1ssh_selinux(8)                SELinux Policy ssh                ssh_selinux(8)
2
3
4

NAME

6       ssh_selinux - Security Enhanced Linux Policy for the ssh processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the ssh processes via flexible manda‐
10       tory access control.
11
12       The ssh processes execute with the ssh_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep ssh_t
19
20
21

ENTRYPOINTS

23       The ssh_t SELinux type can be entered via the ssh_exec_t file type.
24
25       The default entrypoint paths for the ssh_t domain are the following:
26
27       /usr/bin/ssh, /usr/libexec/nm-ssh-service
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       ssh policy is very flexible allowing users to setup their ssh processes
37       in as secure a method as possible.
38
39       The following process types are defined for ssh:
40
41       sshd_t, sshd_sandbox_t, sshd_net_t, ssh_keygen_t, sshd_keygen_t, ssh_t, ssh_keysign_t
42
43       Note: semanage permissive -a ssh_t can be used to make the process type
44       ssh_t permissive. SELinux does not deny access  to  permissive  process
45       types, but the AVC (SELinux denials) messages are still generated.
46
47

BOOLEANS

49       SELinux  policy  is  customizable  based on least access required.  ssh
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run ssh with the tightest access possible.
52
53
54
55       If  you  want  to allow host key based authentication, you must turn on
56       the ssh_keysign boolean. Disabled by default.
57
58       setsebool -P ssh_keysign 1
59
60
61
62       If you want to allow all domains to execute in fips_mode, you must turn
63       on the fips_mode boolean. Enabled by default.
64
65       setsebool -P fips_mode 1
66
67
68
69       If  you  want to allow regular users direct dri device access, you must
70       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
71
72       setsebool -P selinuxuser_direct_dri_enabled 1
73
74
75
76       If you want to allow users to run TCP servers (bind to ports and accept
77       connection  from  the  same  domain  and outside users)  disabling this
78       forces FTP passive mode and may change other protocols, you  must  turn
79       on the selinuxuser_tcp_server boolean. Disabled by default.
80
81       setsebool -P selinuxuser_tcp_server 1
82
83
84
85       If  you  want  to allows clients to write to the X server shared memory
86       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
87       abled by default.
88
89       setsebool -P xserver_clients_write_xshm 1
90
91
92

PORT TYPES

94       SELinux defines port types to represent TCP and UDP ports.
95
96       You  can  see  the  types associated with a port by using the following
97       command:
98
99       semanage port -l
100
101
102       Policy governs the access  confined  processes  have  to  these  ports.
103       SELinux  ssh  policy is very flexible allowing users to setup their ssh
104       processes in as secure a method as possible.
105
106       The following port types are defined for ssh:
107
108
109       ssh_port_t
110
111
112
113       Default Defined Ports:
114                 tcp 22
115

MANAGED FILES

117       The SELinux process type ssh_t can manage files labeled with  the  fol‐
118       lowing  file  types.   The paths listed are the default paths for these
119       file types.  Note the processes UID still need to have DAC permissions.
120
121       cifs_t
122
123
124       ecryptfs_t
125
126            /home/[^/]+/.Private(/.*)?
127            /home/[^/]+/.ecryptfs(/.*)?
128
129       fusefs_t
130
131            /var/run/user/[0-9]+/gvfs
132
133       krb5_host_rcache_t
134
135            /var/tmp/krb5_0.rcache2
136            /var/cache/krb5rcache(/.*)?
137            /var/tmp/nfs_0
138            /var/tmp/DNS_25
139            /var/tmp/host_0
140            /var/tmp/imap_0
141            /var/tmp/HTTP_23
142            /var/tmp/HTTP_48
143            /var/tmp/ldap_55
144            /var/tmp/ldap_487
145            /var/tmp/ldapmap1_0
146
147       nfs_t
148
149
150       ssh_tmpfs_t
151
152
153       user_tmp_type
154
155            all user tmp files
156
157

FILE CONTEXTS

159       SELinux requires files to have an extended attribute to define the file
160       type.
161
162       You can see the context of a file using the -Z option to ls
163
164       Policy  governs  the  access  confined  processes  have to these files.
165       SELinux ssh policy is very flexible allowing users to setup  their  ssh
166       processes in as secure a method as possible.
167
168       STANDARD FILE CONTEXT
169
170       SELinux  defines  the  file context types for the ssh, if you wanted to
171       store files with these types in a diffent paths, you  need  to  execute
172       the  semanage  command  to  specify alternate labeling and then use re‐
173       storecon to put the labels on disk.
174
175       semanage fcontext -a -t ssh_home_t '/srv/myssh_content(/.*)?'
176       restorecon -R -v /srv/myssh_content
177
178       Note: SELinux often uses regular expressions  to  specify  labels  that
179       match multiple files.
180
181       The following file types are defined for ssh:
182
183
184
185       ssh_agent_exec_t
186
187       -  Set  files with the ssh_agent_exec_t type, if you want to transition
188       an executable to the ssh_agent_t domain.
189
190
191
192       ssh_agent_tmp_t
193
194       - Set files with the ssh_agent_tmp_t type, if you  want  to  store  ssh
195       agent temporary files in the /tmp directories.
196
197
198
199       ssh_exec_t
200
201       - Set files with the ssh_exec_t type, if you want to transition an exe‐
202       cutable to the ssh_t domain.
203
204
205       Paths:
206            /usr/bin/ssh, /usr/libexec/nm-ssh-service
207
208
209       ssh_home_t
210
211       - Set files with the ssh_home_t type, if you want to store ssh files in
212       the users home directory.
213
214
215       Paths:
216            /var/lib/[^/]+/.ssh(/.*)?,                       /root/.ssh(/.*)?,
217            /var/lib/one/.ssh(/.*)?, /var/lib/pgsql/.ssh(/.*)?, /var/lib/open‐
218            shift/[^/]+/.ssh(/.*)?,                /var/lib/amanda/.ssh(/.*)?,
219            /var/lib/stickshift/[^/]+/.ssh(/.*)?,               /var/lib/gito‐
220            lite/.ssh(/.*)?,    /var/lib/nocpulse/.ssh(/.*)?,   /var/lib/gito‐
221            lite3/.ssh(/.*)?,        /var/lib/openshift/gear/[^/]+/.ssh(/.*)?,
222            /root/.shosts, /home/[^/]+/.ssh(/.*)?, /home/[^/]+/.ansible/cp/.*,
223            /home/[^/]+/.shosts
224
225
226       ssh_keygen_exec_t
227
228       - Set files with the ssh_keygen_exec_t type, if you want to  transition
229       an executable to the ssh_keygen_t domain.
230
231
232
233       ssh_keygen_tmp_t
234
235       -  Set  files  with the ssh_keygen_tmp_t type, if you want to store ssh
236       keygen temporary files in the /tmp directories.
237
238
239
240       ssh_keysign_exec_t
241
242       - Set files with the ssh_keysign_exec_t type, if you want to transition
243       an executable to the ssh_keysign_t domain.
244
245
246       Paths:
247            /usr/lib/openssh/ssh-keysign, /usr/libexec/openssh/ssh-keysign
248
249
250       ssh_tmpfs_t
251
252       -  Set  files with the ssh_tmpfs_t type, if you want to store ssh files
253       on a tmpfs file system.
254
255
256
257       sshd_exec_t
258
259       - Set files with the sshd_exec_t type, if you want to transition an ex‐
260       ecutable to the sshd_t domain.
261
262
263       Paths:
264            /usr/sbin/sshd, /usr/sbin/gsisshd
265
266
267       sshd_initrc_exec_t
268
269       - Set files with the sshd_initrc_exec_t type, if you want to transition
270       an executable to the sshd_initrc_t domain.
271
272
273
274       sshd_key_t
275
276       - Set files with the sshd_key_t type, if you want to treat the files as
277       sshd key data.
278
279
280       Paths:
281            /etc/ssh/ssh_host.*_key,              /etc/ssh/ssh_host.*_key.pub,
282            /etc/ssh/primes
283
284
285       sshd_keygen_exec_t
286
287       - Set files with the sshd_keygen_exec_t type, if you want to transition
288       an executable to the sshd_keygen_t domain.
289
290
291       Paths:
292            /usr/sbin/sshd-keygen, /usr/libexec/openssh/sshd-keygen
293
294
295       sshd_keygen_unit_file_t
296
297       - Set files with the sshd_keygen_unit_file_t type, if you want to treat
298       the files as sshd keygen unit content.
299
300
301
302       sshd_keytab_t
303
304       - Set files with the sshd_keytab_t type, if you want to treat the files
305       as kerberos keytab files.
306
307
308
309       sshd_tmpfs_t
310
311       - Set files with the sshd_tmpfs_t type, if you want to store sshd files
312       on a tmpfs file system.
313
314
315
316       sshd_unit_file_t
317
318       - Set files with the sshd_unit_file_t type, if you want  to  treat  the
319       files as sshd unit content.
320
321
322
323       sshd_var_run_t
324
325       - Set files with the sshd_var_run_t type, if you want to store the sshd
326       files under the /run or /var/run directory.
327
328
329       Paths:
330            /var/run/sshd.pid, /var/run/sshd.init.pid
331
332
333       Note: File context can be temporarily modified with the chcon  command.
334       If  you want to permanently change the file context you need to use the
335       semanage fcontext command.  This will modify the SELinux labeling data‐
336       base.  You will need to use restorecon to apply the labels.
337
338

COMMANDS

340       semanage  fcontext  can also be used to manipulate default file context
341       mappings.
342
343       semanage permissive can also be used to manipulate  whether  or  not  a
344       process type is permissive.
345
346       semanage  module can also be used to enable/disable/install/remove pol‐
347       icy modules.
348
349       semanage port can also be used to manipulate the port definitions
350
351       semanage boolean can also be used to manipulate the booleans
352
353
354       system-config-selinux is a GUI tool available to customize SELinux pol‐
355       icy settings.
356
357

AUTHOR

359       This manual page was auto-generated using sepolicy manpage .
360
361

SEE ALSO

363       selinux(8),  ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
364       setsebool(8),       ssh_keygen_selinux(8),       ssh_keygen_selinux(8),
365       ssh_keysign_selinux(8), ssh_keysign_selinux(8)
366
367
368
369ssh                                23-02-03                     ssh_selinux(8)
Impressum