diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index 6262c7b..078bcd7 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 12f2338..2232c8c 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -65,8 +65,7 @@ template(`ssh_basic_client_template',` allow $1_ssh_t self:sem create_sem_perms; allow $1_ssh_t self:msgq create_msgq_perms; allow $1_ssh_t self:msg { send receive }; - allow $1_ssh_t self:tcp_socket create_socket_perms; - allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms; + allow $1_ssh_t self:tcp_socket create_stream_socket_perms; # for rsync allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; @@ -107,6 +106,7 @@ template(`ssh_basic_client_template',` read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) kernel_read_kernel_sysctls($1_ssh_t) + kernel_read_system_state($1_ssh_t) corenet_all_recvfrom_unlabeled($1_ssh_t) corenet_all_recvfrom_netlabel($1_ssh_t) @@ -133,6 +133,8 @@ template(`ssh_basic_client_template',` files_read_etc_files($1_ssh_t) files_read_var_files($1_ssh_t) + auth_use_nsswitch($1_ssh_t) + logging_send_syslog_msg($1_ssh_t) logging_read_generic_logs($1_ssh_t) @@ -140,20 +142,9 @@ template(`ssh_basic_client_template',` seutil_read_config($1_ssh_t) - sysnet_read_config($1_ssh_t) - sysnet_dns_name_resolve($1_ssh_t) - optional_policy(` kerberos_use($1_ssh_t) ') - - optional_policy(` - nis_use_ypbind($1_ssh_t) - ') - - optional_policy(` - nscd_socket_use($1_ssh_t) - ') ') ####################################### 
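Review bot: The dropped `allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;` in the -65 hunk of ssh_basic_client_template is only safe if `auth_use_nsswitch($1_ssh_t)`, added in the -133 hunk of the same template, still grants that access through its name-resolution rules; nothing in this hunk says so, and the same pairing recurs for ssh_t in ssh.te (hunks -95 and -160). The replacement `create_stream_socket_perms` also widens the client's tcp_socket set with listen/accept, presumably for local port forwarding, which the commit message does not state. A one-line comment above the surviving rule, such as `# netlink/dns access now comes from auth_use_nsswitch; listen/accept for port forwarding`, would make both intentional. The template body continues outside this hunk.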
@@ -183,19 +174,26 @@ template(`ssh_server_template', ` type $1_devpts_t; term_login_pty($1_devpts_t) + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) + type $1_var_run_t; files_pid_file($1_var_run_t) allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal setsched setrlimit setexec }; + allow $1_t self:process { signal getsched setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:shm create_shm_perms; allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; - term_create_pty($1_t,$1_devpts_t) + term_create_pty($1_t, $1_devpts_t) + + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) allow $1_t $1_var_run_t:file manage_file_perms; files_pid_filetrans($1_t, $1_var_run_t, file) @@ -206,6 +204,7 @@ template(`ssh_server_template', ` allow $1_t sshd_key_t:file read_file_perms; kernel_read_kernel_sysctls($1_t) + kernel_read_network_state($1_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) @@ -242,13 +241,15 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) - sysnet_read_config($1_t) - userdom_dontaudit_relabelfrom_user_ptys($1_t) userdom_search_user_home_dirs($1_t) + # Allow checking users mail at login + mta_getattr_spool($1_t) + tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) + fs_read_nfs_symlinks($1_t) ') tunable_policy(`use_samba_home_dirs',` 
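Review bot: `mta_getattr_spool($1_t)` is now called unconditionally in ssh_server_template (the -257 hunk of the same file removes its `optional_policy` wrapper), which makes the ssh module depend on the mta module's types at link time; if mta is not part of base policy in every build this will fail to load. If the hard dependency is intended because mta is always in base, say so in the comment: `# Allow checking users mail at login (mta is in base policy)`; otherwise keep the call inside `optional_policy(`` … `')`. The enclosing template continues outside this hunk.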
@@ -257,18 +258,12 @@ template(`ssh_server_template', ` optional_policy(` kerberos_use($1_t) + kerberos_manage_host_rcache($1_t) ') optional_policy(` - # Allow checking users mail at login - mta_getattr_spool($1_t) - ') + files_read_var_lib_symlinks($1_t) - optional_policy(` - nscd_socket_use($1_t) - ') - - optional_policy(` nx_spec_domtrans_server($1_t) ') ') @@ -298,7 +293,7 @@ template(`ssh_role_template',` gen_require(` attribute ssh_server, ssh_agent_type; - type ssh_t, ssh_exec_t, ssh_tmpfs_t, home_ssh_t; + type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; ') @@ -337,9 +332,10 @@ template(`ssh_role_template',` allow ssh_t $3:unix_stream_socket connectto; # user can manage the keys and config - manage_files_pattern($3, home_ssh_t, home_ssh_t) - manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) - manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) + manage_files_pattern($3, ssh_home_t, ssh_home_t) + manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) + manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1_t) ############################## # @@ -446,6 +442,24 @@ interface(`ssh_sigchld',` ######################################## ## +## Send a generic signal to the ssh server. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_signal',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:process signal; +') + +######################################## +## ## Read a ssh server unnamed pipe. ## ## @@ -461,6 +475,23 @@ interface(`ssh_read_pipes',` allow $1 sshd_t:fifo_file { getattr read }; ') +######################################## +## +## Read and write a ssh server unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_rw_pipes',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:fifo_file { write read getattr ioctl }; +') ######################################## ## 
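Review bot: After the -257 hunk `files_read_var_lib_symlinks($1_t)` sits inside the `optional_policy` block that wraps `nx_spec_domtrans_server($1_t)`, so it is granted only when the nx module is present, although it is a base (files) interface. If it is needed for the nx server path, a comment such as `# nx server keeps symlinks under /var/lib` next to it would explain the placement; if it is needed generally, move it above the `optional_policy(`` line. The template body continues outside this hunk.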
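Review bot: The added `userdom_search_user_home_dirs($1_t)` in ssh_role_template (-337 hunk) names the user domain as `$1_t`, while every neighbouring rule in the hunk (`allow ssh_t $3:unix_stream_socket connectto;`, `manage_files_pattern($3, ssh_home_t, ssh_home_t)`) uses the `$3` parameter; the two only coincide when callers pass a prefix whose `_t` type is the user domain. Using `$3` would be consistent: `userdom_search_user_home_dirs($3)`. If `$1_t` is deliberate, a comment stating which type is meant would help. The template continues outside this hunk.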
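Review bot: `allow $1 sshd_t:fifo_file { write read getattr ioctl };` in the new ssh_rw_pipes interface (-461 hunk) spells out its permission set by hand, while the rest of the file uses the `rw_fifo_file_perms` macro (for example `allow $1_t self:fifo_file rw_fifo_file_perms;` in ssh_server_template); if leaving out the remaining macro perms is not deliberate, `allow $1 sshd_t:fifo_file rw_fifo_file_perms;` matches house style. The closing `')` of ssh_rw_pipes is also not followed by a blank line before the next `####` header, unlike the ssh_signal interface added in the -446 hunk.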
@@ -570,6 +601,65 @@ interface(`ssh_exec',` ######################################## ## +## Set the attributes of sshd key files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_setattr_key_files',` + gen_require(` + type sshd_key_t; + ') + + allow $1 sshd_key_t:file setattr; + files_search_pids($1) +') + +######################################## +## +## Execute the ssh agent client in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_agent_exec',` + gen_require(` + type ssh_agent_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ssh_agent_exec_t) +') + +######################################## +## +## Read ssh home directory content +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_read_user_home_files',` + gen_require(` + type ssh_home_t; + ') + + allow $1 ssh_home_t:dir list_dir_perms; + read_files_pattern($1, ssh_home_t, ssh_home_t) + read_lnk_files_pattern($1, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## ## Execute the ssh key generator in the ssh keygen domain. ## ## @@ -603,3 +693,22 @@ interface(`ssh_dontaudit_read_server_keys',` dontaudit $1 sshd_key_t:file { getattr read }; ') + +####################################### +## +## Delete from the ssh temp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_delete_tmp',` + gen_require(` + type sshd_tmp_t; + ') + + files_search_tmp($1) + delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index abb77da..439f117 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh, 2.1.0) +policy_module(ssh, 2.1.1) ######################################## # 
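Review bot: ssh_setattr_key_files grants `setattr` on sshd_key_t files but the only directory search it adds is `files_search_pids($1)`, whereas the sshd_key_t paths visible in ssh.fc in this commit (`/etc/ssh/primes`, `/etc/ssh/ssh_host_key`) live under /etc. A caller would still need search access to /etc/ssh to reach them, so either a comment explaining the /var/run search (presumably keys are also created there in some configuration) or `files_search_etc($1)` alongside it seems needed. I cannot see the full ssh.fc, so an entry outside the diff may explain the choice.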
@@ -74,11 +74,11 @@ typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; files_tmpfs_file(ssh_tmpfs_t) ubac_constrained(ssh_tmpfs_t) -type home_ssh_t; -typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; -typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; -files_type(home_ssh_t) -userdom_user_home_content(home_ssh_t) +type ssh_home_t; +typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; +typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; +files_type(ssh_home_t) +userdom_user_home_content(ssh_home_t) ############################## # @@ -95,8 +95,7 @@ allow ssh_t self:shm create_shm_perms; allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; -allow ssh_t self:tcp_socket create_socket_perms; -allow ssh_t self:netlink_route_socket r_netlink_socket_perms; +allow ssh_t self:tcp_socket create_stream_socket_perms; # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; @@ -110,7 +109,7 @@ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t) manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t) 
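Review bot: The ssh_t rules that remain as context in the -110 hunk and the next (`manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t)`, `manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t)`, and the `manage_files_pattern`/`read_lnk_files_pattern` lines at the top of the -126 hunk) still name the old `home_ssh_t`, while the ssh_server rules a few lines below and the ssh.fc entry are rewritten to `ssh_home_t`. The typealias added in the -74 hunk keeps them working, but the module now mixes the canonical name and its alias; renaming these four rules to `ssh_home_t` would leave the alias purely as a compatibility shim.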
@@ -126,11 +125,12 @@ manage_files_pattern(ssh_t, home_ssh_t, home_ssh_t) read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t) # ssh servers can read the user keys and config -allow ssh_server home_ssh_t:dir list_dir_perms; -read_files_pattern(ssh_server, home_ssh_t, home_ssh_t) -read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t) +allow ssh_server ssh_home_t:dir list_dir_perms; +read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) +read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) kernel_read_kernel_sysctls(ssh_t) +kernel_read_system_state(ssh_t) corenet_all_recvfrom_unlabeled(ssh_t) corenet_all_recvfrom_netlabel(ssh_t) @@ -160,13 +160,12 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) +auth_use_nsswitch(ssh_t) + miscfiles_read_localization(ssh_t) seutil_read_config(ssh_t) -sysnet_read_config(ssh_t) -sysnet_dns_name_resolve(ssh_t) - userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. @@ -194,18 +193,7 @@ tunable_policy(`use_samba_home_dirs',` # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port(ssh_t) -') - -optional_policy(` - kerberos_use(ssh_t) -') - -optional_policy(` - nis_use_ypbind(ssh_t) -') - -optional_policy(` - nscd_socket_use(ssh_t) + corenet_tcp_bind_generic_node(ssh_t) ') optional_policy(` @@ -323,6 +311,10 @@ tunable_policy(`ssh_sysadm_login',` ') optional_policy(` + kerberos_keytab_template(sshd, sshd_t) +') + +optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') @@ -400,15 +392,13 @@ files_read_etc_files(ssh_keygen_t) init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) +auth_use_nsswitch(ssh_keygen_t) + logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` - nscd_socket_use(ssh_keygen_t) -') - -optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) ')
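Review bot: The `optional_policy` block with `kerberos_use(ssh_t)` is deleted in the -194 hunk with no visible replacement, while ssh_basic_client_template in ssh.if keeps `kerberos_use($1_ssh_t)` after the same cleanup; unless `auth_use_nsswitch(ssh_t)` (added in the -160 hunk) pulls in kerberos_use, GSSAPI authentication from ssh_t loses its access. Either restore the block or, if auth_use_nsswitch covers it, apply the same simplification to the client template so the two stay in step. The `corenet_tcp_bind_generic_node(ssh_t)` addition inside the `user_tcp_server` tunable looks correct for the bind the tunable already allows.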