1ssh_selinux(8)                SELinux Policy ssh                ssh_selinux(8)
2
3
4

NAME

6       ssh_selinux - Security Enhanced Linux Policy for the ssh processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the ssh processes via flexible manda‐
10       tory access control.
11
12       The ssh processes execute with the ssh_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep ssh_t
19
20
21

ENTRYPOINTS

23       The ssh_t SELinux type can be entered via the ssh_exec_t file type.
24
25       The default entrypoint paths for the ssh_t domain are the following:
26
27       /usr/bin/ssh, /usr/libexec/nm-ssh-service
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       ssh policy is very flexible allowing users to setup their ssh processes
37       in as secure a method as possible.
38
39       The following process types are defined for ssh:
40
41       sshd_t, sshd_sandbox_t, sshd_net_t, ssh_keygen_t, sshd_keygen_t, ssh_t, ssh_keysign_t
42
43       Note: semanage permissive -a ssh_t can be used to make the process type
44       ssh_t permissive. SELinux does not deny access  to  permissive  process
45       types, but the AVC (SELinux denials) messages are still generated.
46
47

BOOLEANS

49       SELinux  policy  is  customizable  based on least access required.  ssh
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run ssh with the tightest access possible.
52
53
54
55       If  you  want  to allow host key based authentication, you must turn on
56       the ssh_keysign boolean. Disabled by default.
57
58       setsebool -P ssh_keysign 1
59
60
61
62       If you want to allow all domains to execute in fips_mode, you must turn
63       on the fips_mode boolean. Enabled by default.
64
65       setsebool -P fips_mode 1
66
67
68
69       If  you  want  to  allow  system  to run with NIS, you must turn on the
70       nis_enabled boolean. Disabled by default.
71
72       setsebool -P nis_enabled 1
73
74
75
76       If you want to allow regular users direct dri device access,  you  must
77       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
78
79       setsebool -P selinuxuser_direct_dri_enabled 1
80
81
82
83       If you want to allow users to run TCP servers (bind to ports and accept
84       connection from the same domain  and  outside  users)   disabling  this
85       forces  FTP  passive mode and may change other protocols, you must turn
86       on the selinuxuser_tcp_server boolean. Disabled by default.
87
88       setsebool -P selinuxuser_tcp_server 1
89
90
91
92       If you want to allows clients to write to the X  server  shared  memory
93       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
94       abled by default.
95
96       setsebool -P xserver_clients_write_xshm 1
97
98
99

PORT TYPES

101       SELinux defines port types to represent TCP and UDP ports.
102
103       You can see the types associated with a port  by  using  the  following
104       command:
105
106       semanage port -l
107
108
109       Policy  governs  the  access  confined  processes  have to these ports.
110       SELinux ssh policy is very flexible allowing users to setup  their  ssh
111       processes in as secure a method as possible.
112
113       The following port types are defined for ssh:
114
115
116       ssh_port_t
117
118
119
120       Default Defined Ports:
121                 tcp 22
122

MANAGED FILES

124       The  SELinux  process type ssh_t can manage files labeled with the fol‐
125       lowing file types.  The paths listed are the default  paths  for  these
126       file types.  Note the processes UID still need to have DAC permissions.
127
128       cifs_t
129
130
131       ecryptfs_t
132
133            /home/[^/]+/.Private(/.*)?
134            /home/[^/]+/.ecryptfs(/.*)?
135
136       fusefs_t
137
138            /var/run/user/[0-9]+/gvfs
139
140       krb5_host_rcache_t
141
142            /var/tmp/krb5_0.rcache2
143            /var/cache/krb5rcache(/.*)?
144            /var/tmp/nfs_0
145            /var/tmp/DNS_25
146            /var/tmp/host_0
147            /var/tmp/imap_0
148            /var/tmp/HTTP_23
149            /var/tmp/HTTP_48
150            /var/tmp/ldap_55
151            /var/tmp/ldap_487
152            /var/tmp/ldapmap1_0
153
154       nfs_t
155
156
157       ssh_tmpfs_t
158
159
160       user_tmp_type
161
162            all user tmp files
163
164

FILE CONTEXTS

166       SELinux requires files to have an extended attribute to define the file
167       type.
168
169       You can see the context of a file using the -Z option to ls
170
171       Policy governs the access  confined  processes  have  to  these  files.
172       SELinux  ssh  policy is very flexible allowing users to setup their ssh
173       processes in as secure a method as possible.
174
175       STANDARD FILE CONTEXT
176
177       SELinux defines the file context types for the ssh, if  you  wanted  to
178       store  files with these types in a different paths, you need to execute
179       the semanage command to specify alternate labeling  and  then  use  re‐
180       storecon to put the labels on disk.
181
182       semanage fcontext -a -t ssh_keygen_exec_t '/srv/ssh/content(/.*)?'
183       restorecon -R -v /srv/myssh_content
184
185       Note:  SELinux  often  uses  regular expressions to specify labels that
186       match multiple files.
187
188       The following file types are defined for ssh:
189
190
191
192       ssh_agent_exec_t
193
194       - Set files with the ssh_agent_exec_t type, if you want  to  transition
195       an executable to the ssh_agent_t domain.
196
197
198       Paths:
199            /usr/bin/ssh-agent, /usr/libexec/openssh/ssh-pkcs11-helper
200
201
202       ssh_agent_tmp_t
203
204       -  Set  files  with  the ssh_agent_tmp_t type, if you want to store ssh
205       agent temporary files in the /tmp directories.
206
207
208
209       ssh_exec_t
210
211       - Set files with the ssh_exec_t type, if you want to transition an exe‐
212       cutable to the ssh_t domain.
213
214
215       Paths:
216            /usr/bin/ssh, /usr/libexec/nm-ssh-service
217
218
219       ssh_home_t
220
221       - Set files with the ssh_home_t type, if you want to store ssh files in
222       the users home directory.
223
224
225       Paths:
226            /var/lib/[^/]+/.ssh(/.*)?,                       /root/.ssh(/.*)?,
227            /var/lib/one/.ssh(/.*)?, /var/lib/pgsql/.ssh(/.*)?, /var/lib/open‐
228            shift/[^/]+/.ssh(/.*)?,                /var/lib/amanda/.ssh(/.*)?,
229            /var/lib/stickshift/[^/]+/.ssh(/.*)?,               /var/lib/gito‐
230            lite/.ssh(/.*)?,   /var/lib/nocpulse/.ssh(/.*)?,    /var/lib/gito‐
231            lite3/.ssh(/.*)?,        /var/lib/openshift/gear/[^/]+/.ssh(/.*)?,
232            /root/.shosts, /home/[^/]+/.ssh(/.*)?, /home/[^/]+/.ansible/cp/.*,
233            /home/[^/]+/.shosts
234
235
236       ssh_keygen_exec_t
237
238       -  Set files with the ssh_keygen_exec_t type, if you want to transition
239       an executable to the ssh_keygen_t domain.
240
241
242
243       ssh_keygen_tmp_t
244
245       - Set files with the ssh_keygen_tmp_t type, if you want  to  store  ssh
246       keygen temporary files in the /tmp directories.
247
248
249
250       ssh_keysign_exec_t
251
252       - Set files with the ssh_keysign_exec_t type, if you want to transition
253       an executable to the ssh_keysign_t domain.
254
255
256       Paths:
257            /usr/lib/openssh/ssh-keysign, /usr/libexec/openssh/ssh-keysign
258
259
260       ssh_tmpfs_t
261
262       - Set files with the ssh_tmpfs_t type, if you want to store  ssh  files
263       on a tmpfs file system.
264
265
266
267       sshd_exec_t
268
269       - Set files with the sshd_exec_t type, if you want to transition an ex‐
270       ecutable to the sshd_t domain.
271
272
273       Paths:
274            /usr/sbin/sshd, /usr/sbin/gsisshd
275
276
277       sshd_initrc_exec_t
278
279       - Set files with the sshd_initrc_exec_t type, if you want to transition
280       an executable to the sshd_initrc_t domain.
281
282
283
284       sshd_key_t
285
286       - Set files with the sshd_key_t type, if you want to treat the files as
287       sshd key data.
288
289
290       Paths:
291            /etc/ssh/ssh_host.*_key,              /etc/ssh/ssh_host.*_key.pub,
292            /etc/ssh/primes
293
294
295       sshd_keygen_exec_t
296
297       - Set files with the sshd_keygen_exec_t type, if you want to transition
298       an executable to the sshd_keygen_t domain.
299
300
301       Paths:
302            /usr/sbin/sshd-keygen, /usr/libexec/openssh/sshd-keygen
303
304
305       sshd_keygen_unit_file_t
306
307       - Set files with the sshd_keygen_unit_file_t type, if you want to treat
308       the files as sshd keygen unit content.
309
310
311
312       sshd_keytab_t
313
314       - Set files with the sshd_keytab_t type, if you want to treat the files
315       as kerberos keytab files.
316
317
318
319       sshd_tmpfs_t
320
321       - Set files with the sshd_tmpfs_t type, if you want to store sshd files
322       on a tmpfs file system.
323
324
325
326       sshd_unit_file_t
327
328       -  Set  files  with the sshd_unit_file_t type, if you want to treat the
329       files as sshd unit content.
330
331
332
333       sshd_var_run_t
334
335       - Set files with the sshd_var_run_t type, if you want to store the sshd
336       files under the /run or /var/run directory.
337
338
339       Paths:
340            /var/run/sshd.pid, /var/run/sshd.init.pid
341
342
343       Note:  File context can be temporarily modified with the chcon command.
344       If you want to permanently change the file context you need to use  the
345       semanage fcontext command.  This will modify the SELinux labeling data‐
346       base.  You will need to use restorecon to apply the labels.
347
348

COMMANDS

350       semanage fcontext can also be used to manipulate default  file  context
351       mappings.
352
353       semanage  permissive  can  also  be used to manipulate whether or not a
354       process type is permissive.
355
356       semanage module can also be used to enable/disable/install/remove  pol‐
357       icy modules.
358
359       semanage port can also be used to manipulate the port definitions
360
361       semanage boolean can also be used to manipulate the booleans
362
363
364       system-config-selinux is a GUI tool available to customize SELinux pol‐
365       icy settings.
366
367

AUTHOR

369       This manual page was auto-generated using sepolicy manpage .
370
371

SEE ALSO

373       selinux(8), ssh(8), semanage(8), restorecon(8), chcon(1),  sepolicy(8),
374       setsebool(8),       ssh_keygen_selinux(8),       ssh_keygen_selinux(8),
375       ssh_keysign_selinux(8), ssh_keysign_selinux(8)
376
377
378
379ssh                                23-10-20                     ssh_selinux(8)
Impressum