#DESC SSH - SSH daemon
#
# Authors:  Anthony Colatrella (NSA) <amcolat@epoch.ncsc.mil>
#           Stephen Smalley <sds@epoch.ncsc.mil>
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: ssh
#

# sshd_exec_t is the type of the sshd executable; it is the entry point of
# the transitions into sshd_t and sshd_extern_t defined further down.
# sshd_key_t is the type of the ssh host private key files.  Within this
# file only the sshd daemon domains (read) and ssh_keygen_t (create) touch
# it, so a user domain that is compromised cannot read the host key.
type sshd_exec_t, file_type, exec_type, sysadmfile;
type sshd_key_t, file_type, sysadmfile;

# ssh_port_t is the port type that sshd (or inetd on its behalf) may bind.
type ssh_port_t, port_type;

# using_ssh_inetd is set only when the inetd policy is present AND the
# run_ssh_inetd tunable is on.  It selects the inetd-spawned rules below in
# place of the standalone-daemon rules (port binding, initrc transition).
ifdef(`inetd.te', `
ifdef(`run_ssh_inetd', `
define(`using_ssh_inetd', `')
')
')dnl end if inetd

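# sshd_program_domain(prefix)
# Declares the prefix_t daemon domain for one instance of sshd.  It is
# instantiated twice below (sshd -> sshd_t, sshd_extern -> sshd_extern_t),
# so every rule in the body must name the domain as $1_t; a literal domain
# name would silently apply to the first instance only.
define(`sshd_program_domain', `
# privuser/privrole: the login context set with can_setexec below carries a
# different SELinux user and role from the daemon itself.
# privowner is for changing the identity on the terminal device
# privfd is for passing the terminal file handle to the user process
# auth_chkpwd is for running unix_chkpwd and unix_verify.
type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd;
role system_r types $1_t;
# Password checks are delegated to the auth_chkpwd helper; the daemon itself
# is deliberately NOT allowed to read /etc/shadow.  Only the audit noise from
# its probes is silenced here.
dontaudit $1_t shadow_t:file { getattr read };
uses_shlib($1_t)
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:fifo_file rw_file_perms;
# setsched/setrlimit apply to the sessions sshd forks.
allow $1_t self:process { fork sigchld setsched setrlimit };

dontaudit $1_t self:lnk_file read;

# do not allow statfs()
dontaudit $1_t fs_type:filesystem getattr;

allow $1_t bin_t:dir search;
allow $1_t bin_t:lnk_file read;

# for sshd subsystems, such as sftp-server.
allow $1_t bin_t:file getattr;

# Read /var.
allow $1_t var_t:dir { getattr search };

# Read /var/log.
allow $1_t var_log_t:dir search;

# Read /etc.
allow $1_t etc_t:dir search;
# ioctl is for pam_console
dontaudit $1_t etc_t:file ioctl;
allow $1_t etc_t:file { getattr read };
allow $1_t etc_t:lnk_file { getattr read };
allow $1_t etc_runtime_t:file { getattr read };

# Read and write /dev/tty and /dev/null.
allow $1_t devtty_t:chr_file rw_file_perms;
allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;

# Read /dev/urandom.  One rule is enough; the former second getattr-only rule
# was a subset of this one.
allow $1_t urandom_device_t:chr_file { getattr read };

can_network($1_t)

# Capabilities of a privileged login daemon.  dac_override is the broadest
# one: it bypasses mode bits on every file type enforcement already lets
# sshd reach.  Widen this list only on a concrete, understood denial.
allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow $1_t { home_root_t home_dir_type }:dir { search getattr };
can_ypbind($1_t)
ifdef(`nfs_home_dirs', `
ifdef(`automount.te', `
allow $1_t autofs_t:dir { search getattr };
')
allow $1_t nfs_t:dir { search getattr };
allow $1_t nfs_t:file { getattr read };
')dnl end if nfs_home_dirs

# With a single user domain sshd reads home directory files itself
# (presumably authorized_keys and the like); with ssh_sysadm_login that has
# to include sysadm homes as well, hence home_type instead of user_home_type.
ifdef(`single_userdomain', `
ifdef(`ssh_sysadm_login', `
allow $1_t home_type:dir { getattr search };
allow $1_t home_type:file { getattr read };
', `
allow $1_t user_home_type:dir { getattr search };
allow $1_t user_home_type:file { getattr read };
')dnl end ssh sysadm login
') dnl single userdomain

# Set exec context.
can_setexec($1_t)

# Allow shells to be run in sysadm_t as well.
# Commented out.  Use newrole rather than directly entering sysadm_t.
# Keeping this disabled means a remote login never lands in sysadm_t
# directly unless the ssh_sysadm_login tunable is set below.
#domain_trans($1_t, shell_exec_t, sysadm_t)

# Update utmp.
allow $1_t initrc_var_run_t:file rw_file_perms;

# Update wtmp.
allow $1_t wtmp_t:file rw_file_perms;

# Get security policy decisions.
can_getsecurity($1_t)

# Allow read access to login context
allow $1_t default_context_t:file r_file_perms;

# Access key files.  Read only: host keys are created by ssh_keygen_t, the
# daemon must never be able to replace them.
allow $1_t sshd_key_t:file { getattr read };

# Update /var/log/lastlog.
allow $1_t lastlog_t:file rw_file_perms;

read_locale($1_t)
read_sysctl($1_t)

# Can create ptys
can_create_pty($1, `, server_pty')
allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
# This rule used to name sshd_t literally, so the sshd_extern instance still
# logged relabelfrom attempts on user ptys.  Use the macro argument like
# every other rule; dontaudit grants nothing, it only silences the audit.
dontaudit $1_t userpty_type:chr_file relabelfrom;
')dnl end sshd_program_domain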

# macro for defining which domains a sshd can spawn
# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the
# type of the pty for the child
# $2 and $3 may be attributes or sets (see the ssh_sysadm_login use below).
define(`sshd_spawn_domain', `
# login_spawn_domain grants the login-style transition from $1_t into $2.
login_spawn_domain($1, $2)
ifdef(`xauth.te', `
# xauth runs in the session domain $2, never inside the sshd domain.
domain_trans($1_t, xauth_exec_t, $2)
')

# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
# relabelto here pairs with relabelfrom on the server pty type granted in
# sshd_program_domain: the pty is relabeled from the sshd pty type to the
# child pty type $3 before the session gets it.
allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr };

# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
allow $2 $1_t:unix_stream_socket rw_stream_socket_perms;
')dnl end sshd_spawn_domain definition

#################################
#
# Rules for the sshd_t domain, et al.
#
# sshd_t is the domain for the sshd program.
# sshd_extern_t is the domain for ssh from outside our network: it spawns
# sessions only into user_mini_domain on mini_pty_type ptys, never into a
# full user or sysadm domain, so an externally reachable sshd exposes less.
#
sshd_program_domain(sshd)
# ssh_sysadm_login lets a remote session land directly in any userdomain
# (presumably including sysadm_t, hence the sysadm_devpts_t pty type).  The
# default confines sshd to unpriv_userdomain and leaves escalation to newrole.
ifdef(`ssh_sysadm_login', `
sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
', `
sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
')

ifdef(`use_x_ports', `
# for X forwarding: sshd binds an X display port for the forwarded clients.
allow sshd_t xserver_port_t:tcp_socket name_bind;
')

sshd_program_domain(sshd_extern)
sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)

# for when the network connection breaks after running newrole -r sysadm_r
# (the pty is sysadm_devpts_t by then; silence, do not grant, the setattr).
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;

# Allow checking users mail at login
# (getattr on the spool file only; sshd does not get to read mail).
allow sshd_t { var_spool_t mail_spool_t }:dir search;
allow sshd_t mail_spool_t:lnk_file read;
allow sshd_t mail_spool_t:file getattr;

# inetd-spawned sshd: inetd owns the listening socket, so the sshd domains
# only need the inherited tcp_socket and no name_bind / net_bind_service.
ifdef(`using_ssh_inetd', `
allow inetd_t ssh_port_t:tcp_socket name_bind;
domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms;
allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search };
allow { sshd_t sshd_extern_t } self:process signal;
', `
# Standalone daemon started from initrc: binds the ssh port itself.
allow { sshd_t sshd_extern_t } initrc_devpts_t:chr_file rw_file_perms;
allow { sshd_t sshd_extern_t } self:capability net_bind_service;
allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;

# for port forwarding: local user domains connect to the sshd listener.
# NOTE(review): not mirrored in the inetd branch, where the listener is
# inetd_t rather than sshd_t.
can_tcp_connect(userdomain, sshd_t)

# sshd_t is the default transition; sshd_extern_t is allowed (domain_trans)
# but not defaulted, so it has to be requested explicitly by the starter.
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)

# Inherit and use descriptors from init.
allow { sshd_t sshd_extern_t } init_t:fd use;

# Create /var/run/sshd.pid
var_run_domain(sshd)
var_run_domain(sshd_extern)
')

# Running the sshd binary from an admin shell transitions into sshd_t and
# the system_r role rather than staying in sysadm_t, so the daemon never
# keeps admin privileges even when started by hand.
ifdef(`direct_sysadm_daemon', `
# Direct execution by sysadm_r.
domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
role_transition sysadm_r sshd_exec_t system_r;
')

# The macro served its two instantiations above; drop it so later policy
# cannot create further sshd-like domains by accident.
undefine(`sshd_program_domain')

# so a tunnel can point to another ssh tunnel...
# (sshd connecting back to a local sshd listener)
can_tcp_connect(sshd_t, sshd_t)

# Private tmp type for sshd_t (presumably sshd_tmp_t).
tmp_domain(sshd)
ifdef(`pam.te', `
# can_exec, not a transition: whatever pam_exec_t runs stays in sshd_t.
can_exec(sshd_t, pam_exec_t)
')


ifdef(`automount.te', `
allow sshd_t autofs_t:dir { search };
')
# Kerberos config is read-only for sshd; the write attempt is silenced,
# not granted.
dontaudit sshd_t krb5_conf_t:file { write };
allow sshd_t krb5_conf_t:file { getattr read };

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t.  All of its rules are kept together here.
daemon_base_domain(ssh_keygen)
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
allow ssh_keygen_t etc_t:file { getattr read };
# Host keys written into /etc are created as sshd_key_t instead of etc_t, so
# only the sshd daemon domains (and nothing else in this file) can read them.
file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
# Terminal access, presumably for prompts when run from sysadm_t.
allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };

# Type for the ssh executable.
# Everything else is in the ssh_domain macro in
# macros/program/ssh_macros.te.
type ssh_exec_t, file_type, exec_type, sysadmfile;