ssh_selinux(8)

1ssh_selinux(8)                SELinux Policy ssh                ssh_selinux(8)
2
3
4

NAME

6       ssh_selinux - Security Enhanced Linux Policy for the ssh processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the ssh processes via flexible manda‐
10       tory access control.
11
12       The ssh processes execute with the ssh_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep ssh_t
19
20
21

ENTRYPOINTS

23       The ssh_t SELinux type can be entered via the ssh_exec_t file type.
24
25       The default entrypoint paths for the ssh_t domain are the following:
26
27       /usr/bin/ssh, /usr/libexec/nm-ssh-service
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       ssh policy is very flexible allowing users to setup their ssh processes
37       in as secure a method as possible.
38
39       The following process types are defined for ssh:
40
41       sshd_t, sshd_sandbox_t, sshd_net_t, ssh_keygen_t, sshd_keygen_t, ssh_t, ssh_keysign_t
42
43       Note: semanage permissive -a ssh_t can be used to make the process type
44       ssh_t permissive. SELinux does not deny access  to  permissive  process
45       types, but the AVC (SELinux denials) messages are still generated.
46
47

BOOLEANS

49       SELinux  policy  is  customizable  based on least access required.  ssh
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run ssh with the tightest access possible.
52
53
54
55       If  you  want  to allow host key based authentication, you must turn on
56       the ssh_keysign boolean. Disabled by default.
57
58       setsebool -P ssh_keysign 1
59
60
61
62       If you want to allow all domains to execute in fips_mode, you must turn
63       on the fips_mode boolean. Enabled by default.
64
65       setsebool -P fips_mode 1
66
67
68
69       If  you  want to allow regular users direct dri device access, you must
70       turn  on  the  selinuxuser_direct_dri_enabled  boolean.   Disabled   by
71       default.
72
73       setsebool -P selinuxuser_direct_dri_enabled 1
74
75
76
77       If you want to allow users to run TCP servers (bind to ports and accept
78       connection from the same domain  and  outside  users)   disabling  this
79       forces  FTP  passive mode and may change other protocols, you must turn
80       on the selinuxuser_tcp_server boolean. Disabled by default.
81
82       setsebool -P selinuxuser_tcp_server 1
83
84
85
86       If you want to allows clients to write to the X  server  shared  memory
87       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
88       abled by default.
89
90       setsebool -P xserver_clients_write_xshm 1
91
92
93

PORT TYPES

95       SELinux defines port types to represent TCP and UDP ports.
96
97       You can see the types associated with a port  by  using  the  following
98       command:
99
100       semanage port -l
101
102
103       Policy  governs  the  access  confined  processes  have to these ports.
104       SELinux ssh policy is very flexible allowing users to setup  their  ssh
105       processes in as secure a method as possible.
106
107       The following port types are defined for ssh:
108
109
110       ssh_port_t
111
112
113
114       Default Defined Ports:
115                 tcp 22
116

MANAGED FILES

118       The  SELinux  process type ssh_t can manage files labeled with the fol‐
119       lowing file types.  The paths listed are the default  paths  for  these
120       file types.  Note the processes UID still need to have DAC permissions.
121
122       cifs_t
123
124
125       ecryptfs_t
126
127            /home/[^/]+/.Private(/.*)?
128            /home/[^/]+/.ecryptfs(/.*)?
129
130       fusefs_t
131
132            /var/run/user/[^/]*/gvfs
133
134       nfs_t
135
136
137

FILE CONTEXTS

139       SELinux requires files to have an extended attribute to define the file
140       type.
141
142       You can see the context of a file using the -Z option to ls
143
144       Policy governs the access  confined  processes  have  to  these  files.
145       SELinux  ssh  policy is very flexible allowing users to setup their ssh
146       processes in as secure a method as possible.
147
148       STANDARD FILE CONTEXT
149
150       SELinux defines the file context types for the ssh, if  you  wanted  to
151       store  files  with  these types in a diffent paths, you need to execute
152       the semanage command  to  sepecify  alternate  labeling  and  then  use
153       restorecon to put the labels on disk.
154
155       semanage fcontext -a -t ssh_home_t '/srv/myssh_content(/.*)?'
156       restorecon -R -v /srv/myssh_content
157
158       Note:  SELinux  often  uses  regular expressions to specify labels that
159       match multiple files.
160
161       The following file types are defined for ssh:
162
163
164
165       ssh_agent_exec_t
166
167       - Set files with the ssh_agent_exec_t type, if you want  to  transition
168       an executable to the ssh_agent_t domain.
169
170
171
172       ssh_agent_tmp_t
173
174       -  Set  files  with  the ssh_agent_tmp_t type, if you want to store ssh
175       agent temporary files in the /tmp directories.
176
177
178
179       ssh_exec_t
180
181       - Set files with the ssh_exec_t type, if you want to transition an exe‐
182       cutable to the ssh_t domain.
183
184
185       Paths:
186            /usr/bin/ssh, /usr/libexec/nm-ssh-service
187
188
189       ssh_home_t
190
191       - Set files with the ssh_home_t type, if you want to store ssh files in
192       the users home directory.
193
194
195       Paths:
196            /var/lib/[^/]+/.ssh(/.*)?,                       /root/.ssh(/.*)?,
197            /var/lib/one/.ssh(/.*)?, /var/lib/pgsql/.ssh(/.*)?, /var/lib/open‐
198            shift/[^/]+/.ssh(/.*)?,                /var/lib/amanda/.ssh(/.*)?,
199            /var/lib/stickshift/[^/]+/.ssh(/.*)?,               /var/lib/gito‐
200            lite/.ssh(/.*)?,   /var/lib/nocpulse/.ssh(/.*)?,    /var/lib/gito‐
201            lite3/.ssh(/.*)?,        /var/lib/openshift/gear/[^/]+/.ssh(/.*)?,
202            /root/.shosts, /home/[^/]+/.ssh(/.*)?, /home/[^/]+/.ansible/cp/.*,
203            /home/[^/]+/.shosts
204
205
206       ssh_keygen_exec_t
207
208       -  Set files with the ssh_keygen_exec_t type, if you want to transition
209       an executable to the ssh_keygen_t domain.
210
211
212
213       ssh_keygen_tmp_t
214
215       - Set files with the ssh_keygen_tmp_t type, if you want  to  store  ssh
216       keygen temporary files in the /tmp directories.
217
218
219
220       ssh_keysign_exec_t
221
222       - Set files with the ssh_keysign_exec_t type, if you want to transition
223       an executable to the ssh_keysign_t domain.
224
225
226       Paths:
227            /usr/lib/openssh/ssh-keysign, /usr/libexec/openssh/ssh-keysign
228
229
230       ssh_tmpfs_t
231
232       - Set files with the ssh_tmpfs_t type, if you want to store  ssh  files
233       on a tmpfs file system.
234
235
236
237       sshd_exec_t
238
239       -  Set  files  with  the sshd_exec_t type, if you want to transition an
240       executable to the sshd_t domain.
241
242
243       Paths:
244            /usr/sbin/sshd, /usr/sbin/gsisshd
245
246
247       sshd_initrc_exec_t
248
249       - Set files with the sshd_initrc_exec_t type, if you want to transition
250       an executable to the sshd_initrc_t domain.
251
252
253
254       sshd_key_t
255
256       - Set files with the sshd_key_t type, if you want to treat the files as
257       sshd key data.
258
259
260       Paths:
261            /etc/ssh/ssh_host.*_key,              /etc/ssh/ssh_host.*_key.pub,
262            /etc/ssh/primes
263
264
265       sshd_keygen_exec_t
266
267       - Set files with the sshd_keygen_exec_t type, if you want to transition
268       an executable to the sshd_keygen_t domain.
269
270
271       Paths:
272            /usr/sbin/sshd-keygen, /usr/libexec/openssh/sshd-keygen
273
274
275       sshd_keygen_unit_file_t
276
277       - Set files with the sshd_keygen_unit_file_t type, if you want to treat
278       the files as sshd keygen unit content.
279
280
281
282       sshd_keytab_t
283
284       - Set files with the sshd_keytab_t type, if you want to treat the files
285       as kerberos keytab files.
286
287
288
289       sshd_tmpfs_t
290
291       - Set files with the sshd_tmpfs_t type, if you want to store sshd files
292       on a tmpfs file system.
293
294
295
296       sshd_unit_file_t
297
298       -  Set  files  with the sshd_unit_file_t type, if you want to treat the
299       files as sshd unit content.
300
301
302
303       sshd_var_run_t
304
305       - Set files with the sshd_var_run_t type, if you want to store the sshd
306       files under the /run or /var/run directory.
307
308
309       Paths:
310            /var/run/sshd.pid, /var/run/sshd.init.pid
311
312
313       Note:  File context can be temporarily modified with the chcon command.
314       If you want to permanently change the file context you need to use  the
315       semanage fcontext command.  This will modify the SELinux labeling data‐
316       base.  You will need to use restorecon to apply the labels.
317
318

COMMANDS

320       semanage fcontext can also be used to manipulate default  file  context
321       mappings.
322
323       semanage  permissive  can  also  be used to manipulate whether or not a
324       process type is permissive.
325
326       semanage module can also be used to enable/disable/install/remove  pol‐
327       icy modules.
328
329       semanage port can also be used to manipulate the port definitions
330
331       semanage boolean can also be used to manipulate the booleans
332
333
334       system-config-selinux is a GUI tool available to customize SELinux pol‐
335       icy settings.
336
337

AUTHOR

339       This manual page was auto-generated using sepolicy manpage .
340
341