rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
f5842c1fa5
selinux-policy/policy/modules/services/ssh.if
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore. 
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

714 lines
17 KiB
Plaintext
Raw Blame History

## <summary>Secure shell client and server policy.</summary>
#######################################
## <summary>
## Basic SSH client template.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for ssh client sessions. A derived
## type is also created to protect the user ssh keys.
## </p>
## <p>
## This template was added for NX.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`ssh_basic_client_template',`
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
')
##############################
#
# Declarations
#
type $1_ssh_t;
domain_type($1_ssh_t)
domain_entry_file($1_ssh_t,ssh_exec_t)
role $3 types $1_ssh_t;
type $1_home_ssh_t;
files_type($1_home_ssh_t)
##############################
#
# Client local policy
#
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_ssh_t self:fd use;
allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_ssh_t self:shm create_shm_perms;
allow $1_ssh_t self:sem create_sem_perms;
allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
allow $1_ssh_t self:tcp_socket create_socket_perms;
allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
# for rsync
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
allow $1_ssh_t $2:unix_stream_socket connectto;
# Read the ssh key file.
allow $1_ssh_t sshd_key_t:file read_file_perms;
# Access the ssh temporary files.
allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
# Transition from the domain to the derived domain.
domtrans_pattern($2, ssh_exec_t, $1_ssh_t)
# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
# cjp: should probably fix target to be an attribute for ssh servers
# or "regular" (not special like sshd_extern_t) servers
allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
# allow ps to show ssh
ps_process_pattern($2,$1_ssh_t)
# user can manage the keys and config
manage_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
manage_lnk_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
manage_sock_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
# ssh client can manage the keys and config
manage_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
read_lnk_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
# ssh servers can read the user keys and config
allow ssh_server $1_home_ssh_t:dir list_dir_perms;
read_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t)
read_lnk_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t)
kernel_read_kernel_sysctls($1_ssh_t)
corenet_all_recvfrom_unlabeled($1_ssh_t)
corenet_all_recvfrom_netlabel($1_ssh_t)
corenet_tcp_sendrecv_all_if($1_ssh_t)
corenet_tcp_sendrecv_all_nodes($1_ssh_t)
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
dev_read_urand($1_ssh_t)
fs_getattr_all_fs($1_ssh_t)
fs_search_auto_mountpoints($1_ssh_t)
# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell($1_ssh_t)
corecmd_exec_bin($1_ssh_t)
domain_use_interactive_fds($1_ssh_t)
files_list_home($1_ssh_t)
files_read_usr_files($1_ssh_t)
files_read_etc_runtime_files($1_ssh_t)
files_read_etc_files($1_ssh_t)
files_read_var_files($1_ssh_t)
libs_use_ld_so($1_ssh_t)
libs_use_shared_libs($1_ssh_t)
logging_send_syslog_msg($1_ssh_t)
logging_read_generic_logs($1_ssh_t)
miscfiles_read_localization($1_ssh_t)
seutil_read_config($1_ssh_t)
sysnet_read_config($1_ssh_t)
sysnet_dns_name_resolve($1_ssh_t)
tunable_policy(`read_default_t',`
files_list_default($1_ssh_t)
files_read_default_files($1_ssh_t)
files_read_default_symlinks($1_ssh_t)
files_read_default_sockets($1_ssh_t)
files_read_default_pipes($1_ssh_t)
')
optional_policy(`
kerberos_use($1_ssh_t)
')
optional_policy(`
nis_use_ypbind($1_ssh_t)
')
optional_policy(`
nscd_socket_use($1_ssh_t)
')
')
#######################################
## <summary>
## The per role template for the ssh module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for ssh client sessions and user ssh agents. A derived
## type is also created to protect the user ssh keys.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`ssh_per_role_template',`
gen_require(`
type ssh_agent_exec_t, ssh_keysign_exec_t;
')
##############################
#
# Declarations
#
ssh_basic_client_template($1,$2,$3)
userdom_user_home_content($1,$1_home_ssh_t)
type $1_ssh_agent_t;
domain_type($1_ssh_agent_t)
domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
domain_interactive_fd($1_ssh_agent_t)
role $3 types $1_ssh_agent_t;
type $1_ssh_agent_tmp_t;
files_tmp_file($1_ssh_agent_tmp_t)
type $1_ssh_keysign_t;
domain_type($1_ssh_keysign_t)
domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
role $3 types $1_ssh_keysign_t;
type $1_ssh_tmpfs_t;
files_tmpfs_file($1_ssh_tmpfs_t)
##############################
#
# Client local policy
#
manage_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
manage_lnk_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
manage_fifo_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
manage_sock_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
manage_sock_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern($1_ssh_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t)
allow $1_ssh_t sshd_t:unix_stream_socket connectto;
allow $2 $1_ssh_t:process signal;
userdom_use_unpriv_users_fds($1_ssh_t)
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
userdom_search_user_home_dirs($1,$1_ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
# needs to read krb tgt
userdom_read_user_tmp_files($1, $1_ssh_t)
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
allow $1_ssh_keysign_t $1_ssh_t:fd use;
allow $1_ssh_keysign_t $1_ssh_t:process sigchld;
allow $1_ssh_keysign_t $1_ssh_t:fifo_file rw_file_perms;
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_ssh_t)
fs_manage_nfs_files($1_ssh_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_ssh_t)
fs_manage_cifs_files($1_ssh_t)
')
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port($1_ssh_t)
')
optional_policy(`
xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
xserver_domtrans_user_xauth($1,$1_ssh_t)
')
ifdef(`TODO',`
# for /bin/sh used to execute xauth
dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
#allow ssh to access keys stored on removable media
# Should we have a boolean around this?
files_search_mnt($1_ssh_t)
r_dir_file($1_ssh_t, removable_t)
') dnl endif TODO
##############################
#
# $1_ssh_agent_t local policy
#
allow $1_ssh_agent_t self:process setrlimit;
allow $1_ssh_agent_t self:capability setgid;
allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
manage_dirs_pattern($1_ssh_agent_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t)
manage_sock_files_pattern($1_ssh_agent_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t)
files_tmp_filetrans($1_ssh_agent_t,$1_ssh_agent_tmp_t,{ dir sock_file })
# for ssh-add
stream_connect_pattern($2,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
allow $2 $1_ssh_agent_t:process signal;
# allow ps to show ssh
ps_process_pattern($2,$1_ssh_agent_t)
domtrans_pattern($2, ssh_agent_exec_t, $1_ssh_agent_t)
kernel_read_kernel_sysctls($1_ssh_agent_t)
dev_read_urand($1_ssh_agent_t)
dev_read_rand($1_ssh_agent_t)
fs_search_auto_mountpoints($1_ssh_agent_t)
# transition back to normal privs upon exec
corecmd_shell_domtrans($1_ssh_agent_t,$1_t)
corecmd_bin_domtrans($1_ssh_agent_t, $1_t)
domain_use_interactive_fds($1_ssh_agent_t)
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
files_search_home($1_ssh_agent_t)
libs_read_lib_files($1_ssh_agent_t)
libs_use_ld_so($1_ssh_agent_t)
libs_use_shared_libs($1_ssh_agent_t)
logging_send_syslog_msg($1_ssh_agent_t)
miscfiles_read_localization($1_ssh_agent_t)
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_agent_t)
# for the transition back to normal privs upon exec
userdom_user_home_domtrans($1,$1_ssh_agent_t,$2)
allow $2 $1_ssh_agent_t:fd use;
allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
allow $2 $1_ssh_agent_t:process sigchld;
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
# transition back to normal privs upon exec
fs_nfs_domtrans($1_ssh_agent_t, $1_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_ssh_agent_t)
# transition back to normal privs upon exec
fs_cifs_domtrans($1_ssh_agent_t, $1_t)
')
optional_policy(`
nis_use_ypbind($1_ssh_agent_t)
')
optional_policy(`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
')
ifdef(`TODO',`
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
') dnl endif TODO
##############################
#
# $1_ssh_keysign_t local policy
#
tunable_policy(`allow_ssh_keysign',`
allow $1_ssh_keysign_t self:capability { setgid setuid };
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand($1_ssh_keysign_t)
files_read_etc_files($1_ssh_keysign_t)
libs_use_ld_so($1_ssh_keysign_t)
libs_use_shared_libs($1_ssh_keysign_t)
')
optional_policy(`
tunable_policy(`allow_ssh_keysign',`
nscd_socket_use($1_ssh_keysign_t)
')
')
')
#######################################
## <summary>
## The template to define a ssh server.
## </summary>
## <desc>
## <p>
## This template creates a domains to be used for
## creating a ssh server. This is typically done
## to have multiple ssh servers of different sensitivities,
## such as for an internal network-facing ssh server, and
## a external network-facing ssh server.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the server domain (e.g., sshd
## is the prefix for sshd_t).
## </summary>
## </param>
#
template(`ssh_server_template', `
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
type $1_devpts_t;
term_login_pty($1_devpts_t)
type $1_var_run_t;
files_pid_file($1_var_run_t)
allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:process { signal setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_var_run_t:file manage_file_perms;
files_pid_filetrans($1_t,$1_var_run_t,file)
can_exec($1_t, sshd_exec_t)
# Access key files
allow $1_t sshd_key_t:file { getattr read };
kernel_read_kernel_sysctls($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_raw_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
fs_dontaudit_getattr_all_fs($1_t)
auth_rw_login_records($1_t)
auth_rw_faillog($1_t)
corecmd_read_bin_symlinks($1_t)
corecmd_getattr_bin_files($1_t)
# for sshd subsystems, such as sftp-server.
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
logging_search_logs($1_t)
miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
# Allow checking users mail at login
mta_getattr_spool($1_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files($1_t)
')
optional_policy(`
kerberos_use($1_t)
')
optional_policy(`
nscd_socket_use($1_t)
')
optional_policy(`
nx_spec_domtrans_server($1_t)
')
')
########################################
## <summary>
## Send a SIGCHLD signal to the ssh server.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_sigchld',`
gen_require(`
type sshd_t;
')
allow $1 sshd_t:process sigchld;
')
########################################
## <summary>
## Read a ssh server unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_read_pipes',`
gen_require(`
type sshd_t;
')
allow $1 sshd_t:fifo_file { getattr read };
')
########################################
## <summary>
## Read and write ssh server unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_rw_stream_sockets',`
gen_require(`
type sshd_t;
')
allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
')
########################################
## <summary>
## Read and write ssh server TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_rw_tcp_sockets',`
gen_require(`
type sshd_t;
')
allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
')
########################################
## <summary>
## Do not audit attempts to read and write
## ssh server TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`ssh_dontaudit_rw_tcp_sockets',`
gen_require(`
type sshd_t;
')
dontaudit $1 sshd_t:tcp_socket { read write };
')
########################################
## <summary>
## Connect to SSH daemons over TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Execute the ssh daemon sshd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_domtrans',`
gen_require(`
type sshd_t, sshd_exec_t;
')
domtrans_pattern($1,sshd_exec_t,sshd_t)
')
########################################
## <summary>
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_exec',`
gen_require(`
type ssh_exec_t;
')
corecmd_search_bin($1)
can_exec($1,ssh_exec_t)
')
########################################
## <summary>
## Execute the ssh key generator in the ssh keygen domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_domtrans_keygen',`
gen_require(`
type ssh_keygen_t, ssh_keygen_exec_t;
')
domtrans_pattern($1,ssh_keygen_exec_t,ssh_keygen_t)
')
########################################
## <summary>
## Read ssh server keys
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_dontaudit_read_server_keys',`
gen_require(`
type sshd_key_t;
')
dontaudit $1 sshd_key_t:file { getattr read };
')
Reference in New Issue View Git Blame Copy Permalink