diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index a55373e..1f3f640 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -31,6 +31,7 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
 	allow $1_ssh_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
 	allow $1_ssh_t self:msg { send receive };
+	allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
 
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
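Review bot: The permission set on the added `self:tcp_socket` rule is spelled out by hand, and the same twelve permissions are repeated for `self:udp_socket` inside the `use_dns` block in the third hunk. Reference policy's object permission sets normally define `create_socket_perms` for this set, so if this tree has it, `allow $1_ssh_t self:tcp_socket create_socket_perms;` is easier to audit and stays in step when the set changes. The list has `bind` but no `listen` or `accept`, which fits a client-only domain. A short comment saying that is intentional would keep the stream-server permissions from being added later without review. The template body starts and ends outside the hunk.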
@@ -40,6 +41,13 @@ template(`ssh_per_userdomain_template',`
 
 	kernel_read_kernel_sysctl($1_ssh_t)
 
+	corenet_tcp_sendrecv_all_if($1_ssh_t)
+	corenet_raw_sendrecv_all_if($1_ssh_t)
+	corenet_tcp_sendrecv_all_nodes($1_ssh_t)
+	corenet_raw_sendrecv_all_nodes($1_ssh_t)
+	corenet_tcp_sendrecv_all_ports($1_ssh_t)
+	corenet_tcp_bind_all_nodes($1_ssh_t)
+
 	dev_read_urand($1_ssh_t)
 
 	fs_getattr_all_fs($1_ssh_t)
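Review bot: `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` give every per-user ssh client domain raw IP send/receive on all interfaces and nodes, yet no `self:rawip_socket` rule appears in the visible lines, so it is unclear whether the domain needs them. If they only mirror what the removed `can_network_client_tcp` expanded to, a comment such as `# raw netif/node access carried over from can_network_client_tcp` would record that. Otherwise dropping the two lines keeps the domain closer to least privilege. Nothing visible grants `name_connect` on a port type either, so confirm that outbound connects are covered elsewhere in the template, which continues outside the hunk.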
@@ -65,6 +73,16 @@ template(`ssh_per_userdomain_template',`
 
 	seutil_read_config($1_ssh_t)
 
+	sysnet_read_config($1_ssh_t)
+
+	tunable_policy(`use_dns',`
+		allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		corenet_udp_sendrecv_all_if($1_ssh_t)
+		corenet_udp_sendrecv_all_nodes($1_ssh_t)
+		corenet_udp_sendrecv_dns_port($1_ssh_t)
+		corenet_udp_bind_all_nodes($1_ssh_t)
+	')
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_ssh_t)
 		fs_manage_nfs_files($1_ssh_t)
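Review bot: The `use_dns` block has no comment, and with the `can_resolve` call removed later in this diff it appears to be the only place DNS resolver access is granted to `$1_ssh_t`. A line such as `# DNS lookups over UDP; replaces can_resolve(). Not granted when use_dns is off.` above the `tunable_policy` would tell an admin toggling the boolean what changes. Whether `can_resolve` was itself conditional on the boolean cannot be seen from here, so the commit message should say if this is a behaviour change. Only UDP to the DNS port is covered inside the block; resolver fallback to TCP presumably relies on the unconditional TCP rules added earlier in the template.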
@@ -104,8 +122,6 @@ template(`ssh_per_userdomain_template',`
 
 	# Grant permissions needed to create TCP and UDP sockets and
 	# to access the network.
-	can_network_client_tcp($1_ssh_t)
-	can_resolve($1_ssh_t)
 	can_ypbind($1_ssh_t)
 	can_kerberos($1_ssh_t)