# Authors: Anthony Colatrella (NSA) <amcolat@epoch.ncsc.mil>
# Stephen Smalley <sds@epoch.ncsc.mil>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: ssh
# sshd_exec_t is the type of the sshd executable.
# sshd_key_t is the type of the ssh private key files.
type sshd_exec_t, file_type, exec_type, sysadmfile;
type sshd_key_t, file_type, sysadmfile;
type ssh_port_t, port_type;
ifdef(`run_ssh_inetd', `
define(`using_ssh_inetd', `')
define(`sshd_program_domain', `
# privowner is for changing the identity on the terminal device
# privfd is for passing the terminal file handle to the user process
# auth_chkpwd is for running unix_chkpwd and unix_verify.
type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd;
role system_r types $1_t;
# The daemon never reads /etc/shadow itself: password checks go through the
# auth_chkpwd attribute (unix_chkpwd / unix_verify, see the type line above),
# so the direct probe is only silenced, not permitted.
dontaudit $1_t shadow_t:file { getattr read };
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:process { fork sigchld setsched setrlimit };
dontaudit $1_t self:lnk_file read;
# statfs() is deliberately not allowed; only silence the denial.
dontaudit $1_t fs_type:filesystem getattr;
allow $1_t bin_t:dir search;
allow $1_t bin_t:lnk_file read;
# for sshd subsystems, such as sftp-server.
allow $1_t bin_t:file getattr;
allow $1_t var_t:dir { getattr search };
allow $1_t var_log_t:dir search;
allow $1_t etc_t:dir search;
# ioctl is for pam_console
dontaudit $1_t etc_t:file ioctl;
allow $1_t etc_t:file { getattr read };
allow $1_t etc_t:lnk_file { getattr read };
allow $1_t etc_runtime_t:file { getattr read };
# Read and write /dev/tty and /dev/null.
allow $1_t devtty_t:chr_file rw_file_perms;
allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
allow $1_t urandom_device_t:chr_file { getattr read };
# NOTE(review): appears to be subsumed by the { getattr read } rule on
# urandom_device_t a few lines above; harmless, but a candidate for removal
# once the surrounding (filtered) lines confirm both sit in the same scope.
allow $1_t urandom_device_t:chr_file { getattr };
# NOTE(review): this is a broad capability set (dac_override, chown, fowner,
# fsetid, setuid, setgid, sys_chroot, sys_resource, sys_tty_config). Each one
# widens what a compromised sshd process can do; confirm every entry is still
# required by the sshd build being confined before keeping it.
allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow $1_t { home_root_t home_dir_type }:dir { search getattr };
ifdef(`nfs_home_dirs', `
ifdef(`automount.te', `
allow $1_t autofs_t:dir { search getattr };
allow $1_t nfs_t:dir { search getattr };
allow $1_t nfs_t:file { getattr read };
')dnl end if nfs_home_dirs
ifdef(`single_userdomain', `
ifdef(`ssh_sysadm_login', `
allow $1_t home_type:dir { getattr search };
allow $1_t home_type:file { getattr read };
allow $1_t user_home_type:dir { getattr search };
allow $1_t user_home_type:file { getattr read };
')dnl end ssh sysadm login
') dnl single userdomain
# Allow shells to be run in sysadm_t as well.
# Commented out. Use newrole rather than directly entering sysadm_t.
#domain_trans($1_t, shell_exec_t, sysadm_t)
allow $1_t initrc_var_run_t:file rw_file_perms;
allow $1_t wtmp_t:file rw_file_perms;
# Get security policy decisions.
can_getsecurity($1_t)
# Allow read access to login context
allow $1_t default_context_t:file r_file_perms;
# Host private keys are read-only for the daemon: only getattr/read is
# granted here, no write, create or relabel.
allow $1_t sshd_key_t:file { getattr read };
# Update /var/log/lastlog.
allow $1_t lastlog_t:file rw_file_perms;
can_create_pty($1, `, server_pty')
allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
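# Quiet relabelfrom on other users' ptys for every domain built from this
# macro ($1_t), not just sshd_t: the sibling rule above already uses $1_t,
# and with $1 = sshd this expands to exactly the previous rule.
dontaudit $1_t userpty_type:chr_file relabelfrom;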
')dnl end sshd_program_domain
# macro for defining which domains a sshd can spawn
# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the
# type of the pty for the child
define(`sshd_spawn_domain', `
login_spawn_domain($1, $2)
domain_trans($1_t, xauth_exec_t, $2)
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# some versions of sshd on the new SE Linux require setattr
allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr };
# inheriting stream sockets is needed for "ssh host command" as no pty
allow $2 $1_t:unix_stream_socket rw_stream_socket_perms;
')dnl end sshd_spawn_domain definition
#################################
# Rules for the sshd_t domain, et al.
# sshd_t is the domain for the sshd program.
# sshd_extern_t is the domain for ssh from outside our network
sshd_program_domain(sshd)
ifdef(`ssh_sysadm_login', `
sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
ifdef(`use_x_ports', `
allow sshd_t xserver_port_t:tcp_socket name_bind;
sshd_program_domain(sshd_extern)
sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
# for when the network connection breaks after running newrole -r sysadm_r
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
# Allow checking the user's mail at login.
allow sshd_t { var_spool_t mail_spool_t }:dir search;
allow sshd_t mail_spool_t:lnk_file read;
allow sshd_t mail_spool_t:file getattr;
ifdef(`using_ssh_inetd', `
allow inetd_t ssh_port_t:tcp_socket name_bind;
domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms;
allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search };
allow { sshd_t sshd_extern_t } self:process signal;
allow { sshd_t sshd_extern_t } initrc_devpts_t:chr_file rw_file_perms;
allow { sshd_t sshd_extern_t } self:capability net_bind_service;
allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
# for port forwarding
can_tcp_connect(userdomain, sshd_t)
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
# Inherit and use descriptors from init.
allow { sshd_t sshd_extern_t } init_t:fd use;
# Create /var/run/sshd.pid
var_run_domain(sshd_extern)
ifdef(`direct_sysadm_daemon', `
# Direct execution by sysadm_r.
domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
role_transition sysadm_r sshd_exec_t system_r;
undefine(`sshd_program_domain')
# so a tunnel can point to another ssh tunnel...
can_tcp_connect(sshd_t, sshd_t)
can_exec(sshd_t, pam_exec_t)
ifdef(`automount.te', `
allow sshd_t autofs_t:dir { search };
# krb5.conf stays read-only for sshd (read is granted on the next line); the
# write attempt is silenced rather than allowed.
dontaudit sshd_t krb5_conf_t:file { write };
allow sshd_t krb5_conf_t:file { getattr read };
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
daemon_base_domain(ssh_keygen)
allow ssh_keygen_t etc_t:file { getattr read };
file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
# Type for the ssh executable.
type ssh_exec_t, file_type, exec_type, sysadmfile;
# Everything else is in the ssh_domain macro in
# macros/program/ssh_macros.te.
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
allow ssh_keygen_t urandom_device_t:chr_file { getattr read };