing.
	allow $1 sshd_t:process signull;
')