Layer: services

Module: ssh


Description:

Secure shell client and server policy.


Tunables:

ssh_chroot_rw_homedirs
Default value

false

Description

Allow ssh running in a chroot environment to read and write files in user home directories.

ssh_keysign
Default value

false

Description

Allow host-key-based authentication.

ssh_sysadm_login
Default value

false

Description

Allow ssh logins as sysadm_r:sysadm_t.


Interfaces:

ssh_agent_exec( domain )
Summary

Execute the ssh agent client in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_append_home_files( domain )
Summary

Append to ssh home directory content.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_delete_tmp( domain )
Summary

Delete ssh temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_domtrans( domain )
Summary

Execute the ssh daemon in the sshd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

ssh_domtrans_keygen( domain )
Summary

Execute the ssh key generator in the ssh keygen domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

ssh_dontaudit_read_server_keys( domain )
Summary

Do not audit attempts to read ssh server keys.

Parameters
Parameter:Description:
domain

Domain to not audit.

ssh_dontaudit_rw_tcp_sockets( domain )
Summary

Do not audit attempts to read and write ssh server TCP sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

ssh_dontaudit_search_user_home_dir( domain )
Summary

Do not audit attempts to search ssh home directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

ssh_dontaudit_use_ptys( domain )
Summary

Do not audit attempts to read and write the sshd pty type.

Parameters
Parameter:Description:
domain

Domain to not audit.

ssh_dyntransition_to( domain )
Summary

Allow the domain to dyntransition to the chroot_user_t domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_exec( domain )
Summary

Execute the ssh client in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_exec_keygen( domain )
Summary

Execute the ssh key generator in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_filetrans_admin_home_content( domain )
Summary

Create the .ssh directory in the /root directory with the correct label.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_filetrans_home_content( domain )
Summary

Create the .ssh directory in the user home directory with the correct label.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_filetrans_keys( domain )
Summary

Create the .ssh directory in the user home directory with the correct label.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_getattr_server_keys( domain )
Summary

Get the attributes of ssh server keys.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_getattr_user_home_dir( domain )
Summary

Get the attributes of ssh home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_initrc_domtrans( domain )
Summary

Execute sshd server in the sshd domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_manage_home_files( domain )
Summary

Manage ssh home directory content.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_read_pipes( domain )
Summary

Read an ssh server unnamed pipe.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_read_user_home_files( domain )
Summary

Read ssh home directory content.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_run_keygen( domain , role )
Summary

Execute ssh-keygen in the ssh-keygen domain, and allow the specified role access to the ssh-keygen domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

Role allowed access.

ssh_rw_dgram_sockets( domain )
Summary

Read and write ssh server unix dgram sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_rw_pipes( domain )
Summary

Read and write an ssh server unnamed pipe.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_rw_stream_sockets( domain )
Summary

Read and write ssh server unix domain stream sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_rw_tcp_sockets( domain )
Summary

Read and write ssh server TCP sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_setattr_key_files( domain )
Summary

Set the attributes of sshd key files.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_sigchld( domain )
Summary

Send a SIGCHLD signal to the ssh server.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_signal( domain )
Summary

Send a generic signal to the ssh server.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_signull( domain )
Summary

Send a null signal to sshd processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_systemctl( domain )
Summary

Execute sshd server in the sshd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

ssh_tcp_connect( domain )
Summary

Connect to SSH daemons over TCP sockets. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

ssh_use_ptys( domain )
Summary

Read and write inherited sshd pty type.

Parameters
Parameter:Description:
domain

Domain allowed access.


Templates:

ssh_basic_client_template( userdomain_prefix , user_domain , user_role )
Summary

Basic SSH client template.

Description

This template creates derived domains that are used for ssh client sessions. A derived type is also created to protect the user's ssh keys.

This template was added for NX.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the domain (e.g., user is the prefix for user_t).

user_domain

The type of the domain.

user_role

The role associated with the user domain.

ssh_dyntransition_domain_template( domain )
Summary

The template to define a domain to which sshd can dyntransition.

Parameters
Parameter:Description:
domain

The prefix of the dyntransition domain.

ssh_role_template( role_prefix , role , domain )
Summary

Role access for ssh.

Parameters
Parameter:Description:
role_prefix

The prefix of the role (e.g., user is the prefix for user_r).

role

Role allowed access.

domain

User domain for the role.

ssh_server_template( userdomain_prefix )
Summary

The template to define a ssh server.

Description

This template creates the domains used to run an ssh server. This is typically done to have multiple ssh servers of different sensitivities, such as an internal network-facing ssh server and an external network-facing ssh server.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the server domain (e.g., sshd is the prefix for sshd_t).
