ssh_selinux(8)

1ssh_selinux(8)                SELinux Policy ssh                ssh_selinux(8)
2
3
4

NAME

6       ssh_selinux - Security Enhanced Linux Policy for the ssh processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the ssh processes via flexible manda‐
10       tory access control.
11
12       The ssh processes execute with the ssh_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep ssh_t
19
20
21

ENTRYPOINTS

23       The ssh_t SELinux type can be entered via the ssh_exec_t file type.
24
25       The default entrypoint paths for the ssh_t domain are the following:
26
27       /usr/bin/ssh, /usr/libexec/nm-ssh-service
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       ssh policy is very flexible allowing users to setup their ssh processes
37       in as secure a method as possible.
38
39       The following process types are defined for ssh:
40
41       sshd_t, sshd_sandbox_t, sshd_net_t, ssh_keygen_t, sshd_keygen_t, ssh_t, ssh_keysign_t
42
43       Note: semanage permissive -a ssh_t can be used to make the process type
44       ssh_t permissive. SELinux does not deny access  to  permissive  process
45       types, but the AVC (SELinux denials) messages are still generated.
46
47

BOOLEANS

49       SELinux  policy  is  customizable  based on least access required.  ssh
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run ssh with the tightest access possible.
52
53
54
55       If  you  want  to allow host key based authentication, you must turn on
56       the ssh_keysign boolean. Disabled by default.
57
58       setsebool -P ssh_keysign 1
59
60
61
62       If you want to allow users to resolve user passwd entries directly from
63       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
64       gin_nsswitch_use_ldap boolean. Disabled by default.
65
66       setsebool -P authlogin_nsswitch_use_ldap 1
67
68
69
70       If you want to allow all domains to execute in fips_mode, you must turn
71       on the fips_mode boolean. Enabled by default.
72
73       setsebool -P fips_mode 1
74
75
76
77       If  you  want  to allow confined applications to run with kerberos, you
78       must turn on the kerberos_enabled boolean. Enabled by default.
79
80       setsebool -P kerberos_enabled 1
81
82
83
84       If you want to allow system to run with  NIS,  you  must  turn  on  the
85       nis_enabled boolean. Disabled by default.
86
87       setsebool -P nis_enabled 1
88
89
90
91       If  you  want to allow confined applications to use nscd shared memory,
92       you must turn on the nscd_use_shm boolean. Disabled by default.
93
94       setsebool -P nscd_use_shm 1
95
96
97
98       If you want to allow regular users direct dri device access,  you  must
99       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
100
101       setsebool -P selinuxuser_direct_dri_enabled 1
102
103
104
105       If you want to allow users to run TCP servers (bind to ports and accept
106       connection from the same domain  and  outside  users)   disabling  this
107       forces  FTP  passive mode and may change other protocols, you must turn
108       on the selinuxuser_tcp_server boolean. Disabled by default.
109
110       setsebool -P selinuxuser_tcp_server 1
111
112
113
114       If you want to allows clients to write to the X  server  shared  memory
115       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
116       abled by default.
117
118       setsebool -P xserver_clients_write_xshm 1
119
120
121

PORT TYPES

123       SELinux defines port types to represent TCP and UDP ports.
124
125       You can see the types associated with a port  by  using  the  following
126       command:
127
128       semanage port -l
129
130
131       Policy  governs  the  access  confined  processes  have to these ports.
132       SELinux ssh policy is very flexible allowing users to setup  their  ssh
133       processes in as secure a method as possible.
134
135       The following port types are defined for ssh:
136
137
138       ssh_port_t
139
140
141
142       Default Defined Ports:
143                 tcp 22
144

MANAGED FILES

146       The  SELinux  process type ssh_t can manage files labeled with the fol‐
147       lowing file types.  The paths listed are the default  paths  for  these
148       file types.  Note the processes UID still need to have DAC permissions.
149
150       cifs_t
151
152
153       ecryptfs_t
154
155            /home/[^/]+/.Private(/.*)?
156            /home/[^/]+/.ecryptfs(/.*)?
157
158       fusefs_t
159
160            /var/run/user/[^/]*/gvfs
161
162       nfs_t
163
164
165       ssh_home_t
166
167            /var/lib/[^/]+/.ssh(/.*)?
168            /root/.ssh(/.*)?
169            /var/lib/one/.ssh(/.*)?
170            /var/lib/pgsql/.ssh(/.*)?
171            /var/lib/openshift/[^/]+/.ssh(/.*)?
172            /var/lib/amanda/.ssh(/.*)?
173            /var/lib/stickshift/[^/]+/.ssh(/.*)?
174            /var/lib/gitolite/.ssh(/.*)?
175            /var/lib/nocpulse/.ssh(/.*)?
176            /var/lib/gitolite3/.ssh(/.*)?
177            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
178            /root/.shosts
179            /home/[^/]+/.ssh(/.*)?
180            /home/[^/]+/.ansible/cp/.*
181            /home/[^/]+/.shosts
182
183       ssh_tmpfs_t
184
185
186       user_fonts_cache_t
187
188            /root/.fontconfig(/.*)?
189            /root/.fonts/auto(/.*)?
190            /root/.fonts.cache-.*
191            /root/.cache/fontconfig(/.*)?
192            /home/[^/]+/.fontconfig(/.*)?
193            /home/[^/]+/.fonts/auto(/.*)?
194            /home/[^/]+/.fonts.cache-.*
195            /home/[^/]+/.cache/fontconfig(/.*)?
196
197       user_tmp_t
198
199            /dev/shm/mono.*
200            /var/run/user(/.*)?
201            /tmp/.ICE-unix(/.*)?
202            /tmp/.X11-unix(/.*)?
203            /dev/shm/pulse-shm.*
204            /tmp/.X0-lock
205            /tmp/hsperfdata_root
206            /var/tmp/hsperfdata_root
207            /home/[^/]+/tmp
208            /home/[^/]+/.tmp
209            /tmp/gconfd-[^/]+
210
211       user_tmp_type
212
213            all user tmp files
214
215       xserver_tmpfs_t
216
217
218

FILE CONTEXTS

220       SELinux requires files to have an extended attribute to define the file
221       type.
222
223       You can see the context of a file using the -Z option to ls
224
225       Policy governs the access  confined  processes  have  to  these  files.
226       SELinux  ssh  policy is very flexible allowing users to setup their ssh
227       processes in as secure a method as possible.
228
229       STANDARD FILE CONTEXT
230
231       SELinux defines the file context types for the ssh, if  you  wanted  to
232       store  files  with  these types in a diffent paths, you need to execute
233       the semanage command  to  sepecify  alternate  labeling  and  then  use
234       restorecon to put the labels on disk.
235
236       semanage fcontext -a -t ssh_home_t '/srv/myssh_content(/.*)?'
237       restorecon -R -v /srv/myssh_content
238
239       Note:  SELinux  often  uses  regular expressions to specify labels that
240       match multiple files.
241
242       The following file types are defined for ssh:
243
244
245
246       ssh_agent_exec_t
247
248       - Set files with the ssh_agent_exec_t type, if you want  to  transition
249       an executable to the ssh_agent_t domain.
250
251
252
253       ssh_agent_tmp_t
254
255       -  Set  files  with  the ssh_agent_tmp_t type, if you want to store ssh
256       agent temporary files in the /tmp directories.
257
258
259
260       ssh_exec_t
261
262       - Set files with the ssh_exec_t type, if you want to transition an exe‐
263       cutable to the ssh_t domain.
264
265
266       Paths:
267            /usr/bin/ssh, /usr/libexec/nm-ssh-service
268
269
270       ssh_home_t
271
272       - Set files with the ssh_home_t type, if you want to store ssh files in
273       the users home directory.
274
275
276       Paths:
277            /var/lib/[^/]+/.ssh(/.*)?,                       /root/.ssh(/.*)?,
278            /var/lib/one/.ssh(/.*)?, /var/lib/pgsql/.ssh(/.*)?, /var/lib/open‐
279            shift/[^/]+/.ssh(/.*)?,                /var/lib/amanda/.ssh(/.*)?,
280            /var/lib/stickshift/[^/]+/.ssh(/.*)?,               /var/lib/gito‐
281            lite/.ssh(/.*)?,   /var/lib/nocpulse/.ssh(/.*)?,    /var/lib/gito‐
282            lite3/.ssh(/.*)?,        /var/lib/openshift/gear/[^/]+/.ssh(/.*)?,
283            /root/.shosts, /home/[^/]+/.ssh(/.*)?, /home/[^/]+/.ansible/cp/.*,
284            /home/[^/]+/.shosts
285
286
287       ssh_keygen_exec_t
288
289       -  Set files with the ssh_keygen_exec_t type, if you want to transition
290       an executable to the ssh_keygen_t domain.
291
292
293
294       ssh_keygen_tmp_t
295
296       - Set files with the ssh_keygen_tmp_t type, if you want  to  store  ssh
297       keygen temporary files in the /tmp directories.
298
299
300
301       ssh_keysign_exec_t
302
303       - Set files with the ssh_keysign_exec_t type, if you want to transition
304       an executable to the ssh_keysign_t domain.
305
306
307       Paths:
308            /usr/lib/openssh/ssh-keysign, /usr/libexec/openssh/ssh-keysign
309
310
311       ssh_tmpfs_t
312
313       - Set files with the ssh_tmpfs_t type, if you want to store  ssh  files
314       on a tmpfs file system.
315
316
317
318       sshd_exec_t
319
320       -  Set  files  with  the sshd_exec_t type, if you want to transition an
321       executable to the sshd_t domain.
322
323
324       Paths:
325            /usr/sbin/sshd, /usr/sbin/gsisshd
326
327
328       sshd_initrc_exec_t
329
330       - Set files with the sshd_initrc_exec_t type, if you want to transition
331       an executable to the sshd_initrc_t domain.
332
333
334
335       sshd_key_t
336
337       - Set files with the sshd_key_t type, if you want to treat the files as
338       sshd key data.
339
340
341       Paths:
342            /etc/ssh/ssh_host.*_key,              /etc/ssh/ssh_host.*_key.pub,
343            /etc/ssh/primes
344
345
346       sshd_keygen_exec_t
347
348       - Set files with the sshd_keygen_exec_t type, if you want to transition
349       an executable to the sshd_keygen_t domain.
350
351
352       Paths:
353            /usr/sbin/sshd-keygen, /usr/libexec/openssh/sshd-keygen
354
355
356       sshd_keygen_unit_file_t
357
358       - Set files with the sshd_keygen_unit_file_t type, if you want to treat
359       the files as sshd keygen unit content.
360
361
362
363       sshd_keytab_t
364
365       - Set files with the sshd_keytab_t type, if you want to treat the files
366       as kerberos keytab files.
367
368
369
370       sshd_tmpfs_t
371
372       - Set files with the sshd_tmpfs_t type, if you want to store sshd files
373       on a tmpfs file system.
374
375
376
377       sshd_unit_file_t
378
379       -  Set  files  with the sshd_unit_file_t type, if you want to treat the
380       files as sshd unit content.
381
382
383
384       sshd_var_run_t
385
386       - Set files with the sshd_var_run_t type, if you want to store the sshd
387       files under the /run or /var/run directory.
388
389
390       Paths:
391            /var/run/sshd.pid, /var/run/sshd.init.pid
392
393
394       Note:  File context can be temporarily modified with the chcon command.
395       If you want to permanently change the file context you need to use  the
396       semanage fcontext command.  This will modify the SELinux labeling data‐
397       base.  You will need to use restorecon to apply the labels.
398
399

COMMANDS

401       semanage fcontext can also be used to manipulate default  file  context
402       mappings.
403
404       semanage  permissive  can  also  be used to manipulate whether or not a
405       process type is permissive.
406
407       semanage module can also be used to enable/disable/install/remove  pol‐
408       icy modules.
409
410       semanage port can also be used to manipulate the port definitions
411
412       semanage boolean can also be used to manipulate the booleans
413
414
415       system-config-selinux is a GUI tool available to customize SELinux pol‐
416       icy settings.
417
418

AUTHOR

420       This manual page was auto-generated using sepolicy manpage .
421
422