selinux-policy/policy/modules/services/ssh.te
# SELinux reference-policy module for OpenSSH: the client (ssh_t), the server
# (sshd_t), ssh-keygen (ssh_keygen_t) and ssh-keysign (ssh_keysign_t).
# One declarations section is followed by a "local policy" section per
# domain.  The bodies of the interfaces, templates and *_pattern macros called
# here live in other modules and are not visible in this file.
policy_module(ssh, 2.2.0)
########################################
#
# Declarations
#
# Booleans.  All three default to false and each one only widens what a
# domain may do, so the shipped default is the restrictive one.
#
# allow_ssh_keysign gates both the ssh_t -> ssh_keysign_t transition and
# every rule in the ssh_keysign_t section (the helper reads the host key
# files, sshd_key_t).
## <desc>
## <p>
## allow host key based authentication
## </p>
## </desc>
gen_tunable(allow_ssh_keysign, false)
# ssh_sysadm_login gates the extra sshd_t rules in the sshd section; the
# sysadm transition itself is not expressed in this file.
## <desc>
## <p>
## Allow ssh logins as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(ssh_sysadm_login, false)
# sshd_forward_ports lets sshd_t bind any unreserved TCP port and connect to
# any TCP port (sshd section below) — a broad grant, hence off by default.
## <desc>
## <p>
## allow sshd to forward port connections
## </p>
## </desc>
gen_tunable(sshd_forward_ports, false)
# Attributes.  ssh_server collects the SSH server domains (presumably added by
# ssh_server_template); the client section grants every member management of
# ssh_home_t.  ssh_agent_type collects the agent domains whose
# ssh_agent_tmp_t sockets the client may connect to.
attribute ssh_server;
attribute ssh_agent_type;
# ssh-keygen as run from init / install scripts; it creates the host keys.
type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
# sshd.  sshd_t is not declared in this file; it presumably comes from
# ssh_server_template(sshd) together with the server's base rules.  The
# daemon is entered from init through sshd_exec_t.
type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
type sshd_initrc_exec_t;
init_script_file(sshd_initrc_exec_t)
# Host key files: read by ssh_t and ssh_keysign_t, managed by ssh_keygen_t.
type sshd_key_t;
files_type(sshd_key_t)
# The ssh client.  The typealias lines keep the older per-role names
# (user_ssh_t, staff_ssh_t, ...) resolving to the single ssh_t type.
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
application_domain(ssh_t, ssh_exec_t)
ubac_constrained(ssh_t)
# ssh-agent binary and the tmp type its sockets are created with.
type ssh_agent_exec_t;
corecmd_executable_file(ssh_agent_exec_t)
type ssh_agent_tmp_t;
typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
files_tmp_file(ssh_agent_tmp_t)
ubac_constrained(ssh_agent_tmp_t)
# ssh-keysign helper domain, entered from ssh_t only while allow_ssh_keysign
# is on.
type ssh_keysign_t;
type ssh_keysign_exec_t;
typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
application_domain(ssh_keysign_t, ssh_keysign_exec_t)
ubac_constrained(ssh_keysign_t)
# Client tmpfs content; also handed to the X11 template in the client section.
type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
files_tmpfs_file(ssh_tmpfs_t)
ubac_constrained(ssh_tmpfs_t)
# The user's ssh directory and its contents (keys, config, sockets).
type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
# With MCS enabled sshd runs ranged up to mcs_systemhigh, presumably so it
# can start sessions at any category set.
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
##############################
#
# SSH client local policy
#
# Capabilities: setuid/setgid for dropping privilege; dac_override and
# dac_read_search bypass DAC permission bits on files, so ssh_t can open files
# its uid could not — keep in mind when auditing this domain.
allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
# Every process permission except the listed ones: the exclusions keep ssh_t
# from tracing itself, changing its own context, raising its rlimits, or
# mapping writable+executable memory.
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
# SysV IPC objects owned by the client itself.
allow ssh_t self:shm create_shm_perms;
allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
# Read the host key files (sshd_key_t); presumably for host-based
# authentication, which the keysign helper below also serves.
allow ssh_t sshd_key_t:file read_file_perms;
# Private tmpfs content, created with the ssh_tmpfs_t label.
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# The ssh directory and sockets created in the user's home get ssh_home_t.
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
userdom_stream_connect(ssh_t)
# Allow the ssh program to communicate with ssh-agent: connect to sockets of
# type ssh_agent_tmp_t owned by any ssh_agent_type domain.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
# Direct unix-socket connect to sshd_t; the purpose is not stated here —
# confirm which sshd socket the client needs before widening it.
allow ssh_t sshd_t:unix_stream_socket connectto;
# ssh client can manage the keys and config
manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config.  Note these rules sit in the
# client section but apply to every ssh_server domain, and they grant manage
# (not merely read) of ssh_home_t in both user and admin home directories.
manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
# Network: connect to the ssh port, send/receive on any port, and bind
# generic nodes and any unreserved port.  Both bind rules are unconditional,
# so the user_tcp_server tunable further down only adds binding the ssh port
# itself — its corenet_tcp_bind_generic_node line is redundant with the one
# here, and listeners on unreserved ports are allowed regardless of it.
corenet_all_recvfrom_unlabeled(ssh_t)
corenet_all_recvfrom_netlabel(ssh_t)
corenet_tcp_sendrecv_generic_if(ssh_t)
corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
corenet_tcp_bind_generic_node(ssh_t)
corenet_tcp_bind_all_unreserved_ports(ssh_t)
# Random bytes (key exchange and the like).
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
fs_search_auto_mountpoints(ssh_t)
# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell(ssh_t)
corecmd_exec_bin(ssh_t)
domain_use_interactive_fds(ssh_t)
files_list_home(ssh_t)
files_read_usr_files(ssh_t)
files_read_etc_runtime_files(ssh_t)
files_read_etc_files(ssh_t)
files_read_var_files(ssh_t)
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
miscfiles_read_localization(ssh_t)
seutil_read_config(ssh_t)
userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
# Kerberos: read the credential cache and write the TGT in the user's tmp.
userdom_read_user_tmp_files(ssh_t)
userdom_write_user_tmp_files(ssh_t)
userdom_read_user_home_content_symlinks(ssh_t)
# ssh -> ssh-keysign transition, only while the boolean is on.
tunable_policy(`allow_ssh_keysign',`
domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
')
# Home directories on NFS or CIFS.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(ssh_t)
fs_manage_nfs_files(ssh_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(ssh_t)
fs_manage_cifs_files(ssh_t)
')
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port(ssh_t)
corenet_tcp_bind_generic_node(ssh_t)
')
# X11 forwarding: an X client role for ssh_t plus running xauth.
optional_policy(`
xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
xserver_domtrans_xauth(ssh_t)
')
########################################
#
# ssh_keygen local policy
#
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
#
# NOTE(review): this section appears a second time at the end of the file
# with a slightly different rule set (auth_use_nsswitch there, the optional
# nscd_socket_use block here).  Duplicate rules merge at build time, but the
# two copies should be reconciled into one.
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
# Create and write the host key files; new files it creates in etc
# directories presumably get the sshd_key_t label via the filetrans.
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
dev_read_sysfs(ssh_keygen_t)
# Randomness for key generation.
dev_read_urand(ssh_keygen_t)
# Runs from init scripts: init fds and script ptys are usable; console use
# is denied but not audited.
term_dontaudit_use_console(ssh_keygen_t)
domain_use_interactive_fds(ssh_keygen_t)
files_read_etc_files(ssh_keygen_t)
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
# Each block below is compiled only when that module is present.
optional_policy(`
nscd_socket_use(ssh_keygen_t)
')
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
')
optional_policy(`
udev_read_db(ssh_keygen_t)
')
##############################
#
# ssh_keysign_t local policy
#
# Everything here is under allow_ssh_keysign, so with the boolean off (the
# default) the domain exists but can do nothing — the client section's
# transition into it is gated by the same boolean.
tunable_policy(`allow_ssh_keysign',`
# setuid/setgid helper; presumably signs with the host key on the client's
# behalf for host-based authentication.
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
# Read-only access to the host key files: getattr and read only, not the
# wider read_file_perms the client gets.
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
files_read_etc_files(ssh_keysign_t)
')
# nscd is optional and, like the rest, boolean-gated.
optional_policy(`
tunable_policy(`allow_ssh_keysign',`
nscd_socket_use(ssh_keysign_t)
')
')
#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#
# The bulk of sshd_t's rules presumably come from ssh_server_template(sshd)
# in the declarations; this section holds only what is specific to the
# system sshd.
#
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
# Kernel keyrings: search/link/write its own keys, search/link kernel keys.
allow sshd_t self:key { search link write };
# setcurrent permits a dynamic context change of the process itself
# (setcon()); presumably needed by the ftp_dyntrans_* rules below.  It is a
# sensitive permission — the domain can switch context without an exec — so
# the set of dyntransition targets should stay small.
allow sshd_t self:process setcurrent;
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
# Session ptys: use, set attributes on and relabel ptys/ttys for the
# logged-in user, and open the pty multiplexer.
term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
term_setattr_all_ttys(sshd_t)
term_relabelto_all_ptys(sshd_t)
term_use_ptmx(sshd_t)
# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
# Read user home content and search admin home directories.  Management of
# ssh_home_t itself is granted through the ssh_server attribute in the
# client section.
userdom_read_user_home_content_files(sshd_t)
userdom_read_user_home_content_symlinks(sshd_t)
userdom_search_admin_dir(sshd_t)
userdom_manage_tmp_role(system_r, sshd_t)
# Login: transition to the unprivileged user domains and signal them.
userdom_spec_domtrans_unpriv_users(sshd_t)
userdom_signal_unpriv_users(sshd_t)
# Port forwarding (default off): listen on any unreserved port and connect to
# any TCP port.  With this on sshd_t is effectively a general TCP relay, so
# enable it only where forwarding is actually used and audit accordingly.
tunable_policy(`sshd_forward_ports',`
corenet_tcp_bind_all_unreserved_ports(sshd_t)
corenet_tcp_connect_all_ports(sshd_t)
')
# Logins as sysadm_r:sysadm_t: the only rule here is signalling all user
# domains.  The transition to sysadm_t is not expressed in this file — verify
# where the boolean is consumed (userdomain interfaces, presumably).  The
# pty relabel/ioctl notes that used to sit here describe the disabled TODO
# block at the end of this section, not this rule.
tunable_policy(`ssh_sysadm_login',`
userdom_signal_all_users(sshd_t)
')
# Optional integrations: each block is compiled only when that module exists.
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
# Kerberos keytab access (GSSAPI, presumably).
optional_policy(`
kerberos_keytab_template(sshd, sshd_t)
')
# Dynamic transition into the sftpd / anonymous sftpd domains; these are
# the users of setcurrent above.
optional_policy(`
ftp_dyntrans_sftpd(sshd_t)
ftp_dyntrans_anon_sftpd(sshd_t)
')
optional_policy(`
gitosis_manage_lib_files(sshd_t)
')
optional_policy(`
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')
optional_policy(`
nx_read_home_files(sshd_t)
')
optional_policy(`
rpm_use_script_fds(sshd_t)
')
optional_policy(`
rssh_spec_domtrans(sshd_t)
# For reading /home/user/.ssh
rssh_read_ro_content(sshd_t)
')
optional_policy(`
usermanage_domtrans_passwd(sshd_t)
usermanage_read_crack_db(sshd_t)
')
# When the unconfined module is loaded sshd may start an unconfined shell, so
# on such systems an SSH login is not confined by anything in this file.
optional_policy(`
unconfined_shell_domtrans(sshd_t)
')
optional_policy(`
xserver_domtrans_xauth(sshd_t)
')
# Disabled code: everything between here and "dnl endif TODO" is compiled
# only if the m4 symbol TODO is defined, which nothing in this file does.
# It is an older formulation of the pty relabel and xauth transition rules,
# kept for reference only.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_t ptyfile:chr_file relabelto;
optional_policy(`
domain_trans(sshd_t, xauth_exec_t, userdomain)
')
',`
optional_policy(`
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
')
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
')
') dnl endif TODO
########################################
#
# ssh_keygen local policy
#
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
#
# NOTE(review): second copy of the ssh_keygen section that already appears
# after the client policy.  This copy adds auth_use_nsswitch and omits the
# optional nscd_socket_use block; duplicate rules merge at build time, but
# the two copies should be reconciled into one section.
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
# Create and write the host key files; new files it creates in etc
# directories presumably get the sshd_key_t label via the filetrans.
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
dev_read_sysfs(ssh_keygen_t)
# Randomness for key generation.
dev_read_urand(ssh_keygen_t)
# Runs from init scripts: init fds and script ptys are usable; console use
# is denied but not audited.
term_dontaudit_use_console(ssh_keygen_t)
domain_use_interactive_fds(ssh_keygen_t)
files_read_etc_files(ssh_keygen_t)
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
# Name-service lookups through nsswitch (covers nscd, unlike the other copy).
auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
# Each block below is compiled only when that module is present.
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
')
optional_policy(`
udev_read_db(ssh_keygen_t)
')