summaryrefslogtreecommitdiff
path: root/policy/modules/services/ssh.te
blob: abb77da8d98ba3a5561f8add04db27eaabe84242 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417

policy_module(ssh, 2.1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## allow host key based authentication
## </p>
## </desc>
gen_tunable(allow_ssh_keysign, false)

## <desc>
## <p>
## Allow ssh logins as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(ssh_sysadm_login, false)

attribute ssh_server;
attribute ssh_agent_type;

type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
role system_r types ssh_keygen_t;

type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)

ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)

type sshd_key_t;
files_type(sshd_key_t)

type sshd_tmp_t;
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')

type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
application_domain(ssh_t, ssh_exec_t)
ubac_constrained(ssh_t)

type ssh_agent_exec_t;
corecmd_executable_file(ssh_agent_exec_t)

type ssh_agent_tmp_t;
typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
files_tmp_file(ssh_agent_tmp_t)
ubac_constrained(ssh_agent_tmp_t)

type ssh_keysign_t;
type ssh_keysign_exec_t;
typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
application_domain(ssh_keysign_t, ssh_keysign_exec_t)
ubac_constrained(ssh_keysign_t)

type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
files_tmpfs_file(ssh_tmpfs_t)
ubac_constrained(ssh_tmpfs_t)

type home_ssh_t;
typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
files_type(home_ssh_t)
userdom_user_home_content(home_ssh_t)

##############################
#
# SSH client local policy
#

allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_socket_perms;
allow ssh_t self:netlink_route_socket r_netlink_socket_perms;

# Read the ssh key file.
allow ssh_t sshd_key_t:file read_file_perms;

# Access the ssh temporary files.
allow ssh_t sshd_tmp_t:dir manage_dir_perms;
allow ssh_t sshd_tmp_t:file manage_file_perms;
files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })

manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t)
manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })

# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)

allow ssh_t sshd_t:unix_stream_socket connectto;

# ssh client can manage the keys and config
manage_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)

# ssh servers can read the user keys and config
allow ssh_server home_ssh_t:dir list_dir_perms;
read_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t)

kernel_read_kernel_sysctls(ssh_t)

corenet_all_recvfrom_unlabeled(ssh_t)
corenet_all_recvfrom_netlabel(ssh_t)
corenet_tcp_sendrecv_generic_if(ssh_t)
corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)

dev_read_urand(ssh_t)

fs_getattr_all_fs(ssh_t)
fs_search_auto_mountpoints(ssh_t)

# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell(ssh_t)
corecmd_exec_bin(ssh_t)

domain_use_interactive_fds(ssh_t)

files_list_home(ssh_t)
files_read_usr_files(ssh_t)
files_read_etc_runtime_files(ssh_t)
files_read_etc_files(ssh_t)
files_read_var_files(ssh_t)

logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)

miscfiles_read_localization(ssh_t)

seutil_read_config(ssh_t)

sysnet_read_config(ssh_t)
sysnet_dns_name_resolve(ssh_t)

userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
# needs to read krb tgt
userdom_read_user_tmp_files(ssh_t)

tunable_policy(`allow_ssh_keysign',`
	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
	allow ssh_keysign_t ssh_t:fd use;
	allow ssh_keysign_t ssh_t:process sigchld;
	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(ssh_t)
	fs_manage_nfs_files(ssh_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(ssh_t)
	fs_manage_cifs_files(ssh_t)
')

# for port forwarding
tunable_policy(`user_tcp_server',`
	corenet_tcp_bind_ssh_port(ssh_t)
')

optional_policy(`
	kerberos_use(ssh_t)
')

optional_policy(`
	nis_use_ypbind(ssh_t)
')

optional_policy(`
	nscd_socket_use(ssh_t)
')

optional_policy(`
	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
	xserver_domtrans_xauth(ssh_t)
')

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t

dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };

allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)

kernel_read_kernel_sysctls(ssh_keygen_t)

fs_search_auto_mountpoints(ssh_keygen_t)

dev_read_sysfs(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

domain_use_interactive_fds(ssh_keygen_t)

files_read_etc_files(ssh_keygen_t)

init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)

logging_send_syslog_msg(ssh_keygen_t)

userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)

optional_policy(`
	nscd_socket_use(ssh_keygen_t)
')

optional_policy(`
	seutil_sigchld_newrole(ssh_keygen_t)
')

optional_policy(`
	udev_read_db(ssh_keygen_t)
')

##############################
#
# ssh_keysign_t local policy
#

tunable_policy(`allow_ssh_keysign',`
	allow ssh_keysign_t self:capability { setgid setuid };
	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;

	allow ssh_keysign_t sshd_key_t:file { getattr read };

	dev_read_urand(ssh_keysign_t)

	files_read_etc_files(ssh_keysign_t)
')

optional_policy(`
	tunable_policy(`allow_ssh_keysign',`
		nscd_socket_use(ssh_keysign_t)
	')
')

#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#

# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };

manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })

kernel_search_key(sshd_t)
kernel_link_key(sshd_t)

term_use_all_user_ptys(sshd_t)
term_setattr_all_user_ptys(sshd_t)
term_relabelto_all_user_ptys(sshd_t)

# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)

tunable_policy(`ssh_sysadm_login',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	userdom_spec_domtrans_all_users(sshd_t)
	userdom_signal_all_users(sshd_t)
',`
	userdom_spec_domtrans_unpriv_users(sshd_t)
	userdom_signal_unpriv_users(sshd_t)
')

optional_policy(`
	daemontools_service_domain(sshd_t, sshd_exec_t)
')

optional_policy(`
	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')

optional_policy(`
	rpm_use_script_fds(sshd_t)
')

optional_policy(`
	rssh_spec_domtrans(sshd_t)
	# For reading /home/user/.ssh
	rssh_read_ro_content(sshd_t)
')

optional_policy(`
	unconfined_domain(sshd_t)
	unconfined_shell_domtrans(sshd_t)
')

ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	allow sshd_t ptyfile:chr_file relabelto;

	optional_policy(`
		domain_trans(sshd_t, xauth_exec_t, userdomain)
	')
',`
	optional_policy(`
		domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
	')
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
')
') dnl endif TODO

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t

dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };

allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)

kernel_read_kernel_sysctls(ssh_keygen_t)

fs_search_auto_mountpoints(ssh_keygen_t)

dev_read_sysfs(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

domain_use_interactive_fds(ssh_keygen_t)

files_read_etc_files(ssh_keygen_t)

init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)

logging_send_syslog_msg(ssh_keygen_t)

userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)

optional_policy(`
	nscd_socket_use(ssh_keygen_t)
')

optional_policy(`
	seutil_sigchld_newrole(ssh_keygen_t)
')

optional_policy(`
	udev_read_db(ssh_keygen_t)
')