sshd_selinux(8)               SELinux Policy sshd              sshd_selinux(8)


NAME

       sshd_selinux - Security Enhanced Linux Policy for the sshd processes


DESCRIPTION

       Security-Enhanced Linux secures the sshd processes via flexible mandatory
       access control.

       The sshd processes execute with the sshd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep sshd_t

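       The following script is an added example; it is not part of this manual
       page or of the sepolicy tooling. It reads the output of ps -eZ (here a
       constructed sample, not captured from a real host) and reports every
       sshd process whose domain is not one of the sshd process types listed
       under PROCESS TYPES below, which is the quickest way to spot an sshd
       that started without the expected domain transition. The function
       names are the example's own.

```shell
#!/bin/sh
# Added example, not from the sshd_selinux man page: audit the SELinux domains
# that sshd processes actually run in, based on "ps -eZ" output.
# Constructed sample output (not captured from a real system):
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0               1 ?        00:00:01 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?        00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 4301 ?       00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4310 pts/0 00:00:00 bash
system_u:system_r:unconfined_service_t:s0 4400 ?      00:00:00 sshd'

# Process types the sshd policy defines (the PROCESS TYPES list of this page).
SSHD_DOMAINS='sshd_t sshd_sandbox_t sshd_net_t ssh_keygen_t sshd_keygen_t ssh_t ssh_keysign_t'

# in_list WORD LIST: succeed when WORD appears in the space-separated LIST.
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# sshd_domains: read "ps -eZ" output on stdin and print each distinct SELinux
# type (third field of the security context) that a process named sshd runs under.
sshd_domains() {
  awk 'NR > 1 && $NF == "sshd" { split($1, c, ":"); print c[3] }' | sort -u
}

# count_confined_sshd: number of sshd processes confined in sshd_t.
count_confined_sshd() {
  awk 'NR > 1 && $NF == "sshd" { split($1, c, ":"); if (c[3] == "sshd_t") n++ }
       END { print n + 0 }'
}

# unexpected_sshd_domains: print every sshd process type that the sshd policy
# does not define. An sshd in unconfined_service_t, for example, usually means
# /usr/sbin/sshd lost its sshd_exec_t label, so no transition to sshd_t happened.
unexpected_sshd_domains() {
  for t in $(sshd_domains); do
    in_list "$t" "$SSHD_DOMAINS" || echo "$t"
  done
}

# Live use on an SELinux host:   ps -eZ | unexpected_sshd_domains
# Offline run against the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PS" | unexpected_sshd_domains
fi
```

       Against the sample the script reports unconfined_service_t; on a
       correctly labelled host the function prints nothing and
       count_confined_sshd equals the number of sshd processes.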

ENTRYPOINTS

       The sshd_t SELinux type can be entered via the sshd_exec_t file type.

       The default entrypoint paths for the sshd_t domain are the following:

       /usr/sbin/sshd, /usr/sbin/gsisshd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       sshd policy is very flexible, allowing users to set up their sshd
       processes as securely as possible.

       The following process types are defined for sshd:

       sshd_t, sshd_sandbox_t, sshd_net_t, ssh_keygen_t, sshd_keygen_t, ssh_t,
       ssh_keysign_t

       Note: semanage permissive -a sshd_t can be used to make the process
       type sshd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated.

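       Because a permissive sshd_t still produces AVC records, those records
       are the evidence to review before returning the domain to enforcing.
       The following script is an added example, not part of this manual page
       or of the audit tooling: it summarises the AVC records whose source
       domain is sshd_t and separates real denials from the ones carrying
       permissive=1, which were only logged. The audit lines are constructed
       samples in the kernel AVC record layout, not real captures, and the
       function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the sshd_selinux man page: summarise AVC records
# for the sshd_t domain. Constructed audit.log excerpt (synthetic data):
SAMPLE_AUDIT='type=AVC msg=audit(1697000000.101:301): avc:  denied  { read } for  pid=812 comm="sshd" name="authorized_keys" dev="dm-0" ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1697000000.102:302): pid=812 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 res=success
type=AVC msg=audit(1697000000.103:303): avc:  denied  { name_bind } for  pid=812 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1697000000.104:304): avc:  denied  { write } for  pid=2001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# sshd_avc_summary: read audit records on stdin; for every AVC denial whose
# source context type is sshd_t print "<mode> <permission> <tclass> <target type>",
# where mode is "enforced" (access was blocked) or "permissive" (logged only).
sshd_avc_summary() {
  awk '
    /^type=AVC / && / denied / && /scontext=[^ ]*:sshd_t:/ {
      perm = ""; tclass = ""; ttype = ""; mode = "enforced"
      # the requested permissions sit between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^tclass=/) tclass = substr($i, 8)
        if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        if ($i == "permissive=1") mode = "permissive"
      }
      print mode, perm, tclass, ttype
    }'
}

# pending_denials: count the sshd_t AVC records carrying permissive=1, i.e. the
# accesses that will be blocked once sshd_t is returned to enforcing mode.
pending_denials() {
  sshd_avc_summary | awk '$1 == "permissive" { n++ } END { print n + 0 }'
}

# Live use:   sshd_avc_summary < /var/log/audit/audit.log
# Offline run against the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_AUDIT" | sshd_avc_summary
  printf 'pending denials: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | pending_denials)"
fi
```

       The summary line "permissive name_bind tcp_socket unreserved_port_t"
       is the typical trace of an sshd listening on a port that is not
       labelled ssh_port_t (see PORT TYPES); the "enforced read file" line is
       a mislabelled file that sshd was actually prevented from reading.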

BOOLEANS

       SELinux policy is customizable based on least access required. sshd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sshd with the tightest access possible.

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to allow sshd to use tcp wrappers, you must turn on the
       ssh_use_tcpd boolean. Disabled by default.

       setsebool -P ssh_use_tcpd 1

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to enable polyinstantiated directory support, you must turn
       on the polyinstantiation_enabled boolean. Disabled by default.

       setsebool -P polyinstantiation_enabled 1

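       The defaults listed above form a natural baseline to check a host
       against. The following script is an added example, not part of this
       manual page or of the setsebool tooling: it compares getsebool -a
       output (here a constructed sample, not captured from a real host) with
       the documented defaults and prints the setsebool -P commands that would
       restore them, without executing anything. The baseline list and
       function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the sshd_selinux man page: detect boolean drift
# against the defaults documented in the BOOLEANS section.
# Desired states (name=state pairs), taken from the defaults stated above.
BASELINE='ssh_sysadm_login=off ssh_use_tcpd=off daemons_dontaudit_scheduling=on fips_mode=on kerberos_enabled=on nis_enabled=off polyinstantiation_enabled=off'

# Constructed "getsebool -a" excerpt (synthetic): two booleans deviate.
SAMPLE_GETSEBOOL='daemons_dontaudit_scheduling --> on
fips_mode --> on
kerberos_enabled --> on
nis_enabled --> on
polyinstantiation_enabled --> off
ssh_sysadm_login --> on
ssh_use_tcpd --> off'

# boolean_drift: read getsebool output on stdin and print "name current desired"
# for every baseline boolean whose current state differs from the desired one;
# booleans absent from the output are reported as "missing".
boolean_drift() {
  awk -v baseline="$BASELINE" '
    BEGIN {
      n = split(baseline, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    $2 == "-->" && ($1 in want) {
      seen[$1] = 1
      if ($3 != want[$1]) print $1, $3, want[$1]
    }
    END { for (k in want) if (!(k in seen)) print k, "missing", want[k] }'
}

# remediation: turn drift lines into the persistent setsebool -P commands that
# restore the baseline. They are printed for review, not executed.
remediation() {
  boolean_drift | awk '$2 != "missing" { printf "setsebool -P %s %s\n", $1, $3 }'
}

# Live use:   getsebool -a | remediation
# Offline run against the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_GETSEBOOL" | remediation
fi
```

       On the sample this yields "setsebool -P nis_enabled off" and
       "setsebool -P ssh_sysadm_login off". ssh_sysadm_login in particular is
       worth keeping off unless administrators really need to log in directly
       as sysadm_r:sysadm_t, since it widens what a compromised sshd session
       can reach.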

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux sshd policy is very flexible, allowing users to set up their
       sshd processes as securely as possible.

       The following port types are defined for sshd:

       ssh_port_t

       Default Defined Ports:
                 tcp 22

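       Only tcp 22 carries ssh_port_t by default, so an sshd configured to
       listen elsewhere is denied name_bind until that port is labelled too.
       The following script is an added example, not part of this manual page
       or of the semanage tooling: it parses semanage port -l output (here a
       constructed sample) to decide whether a given port is already covered
       by a type, handling single ports, comma-separated lists and ranges, and
       prints the semanage port command that would add the label rather than
       running it. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the sshd_selinux man page: check port labelling
# from "semanage port -l" output. Constructed sample listing (synthetic):
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-60999
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61000-65535'

# port_labeled TYPE PROTO PORT: read "semanage port -l" output on stdin and
# succeed when PROTO/PORT belongs to TYPE. Entries may be single numbers,
# comma-separated lists or low-high ranges, all of which are handled.
port_labeled() {
  awk -v type="$1" -v proto="$2" -v port="$3" '
    BEGIN { p = port + 0; found = 0 }
    $1 == type && $2 == proto {
      for (i = 3; i <= NF; i++) {
        item = $i
        sub(/,$/, "", item)                 # strip list separator
        if (split(item, r, "-") == 2) {     # range low-high
          if (p >= r[1] + 0 && p <= r[2] + 0) found = 1
        } else if (item + 0 == p) {         # single port
          found = 1
        }
      }
    }
    END { exit (found ? 0 : 1) }'
}

# sshd_port_plan PORT: read the port listing on stdin and print either a
# confirmation or the semanage command needed to label tcp/PORT as ssh_port_t.
# Printed for review rather than executed.
sshd_port_plan() {
  if port_labeled ssh_port_t tcp "$1"; then
    echo "tcp/$1 already labeled ssh_port_t"
  else
    echo "semanage port -a -t ssh_port_t -p tcp $1"
  fi
}

# Live use:   semanage port -l | sshd_port_plan 2222
# Offline run against the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PORTS" | sshd_port_plan 22
  printf '%s\n' "$SAMPLE_PORTS" | sshd_port_plan 2222
fi
```

       For 2222 the sample only falls inside the unreserved_port_t range, so
       the script prints the "semanage port -a" command. When a port is
       already listed explicitly under another type, semanage refuses -a as
       already defined and "semanage port -m" must be used instead.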

MANAGED FILES

       The SELinux process type sshd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       auth_cache_t

            /var/cache/coolkey(/.*)?

       auth_home_t

            /root/.yubico(/.*)?
            /root/.config/Yubico(/.*)?
            /root/.google_authenticator
            /root/.google_authenticator~
            /home/[^/]+/.yubico(/.*)?
            /home/[^/]+/.config/Yubico(/.*)?
            /home/[^/]+/.google_authenticator
            /home/[^/]+/.google_authenticator~

       cifs_t


       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       condor_var_lib_t

            /var/lib/condor(/.*)?
            /var/lib/condor/spool(/.*)?
            /var/lib/condor/execute(/.*)?

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       fusefs_t

            /var/run/user/[0-9]+/gvfs

       gitosis_var_lib_t

            /srv/lib/gitosis(/.*)?
            /var/lib/gitosis(/.*)?
            /var/lib/gitolite(3)?(/.*)?

       initrc_var_run_t

            /var/run/utmp
            /var/run/random-seed
            /var/run/runlevel.dir
            /var/run/setmixer_flag

       kadmind_tmp_t

            /var/tmp/kadmin_0
            /var/tmp/kiprop_0

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       nfs_t


       openshift_tmp_t

            /var/lib/openshift/.*/.tmp(/.*)?
            /var/lib/openshift/.*/.sandbox(/.*)?
            /var/lib/stickshift/.*/.tmp(/.*)?
            /var/lib/stickshift/.*/.sandbox(/.*)?

       pam_var_run_t

            /var/(db|adm)/sudo(/.*)?
            /var/lib/sudo(/.*)?
            /var/run/sudo(/.*)?
            /var/run/pam_ssh(/.*)?
            /var/run/sepermit(/.*)?
            /var/run/pam_mount(/.*)?
            /var/run/pam_timestamp(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       sshd_var_run_t

            /var/run/sshd.pid
            /var/run/sshd.init.pid

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user/[^/]+
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /var/run/user
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /var/run/user/[0-9]+
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?

       wtmp_t

            /var/log/wtmp.*


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux sshd policy is very flexible, allowing users to set up their
       sshd processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for sshd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk. The path given to restorecon must be the
       directory the new fcontext rule covers, for example:

       semanage fcontext -a -t sshd_keygen_exec_t '/srv/sshd/content(/.*)?'
       restorecon -R -v /srv/sshd/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for sshd:

       sshd_exec_t

       - Set files with the sshd_exec_t type, if you want to transition an
       executable to the sshd_t domain.

       Paths:
            /usr/sbin/sshd, /usr/sbin/gsisshd

       sshd_initrc_exec_t

       - Set files with the sshd_initrc_exec_t type, if you want to transition
       an executable to the sshd_initrc_t domain.

       sshd_key_t

       - Set files with the sshd_key_t type, if you want to treat the files as
       sshd key data.

       Paths:
            /etc/ssh/ssh_host.*_key, /etc/ssh/ssh_host.*_key.pub,
            /etc/ssh/primes

       sshd_keygen_exec_t

       - Set files with the sshd_keygen_exec_t type, if you want to transition
       an executable to the sshd_keygen_t domain.

       Paths:
            /usr/sbin/sshd-keygen, /usr/libexec/openssh/sshd-keygen

       sshd_keygen_unit_file_t

       - Set files with the sshd_keygen_unit_file_t type, if you want to treat
       the files as sshd keygen unit content.

       sshd_keytab_t

       - Set files with the sshd_keytab_t type, if you want to treat the files
       as kerberos keytab files.

       sshd_tmpfs_t

       - Set files with the sshd_tmpfs_t type, if you want to store sshd files
       on a tmpfs file system.

       sshd_unit_file_t

       - Set files with the sshd_unit_file_t type, if you want to treat the
       files as sshd unit content.

       sshd_var_run_t

       - Set files with the sshd_var_run_t type, if you want to store the sshd
       files under the /run or /var/run directory.

       Paths:
            /var/run/sshd.pid, /var/run/sshd.init.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

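       Labels on the sshd files drift in practice (a host key restored from a
       backup, a binary copied with cp instead of reinstalled), and the
       consequence is an sshd that either fails to transition or cannot read
       its keys. The following script is an added example, not part of this
       manual page or of libselinux: it takes the path regexes and types listed
       above for sshd_exec_t, sshd_key_t, sshd_keygen_exec_t and sshd_var_run_t,
       applies them to paths the way file_contexts entries are matched (the
       whole path must match), and reports any file in an ls -Z listing (here a
       constructed sample) whose current type differs. Treating the last
       matching table entry as the winner is a simplification of how libselinux
       chooses the most specific entry; the function names are the example's
       own.

```shell
#!/bin/sh
# Added example, not from the sshd_selinux man page: compare current file
# labels against the sshd file context types documented above.
# Constructed "ls -Z"-style listing (context then path), synthetic: one host
# key has lost its label (etc_t) after being restored from a backup.
SAMPLE_LS='system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd
system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_ed25519_key
system_u:object_r:etc_t:s0 /etc/ssh/ssh_host_rsa_key
system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_rsa_key.pub
system_u:object_r:sshd_var_run_t:s0 /var/run/sshd.pid
system_u:object_r:etc_t:s0 /etc/ssh/sshd_config'

# Path regex -> type table, copied from the sshd file types listed on this page.
FCONTEXTS='/usr/sbin/sshd sshd_exec_t
/usr/sbin/gsisshd sshd_exec_t
/etc/ssh/ssh_host.*_key sshd_key_t
/etc/ssh/ssh_host.*_key.pub sshd_key_t
/etc/ssh/primes sshd_key_t
/usr/sbin/sshd-keygen sshd_keygen_exec_t
/usr/libexec/openssh/sshd-keygen sshd_keygen_exec_t
/var/run/sshd.pid sshd_var_run_t
/var/run/sshd.init.pid sshd_var_run_t'

# expected_type PATH: print the type the table assigns to PATH, or nothing when
# no entry matches. Each regex is anchored to the whole path, as file_contexts
# entries are; when several match, the last one in the table wins (simplified).
expected_type() {
  printf '%s\n' "$FCONTEXTS" |
    awk -v path="$1" '{ if (path ~ ("^" $1 "$")) t = $2 } END { if (t != "") print t }'
}

# label_drift: read "context path" lines on stdin and print "path actual expected"
# for every path the table covers whose current type differs from the expected one.
# Paths outside the table (e.g. sshd_config) are ignored.
label_drift() {
  while read -r ctx path; do
    [ -n "$path" ] || continue
    want=$(expected_type "$path")
    [ -n "$want" ] || continue
    have=$(printf '%s\n' "$ctx" | cut -d: -f3)   # type is the third context field
    [ "$have" = "$want" ] || echo "$path $have $want"
  done
}

# Live use:   ls -Z /usr/sbin/sshd /etc/ssh/ssh_host_* /var/run/sshd.pid | label_drift
# Each reported path can then be repaired with:  restorecon -v <path>
# Offline run against the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LS" | label_drift
fi
```

       On the sample the script reports "/etc/ssh/ssh_host_rsa_key etc_t
       sshd_key_t"; restorecon on that path rewrites the label from the
       policy's file_contexts, whereas chcon would only patch it until the next
       relabel.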

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sshd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8),
       sshd_keygen_selinux(8), sshd_net_selinux(8), sshd_sandbox_selinux(8)

sshd                               23-10-20                    sshd_selinux(8)