4781493e45
Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below.
434 lines
11 KiB
Plaintext
434 lines
11 KiB
Plaintext
policy_module(ssh, 2.2.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## allow host key based authentication
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ssh_keysign, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow ssh logins as sysadm_r:sysadm_t
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(ssh_sysadm_login, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## allow sshd to forward port connections
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sshd_forward_ports, false)
|
|
|
|
attribute ssh_server;
|
|
attribute ssh_agent_type;
|
|
|
|
type ssh_keygen_t;
|
|
type ssh_keygen_exec_t;
|
|
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
|
|
|
|
type sshd_exec_t;
|
|
corecmd_executable_file(sshd_exec_t)
|
|
|
|
ssh_server_template(sshd)
|
|
init_daemon_domain(sshd_t, sshd_exec_t)
|
|
|
|
type sshd_initrc_exec_t;
|
|
init_script_file(sshd_initrc_exec_t)
|
|
|
|
type sshd_key_t;
|
|
files_type(sshd_key_t)
|
|
|
|
type ssh_t;
|
|
type ssh_exec_t;
|
|
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
|
|
typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
|
|
application_domain(ssh_t, ssh_exec_t)
|
|
ubac_constrained(ssh_t)
|
|
|
|
type ssh_agent_exec_t;
|
|
corecmd_executable_file(ssh_agent_exec_t)
|
|
|
|
type ssh_agent_tmp_t;
|
|
typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
|
|
typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
|
|
files_tmp_file(ssh_agent_tmp_t)
|
|
ubac_constrained(ssh_agent_tmp_t)
|
|
|
|
type ssh_keysign_t;
|
|
type ssh_keysign_exec_t;
|
|
typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
|
|
typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
|
|
application_domain(ssh_keysign_t, ssh_keysign_exec_t)
|
|
ubac_constrained(ssh_keysign_t)
|
|
|
|
type ssh_tmpfs_t;
|
|
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
|
|
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
|
|
files_tmpfs_file(ssh_tmpfs_t)
|
|
ubac_constrained(ssh_tmpfs_t)
|
|
|
|
type ssh_home_t;
|
|
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
|
|
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
|
|
userdom_user_home_content(ssh_home_t)
|
|
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
|
|
##############################
|
|
#
|
|
# SSH client local policy
|
|
#
|
|
|
|
allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
|
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow ssh_t self:fd use;
|
|
allow ssh_t self:fifo_file rw_fifo_file_perms;
|
|
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow ssh_t self:shm create_shm_perms;
|
|
allow ssh_t self:sem create_sem_perms;
|
|
allow ssh_t self:msgq create_msgq_perms;
|
|
allow ssh_t self:msg { send receive };
|
|
allow ssh_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
# Read the ssh key file.
|
|
allow ssh_t sshd_key_t:file read_file_perms;
|
|
|
|
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
|
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
|
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
|
manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
|
fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
|
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
|
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
|
|
userdom_stream_connect(ssh_t)
|
|
|
|
# Allow the ssh program to communicate with ssh-agent.
|
|
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
|
|
|
|
allow ssh_t sshd_t:unix_stream_socket connectto;
|
|
|
|
# ssh client can manage the keys and config
|
|
manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
|
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
|
|
|
# ssh servers can read the user keys and config
|
|
manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
|
|
manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
|
|
userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
|
|
userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
|
|
|
|
kernel_read_kernel_sysctls(ssh_t)
|
|
kernel_read_system_state(ssh_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(ssh_t)
|
|
corenet_all_recvfrom_netlabel(ssh_t)
|
|
corenet_tcp_sendrecv_generic_if(ssh_t)
|
|
corenet_tcp_sendrecv_generic_node(ssh_t)
|
|
corenet_tcp_sendrecv_all_ports(ssh_t)
|
|
corenet_tcp_connect_ssh_port(ssh_t)
|
|
corenet_sendrecv_ssh_client_packets(ssh_t)
|
|
corenet_tcp_bind_generic_node(ssh_t)
|
|
corenet_tcp_bind_all_unreserved_ports(ssh_t)
|
|
|
|
dev_read_urand(ssh_t)
|
|
|
|
fs_getattr_all_fs(ssh_t)
|
|
fs_search_auto_mountpoints(ssh_t)
|
|
|
|
# run helper programs - needed eg for x11-ssh-askpass
|
|
corecmd_exec_shell(ssh_t)
|
|
corecmd_exec_bin(ssh_t)
|
|
|
|
domain_use_interactive_fds(ssh_t)
|
|
|
|
files_list_home(ssh_t)
|
|
files_read_usr_files(ssh_t)
|
|
files_read_etc_runtime_files(ssh_t)
|
|
files_read_etc_files(ssh_t)
|
|
files_read_var_files(ssh_t)
|
|
|
|
logging_send_syslog_msg(ssh_t)
|
|
logging_read_generic_logs(ssh_t)
|
|
|
|
auth_use_nsswitch(ssh_t)
|
|
|
|
miscfiles_read_localization(ssh_t)
|
|
|
|
seutil_read_config(ssh_t)
|
|
|
|
userdom_dontaudit_list_user_home_dirs(ssh_t)
|
|
userdom_search_user_home_dirs(ssh_t)
|
|
# Write to the user domain tty.
|
|
userdom_use_user_terminals(ssh_t)
|
|
# needs to read krb/write tgt
|
|
userdom_read_user_tmp_files(ssh_t)
|
|
userdom_write_user_tmp_files(ssh_t)
|
|
userdom_read_user_home_content_symlinks(ssh_t)
|
|
|
|
tunable_policy(`allow_ssh_keysign',`
|
|
domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
|
|
')
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(ssh_t)
|
|
fs_manage_nfs_files(ssh_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(ssh_t)
|
|
fs_manage_cifs_files(ssh_t)
|
|
')
|
|
|
|
# for port forwarding
|
|
tunable_policy(`user_tcp_server',`
|
|
corenet_tcp_bind_ssh_port(ssh_t)
|
|
corenet_tcp_bind_generic_node(ssh_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
|
|
xserver_domtrans_xauth(ssh_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ssh_keygen local policy
|
|
#
|
|
|
|
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
|
# and by sysadm_t
|
|
|
|
dontaudit ssh_keygen_t self:capability sys_tty_config;
|
|
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
|
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
|
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
|
|
|
|
kernel_read_kernel_sysctls(ssh_keygen_t)
|
|
|
|
fs_search_auto_mountpoints(ssh_keygen_t)
|
|
|
|
dev_read_sysfs(ssh_keygen_t)
|
|
dev_read_urand(ssh_keygen_t)
|
|
|
|
term_dontaudit_use_console(ssh_keygen_t)
|
|
|
|
domain_use_interactive_fds(ssh_keygen_t)
|
|
|
|
files_read_etc_files(ssh_keygen_t)
|
|
|
|
init_use_fds(ssh_keygen_t)
|
|
init_use_script_ptys(ssh_keygen_t)
|
|
|
|
logging_send_syslog_msg(ssh_keygen_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(ssh_keygen_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(ssh_keygen_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(ssh_keygen_t)
|
|
')
|
|
|
|
##############################
|
|
#
|
|
# ssh_keysign_t local policy
|
|
#
|
|
|
|
tunable_policy(`allow_ssh_keysign',`
|
|
allow ssh_keysign_t self:capability { setgid setuid };
|
|
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
|
|
|
allow ssh_keysign_t sshd_key_t:file { getattr read };
|
|
|
|
dev_read_urand(ssh_keysign_t)
|
|
|
|
files_read_etc_files(ssh_keysign_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`allow_ssh_keysign',`
|
|
nscd_socket_use(ssh_keysign_t)
|
|
')
|
|
')
|
|
|
|
#################################
|
|
#
|
|
# sshd local policy
|
|
#
|
|
# sshd_t is the domain for the sshd program.
|
|
#
|
|
|
|
# so a tunnel can point to another ssh tunnel
|
|
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow sshd_t self:key { search link write };
|
|
allow sshd_t self:process setcurrent;
|
|
|
|
kernel_search_key(sshd_t)
|
|
kernel_link_key(sshd_t)
|
|
|
|
term_use_all_ptys(sshd_t)
|
|
term_setattr_all_ptys(sshd_t)
|
|
term_setattr_all_ttys(sshd_t)
|
|
term_relabelto_all_ptys(sshd_t)
|
|
term_use_ptmx(sshd_t)
|
|
|
|
# for X forwarding
|
|
corenet_tcp_bind_xserver_port(sshd_t)
|
|
corenet_sendrecv_xserver_server_packets(sshd_t)
|
|
|
|
userdom_read_user_home_content_files(sshd_t)
|
|
userdom_read_user_home_content_symlinks(sshd_t)
|
|
userdom_search_admin_dir(sshd_t)
|
|
userdom_manage_tmp_role(system_r, sshd_t)
|
|
userdom_spec_domtrans_unpriv_users(sshd_t)
|
|
userdom_signal_unpriv_users(sshd_t)
|
|
|
|
tunable_policy(`sshd_forward_ports',`
|
|
corenet_tcp_bind_all_unreserved_ports(sshd_t)
|
|
corenet_tcp_connect_all_ports(sshd_t)
|
|
')
|
|
|
|
tunable_policy(`ssh_sysadm_login',`
|
|
# Relabel and access ptys created by sshd
|
|
# ioctl is necessary for logout() processing for utmp entry and for w to
|
|
# display the tty.
|
|
# some versions of sshd on the new SE Linux require setattr
|
|
userdom_signal_all_users(sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(sshd_t, sshd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_keytab_template(sshd, sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ftp_dyntrans_sftpd(sshd_t)
|
|
ftp_dyntrans_anon_sftpd(sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gitosis_manage_lib_files(sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nx_read_home_files(sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_use_script_fds(sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rssh_spec_domtrans(sshd_t)
|
|
# For reading /home/user/.ssh
|
|
rssh_read_ro_content(sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
usermanage_domtrans_passwd(sshd_t)
|
|
usermanage_read_crack_db(sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_shell_domtrans(sshd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_domtrans_xauth(sshd_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
tunable_policy(`ssh_sysadm_login',`
|
|
# Relabel and access ptys created by sshd
|
|
# ioctl is necessary for logout() processing for utmp entry and for w to
|
|
# display the tty.
|
|
# some versions of sshd on the new SE Linux require setattr
|
|
allow sshd_t ptyfile:chr_file relabelto;
|
|
|
|
optional_policy(`
|
|
domain_trans(sshd_t, xauth_exec_t, userdomain)
|
|
')
|
|
',`
|
|
optional_policy(`
|
|
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
|
|
')
|
|
# Relabel and access ptys created by sshd
|
|
# ioctl is necessary for logout() processing for utmp entry and for w to
|
|
# display the tty.
|
|
# some versions of sshd on the new SE Linux require setattr
|
|
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
|
|
')
|
|
') dnl endif TODO
|
|
|
|
########################################
|
|
#
|
|
# ssh_keygen local policy
|
|
#
|
|
|
|
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
|
# and by sysadm_t
|
|
|
|
dontaudit ssh_keygen_t self:capability sys_tty_config;
|
|
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
|
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
|
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
|
|
|
|
kernel_read_kernel_sysctls(ssh_keygen_t)
|
|
|
|
fs_search_auto_mountpoints(ssh_keygen_t)
|
|
|
|
dev_read_sysfs(ssh_keygen_t)
|
|
dev_read_urand(ssh_keygen_t)
|
|
|
|
term_dontaudit_use_console(ssh_keygen_t)
|
|
|
|
domain_use_interactive_fds(ssh_keygen_t)
|
|
|
|
files_read_etc_files(ssh_keygen_t)
|
|
|
|
init_use_fds(ssh_keygen_t)
|
|
init_use_script_ptys(ssh_keygen_t)
|
|
|
|
auth_use_nsswitch(ssh_keygen_t)
|
|
|
|
logging_send_syslog_msg(ssh_keygen_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(ssh_keygen_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(ssh_keygen_t)
|
|
')
|