The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinguish between actual unlabeled packets and those packets which have MLS security attributes.
policy_module(ssh, 1.6.2)

########################################
#
# Declarations
#
# Domains declared by this module: sshd_t (the ssh daemon), sshd_extern_t
# (a second server domain produced by ssh_server_template) and ssh_keygen_t
# (the ssh-keygen program).  Both tunables default to off.
#

## <desc>
## <p>
## allow host key based authentication
## </p>
## </desc>
gen_tunable(allow_ssh_keysign, false)

## <desc>
## <p>
## Allow ssh logins as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(ssh_sysadm_login, false)

# Attribute shared by the domains created through ssh_server_template.
attribute ssh_server;

# Type for the ssh-agent executable.
type ssh_agent_exec_t;
files_type(ssh_agent_exec_t)

# ssh client executable.
type ssh_exec_t;
corecmd_executable_file(ssh_exec_t)

# ssh-keygen runs as a system domain in role system_r (local policy below).
type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
role system_r types ssh_keygen_t;

# Executable used for host key based (keysign) authentication.
type ssh_keysign_exec_t;
corecmd_executable_file(ssh_keysign_exec_t)

# sshd executable; the daemon domains are derived from it below.
type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)

# sshd_t and sshd_extern_t both come out of ssh_server_template; only sshd_t
# is wired up as an init daemon here.
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)

ssh_server_template(sshd_extern)

# Host key files; ssh_keygen_t creates them in /etc (see files_etc_filetrans).
type sshd_key_t;
files_type(sshd_key_t)

# sshd private tmp content, marked as a polyinstantiation parent.
type sshd_tmp_t;
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)

ifdef(`enable_mcs',`
	# With MCS the daemon is started with the range s0 - mcs_systemhigh.
	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')

#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#

# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };

# Full control over its own tmp dirs, files and sockets, which are created
# in /tmp with the sshd_tmp_t label.
manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })

# Kernel keyring access to go with the self:key rule above.
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)

# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)

ifdef(`targeted_policy',`
	# NOTE(review): under the targeted policy sshd_t is made unconfined, so the
	# fine-grained rules in this section effectively only matter for strict policy.
	unconfined_domain(sshd_t)
')

# The ssh_sysadm_login tunable decides how far a login may go: with it on,
# sshd may transition into every user domain (sysadm included) and handle
# every user pty; with it off (the default) only unprivileged users.
tunable_policy(`ssh_sysadm_login',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	term_use_all_user_ptys(sshd_t)
	term_setattr_all_user_ptys(sshd_t)
	term_relabelto_all_user_ptys(sshd_t)

	userdom_spec_domtrans_all_users(sshd_t)
	userdom_signal_all_users(sshd_t)
',`
	userdom_spec_domtrans_unpriv_users(sshd_t)
	userdom_signal_unpriv_users(sshd_t)

	userdom_setattr_unpriv_users_ptys(sshd_t)
	userdom_relabelto_unpriv_users_ptys(sshd_t)
	userdom_use_unpriv_users_ptys(sshd_t)
')

optional_policy(`
	daemontools_service_domain(sshd_t, sshd_exec_t)
')

optional_policy(`
	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')

optional_policy(`
	rpm_use_script_fds(sshd_t)
')

optional_policy(`
	rssh_spec_domtrans_all_users(sshd_t)
	# For reading /home/user/.ssh
	rssh_read_all_users_ro_content(sshd_t)
')

# Disabled block: TODO is presumably never defined, so nothing in here is
# expanded.  It is the pre-interface version of the pty and xauth rules that
# the tunable_policy block above now expresses through interfaces.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_t ptyfile:chr_file relabelto;

optional_policy(`
domain_trans(sshd_t, xauth_exec_t, userdomain)
')
',`
optional_policy(`
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
')
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
')
') dnl endif TODO

#################################
#
# sshd_extern local policy
#
# sshd_extern_t is the domain for ssh from outside our network
#
# Everything below sits under an (presumably undefined) TODO guard, so in
# practice sshd_extern_t only has what ssh_server_template grants it.
#

ifdef(`strict_policy',`
ifdef(`TODO',`
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)

domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
# Signal the user domains.
allow sshd_extern_t user_mini_domain:process signal;

ifdef(`xauth.te', `
domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
')

# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };

# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;

optional_policy(`
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
')

ifdef(`direct_sysadm_daemon', `
# Direct execution by sysadm_r.
domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
role_transition sysadm_r sshd_exec_t system_r;
')
') dnl endif TODO
')

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t

dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };

allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

# Host keys: full file control, and files it creates in /etc get sshd_key_t.
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)

kernel_read_kernel_sysctls(ssh_keygen_t)

fs_search_auto_mountpoints(ssh_keygen_t)

# Entropy for key generation comes from the urandom device.
dev_read_sysfs(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

domain_use_interactive_fds(ssh_keygen_t)

files_read_etc_files(ssh_keygen_t)

init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)

libs_use_ld_so(ssh_keygen_t)
libs_use_shared_libs(ssh_keygen_t)

logging_send_syslog_msg(ssh_keygen_t)

# NOTE(review): proc_t is referenced directly instead of through a kernel
# interface (e.g. kernel_read_system_state); refpolicy convention is to
# never name another module types in a .te file.
allow ssh_keygen_t proc_t:dir r_dir_perms;
allow ssh_keygen_t proc_t:lnk_file read;

userdom_use_sysadm_ttys(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)

# cjp: with the old daemon_(base_)domain being broken up into
# a daemon and system interface, this probably is not needed:
ifdef(`direct_sysadm_daemon',`
	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
')

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
	term_dontaudit_use_generic_ptys(ssh_keygen_t)
	files_dontaudit_read_root_files(ssh_keygen_t)
')

optional_policy(`
	nscd_socket_use(ssh_keygen_t)
')

optional_policy(`
	seutil_sigchld_newrole(ssh_keygen_t)
')

optional_policy(`
	udev_read_db(ssh_keygen_t)
')