sshd_selinux(8)               SELinux Policy sshd              sshd_selinux(8)


NAME

       sshd_selinux - Security Enhanced Linux Policy for the sshd processes


DESCRIPTION

       Security-Enhanced Linux secures the sshd processes via flexible
       mandatory access control.

       The sshd processes execute with the sshd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep sshd_t


ENTRYPOINTS

       The sshd_t SELinux type can be entered via the sshd_exec_t file type.

       The default entrypoint paths for the sshd_t domain are the following:

       /usr/sbin/sshd, /usr/sbin/gsisshd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       sshd policy is very flexible, allowing users to set up their sshd
       processes in as secure a manner as possible.

       The following process types are defined for sshd:

       sshd_t, sshd_sandbox_t, sshd_net_t, ssh_keygen_t, sshd_keygen_t, ssh_t, ssh_keysign_t

       Note: semanage permissive -a sshd_t can be used to make the process
       type sshd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

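       The script below is an added example; it is not part of this generated
       manual page or of the SELinux policy. It parses `ps -eZ` output (a
       constructed sample is embedded, including one sshd that runs in
       unconfined_t, which is what you see when a copy of the daemon is
       started from a path not labeled sshd_exec_t) and prints every sshd
       process whose type is not one of the domains listed above. The
       function names and the --live switch are the example's own.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): verify that every
# sshd process runs in one of the sshd policy domains.

# Domains this manual page lists for sshd.
SSHD_DOMAINS="sshd_t sshd_sandbox_t sshd_net_t ssh_keygen_t sshd_keygen_t ssh_t ssh_keysign_t"

# Constructed sample of `ps -eZ` output (not captured from a real host).
# PID 2201 stands for a daemon started from a path that is not labeled
# sshd_exec_t, so no domain transition happened and it runs unconfined.
SAMPLE_PS='LABEL                                          PID TTY          TIME CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023        812 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 pts/0    00:00:00 sshd
system_u:system_r:sshd_keygen_t:s0             640 ?        00:00:00 sshd-keygen
system_u:system_r:crond_t:s0-s0:c0.c1023       901 ?        00:00:00 crond'

# Read `ps -eZ` output on stdin; print "<pid> <type>" for each sshd* process
# whose type (third field of the security context) is not an sshd domain.
find_unconfined_sshd() {
    awk -v domains="$SSHD_DOMAINS" '
        BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        NR == 1 { next }                 # skip the LABEL/PID/TTY/TIME/CMD header
        $5 ~ /^sshd/ {                   # CMD column
            split($1, ctx, ":")          # user:role:type:range
            if (!(ctx[3] in ok)) print $2, ctx[3]
        }'
}

# Same check against the live process table; returns non-zero when anything
# is flagged so it can be used from a monitoring job.
check_live_sshd() {
    flagged=$(ps -eZ | find_unconfined_sshd)
    [ -z "$flagged" ] || { printf '%s\n' "$flagged"; return 1; }
}

# Run against the embedded sample by default, against the host with --live.
case "${1-}" in
    --live) check_live_sshd ;;
    "")     printf '%s\n' "$SAMPLE_PS" | find_unconfined_sshd ;;
esac
```

       Run without arguments it reports "2201 unconfined_t" from the sample;
       with --live it reads the real process table and exits non-zero if any
       sshd is outside the listed domains.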

BOOLEANS

       SELinux policy is customizable based on least access required. sshd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sshd with the tightest access possible.

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to allow sshd to use tcp wrappers, you must turn on the
       ssh_use_tcpd boolean. Disabled by default.

       setsebool -P ssh_use_tcpd 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to enable polyinstantiated directory support, you must turn
       on the polyinstantiation_enabled boolean. Disabled by default.

       setsebool -P polyinstantiation_enabled 1

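       The script below is an added example, not part of this generated
       manual page. It compares the six booleans above, with the defaults
       stated for each, against `getsebool -a` output (a constructed sample
       with two changed booleans is embedded) and prints the setsebool -P
       commands that would restore the defaults. The function names and the
       --live switch are the example's own.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): audit the sshd-related
# booleans against the defaults this manual page states.

# Defaults as given on this page ("name default").
SSHD_BOOLEAN_DEFAULTS='ssh_sysadm_login off
ssh_use_tcpd off
fips_mode on
kerberos_enabled off
nis_enabled off
polyinstantiation_enabled off'

# Constructed sample of `getsebool -a` output: fips_mode was switched off and
# ssh_sysadm_login switched on; the others are at their defaults.
SAMPLE_GETSEBOOL='fips_mode --> off
kerberos_enabled --> off
nis_enabled --> off
polyinstantiation_enabled --> off
ssh_sysadm_login --> on
ssh_use_tcpd --> off
zabbix_can_network --> off'

# Read getsebool output on stdin; print "name current default" for every
# boolean in the table whose current value differs from its default.
audit_sshd_booleans() {
    awk -v defaults="$SSHD_BOOLEAN_DEFAULTS" '
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# Turn audit lines into the setsebool -P commands that restore the defaults
# (1 for on, 0 for off, as on this page).
revert_commands() {
    awk '{ print "setsebool -P " $1 " " ($3 == "on" ? 1 : 0) }'
}

case "${1-}" in
    --live) getsebool -a | audit_sshd_booleans | revert_commands ;;
    "")     printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_sshd_booleans | revert_commands ;;
esac
```

       Review the printed commands before running them: a boolean that was
       deliberately changed (for example fips_mode on a host that must stay
       out of FIPS mode) should be documented rather than reverted.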

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux sshd policy is very flexible, allowing users to set up their
       sshd processes in as secure a manner as possible.

       The following port types are defined for sshd:

       ssh_port_t

       Default Defined Ports:
                 tcp 22

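       The script below is an added example, not part of this generated
       manual page. It parses `semanage port -l` output (a constructed,
       abridged sample is embedded) and checks every Port directive of an
       sshd_config fragment (also constructed) against ssh_port_t, printing
       the port and a labeling command for each one that is not covered. A
       listening port without the ssh_port_t label is the usual reason sshd
       fails to bind after Port is changed. The semanage port -a/-m/-t/-p
       options used in the output are real semanage options not shown on this
       page; the function names and the --live switch are the example's own.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): check that every port
# sshd is configured to listen on carries the ssh_port_t type.

# Constructed sample of `semanage port -l` output (abridged).
SAMPLE_SEMANAGE_PORT='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767'

# Constructed sshd_config fragment: 2222 is a non-default listening port.
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 22
Port 2222
ListenAddress 0.0.0.0'

# port_has_type LISTING TYPE PROTO PORT
# Exit 0 when PORT/PROTO appears under TYPE in a `semanage port -l` listing,
# handling both comma-separated port lists and lo-hi ranges.
port_has_type() {
    printf '%s\n' "$1" | awk -v type="$2" -v proto="$3" -v port="$4" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)                  # strip trailing comma
                if (p ~ /-/) {                            # range such as 1024-32767
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (p + 0 == port + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# unlabeled_sshd_ports LISTING SSHD_CONFIG_TEXT
# Print "<port> <command>" for each Port directive not covered by ssh_port_t.
# The command uses semanage port -a; a port that is already explicitly owned
# by another type must be changed with -m instead of -a.
unlabeled_sshd_ports() {
    printf '%s\n' "$2" | awk '$1 == "Port" { print $2 }' | while read -r p; do
        if ! port_has_type "$1" ssh_port_t tcp "$p"; then
            printf '%s semanage port -a -t ssh_port_t -p tcp %s\n' "$p" "$p"
        fi
    done
}

case "${1-}" in
    --live) unlabeled_sshd_ports "$(semanage port -l)" "$(cat /etc/ssh/sshd_config)" ;;
    "")     unlabeled_sshd_ports "$SAMPLE_SEMANAGE_PORT" "$SAMPLE_SSHD_CONFIG" ;;
esac
```

       With the sample input the only line printed is for port 2222, which
       falls in the unreserved_port_t range rather than ssh_port_t.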

MANAGED FILES

       The SELinux process type sshd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       auth_cache_t

            /var/cache/coolkey(/.*)?

       auth_home_t

            /root/.yubico(/.*)?
            /root/.config/Yubico(/.*)?
            /root/.google_authenticator
            /root/.google_authenticator~
            /home/[^/]+/.yubico(/.*)?
            /home/[^/]+/.config/Yubico(/.*)?
            /home/[^/]+/.google_authenticator
            /home/[^/]+/.google_authenticator~

       cgroup_t

            /sys/fs/cgroup

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       condor_var_lib_t

            /var/lib/condor(/.*)?
            /var/lib/condor/spool(/.*)?
            /var/lib/condor/execute(/.*)?

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       gitosis_var_lib_t

            /srv/lib/gitosis(/.*)?
            /var/lib/gitosis(/.*)?
            /var/lib/gitolite(3)?(/.*)?

       initrc_var_run_t

            /var/run/utmp
            /var/run/random-seed
            /var/run/runlevel.dir
            /var/run/setmixer_flag

       lastlog_t

            /var/log/lastlog.*

       nfs_t

       pam_var_run_t

            /var/(db|adm)/sudo(/.*)?
            /var/lib/sudo(/.*)?
            /var/run/sudo(/.*)?
            /var/run/motd.d(/.*)?
            /var/run/pam_ssh(/.*)?
            /var/run/sepermit(/.*)?
            /var/run/pam_mount(/.*)?
            /var/run/pam_timestamp(/.*)?
            /var/run/motd

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       sshd_var_run_t

            /var/run/sshd.pid
            /var/run/sshd.init.pid

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?

       wtmp_t

            /var/log/wtmp.*


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux sshd policy is very flexible, allowing users to set up their
       sshd processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for sshd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t sshd_keytab_t '/srv/mysshd_content(/.*)?'
       restorecon -R -v /srv/mysshd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for sshd:

       sshd_exec_t

       - Set files with the sshd_exec_t type, if you want to transition an
       executable to the sshd_t domain.

       Paths:
            /usr/sbin/sshd, /usr/sbin/gsisshd

       sshd_initrc_exec_t

       - Set files with the sshd_initrc_exec_t type, if you want to transition
       an executable to the sshd_initrc_t domain.

       sshd_key_t

       - Set files with the sshd_key_t type, if you want to treat the files as
       sshd key data.

       Paths:
            /etc/ssh/ssh_host.*_key, /etc/ssh/ssh_host.*_key.pub,
            /etc/ssh/primes

       sshd_keygen_exec_t

       - Set files with the sshd_keygen_exec_t type, if you want to transition
       an executable to the sshd_keygen_t domain.

       Paths:
            /usr/sbin/sshd-keygen, /usr/libexec/openssh/sshd-keygen

       sshd_keygen_unit_file_t

       - Set files with the sshd_keygen_unit_file_t type, if you want to treat
       the files as sshd keygen unit content.

       sshd_keytab_t

       - Set files with the sshd_keytab_t type, if you want to treat the files
       as kerberos keytab files.

       sshd_tmpfs_t

       - Set files with the sshd_tmpfs_t type, if you want to store sshd files
       on a tmpfs file system.

       sshd_unit_file_t

       - Set files with the sshd_unit_file_t type, if you want to treat the
       files as sshd unit content.

       sshd_var_run_t

       - Set files with the sshd_var_run_t type, if you want to store the sshd
       files under the /run or /var/run directory.

       Paths:
            /var/run/sshd.pid, /var/run/sshd.init.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

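       The script below is an added example, not part of this generated
       manual page. It takes the sshd file-context specifications listed
       above, applies each one to a path the way the labeling database does
       (the regex must match the whole path), so you can see which sshd type
       a given file should carry, and it builds the semanage fcontext and
       restorecon pair from the STANDARD FILE CONTEXT section for relocating
       content, escaping literal dots in the directory name. grep -E stands
       in for the policy's regex engine, which is equivalent for these
       patterns; on a live system `matchpathcon PATH` consults the full
       database. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): match paths against
# the sshd file-context regexes and generate relabeling commands.

# "type regex" pairs copied from the Paths given on this page.
SSHD_FILE_CONTEXTS='sshd_exec_t /usr/sbin/sshd
sshd_exec_t /usr/sbin/gsisshd
sshd_key_t /etc/ssh/ssh_host.*_key
sshd_key_t /etc/ssh/ssh_host.*_key.pub
sshd_key_t /etc/ssh/primes
sshd_keygen_exec_t /usr/sbin/sshd-keygen
sshd_keygen_exec_t /usr/libexec/openssh/sshd-keygen
sshd_var_run_t /var/run/sshd.pid
sshd_var_run_t /var/run/sshd.init.pid'

# fcontext_matches REGEX PATH: exit 0 when the whole path matches the regex,
# i.e. the regex is anchored at both ends as file_contexts entries are.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# sshd_types_for_path PATH: print the type of every sshd spec above that
# matches PATH (empty output means none of the sshd specs apply).
sshd_types_for_path() {
    printf '%s\n' "$SSHD_FILE_CONTEXTS" | while read -r type regex; do
        if fcontext_matches "$regex" "$1"; then printf '%s\n' "$type"; fi
    done
}

# fcontext_commands TYPE DIR: print the semanage fcontext and restorecon
# commands that label DIR and everything below it as TYPE. A trailing slash
# is dropped and literal dots are escaped so they are not regex wildcards.
fcontext_commands() {
    dir=${2%/}
    esc=$(printf '%s\n' "$dir" | sed 's/\./\\./g')
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$1" "$esc"
    printf 'restorecon -R -v %s\n' "$dir"
}

# Stand-alone demonstration: a host key and the relocation from this page.
sshd_types_for_path /etc/ssh/ssh_host_ed25519_key
fcontext_commands sshd_keytab_t /srv/mysshd_content
```

       Note that /etc/ssh/sshd_config matches none of the sshd specs above:
       it is labeled by a different module's entry, which is why
       matchpathcon, not this list alone, is the authority on a live system.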

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sshd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8),
       sshd_keygen_selinux(8), sshd_net_selinux(8), sshd_sandbox_selinux(8)



sshd                               21-03-26                    sshd_selinux(8)