<html> <head> <title> Security Enhanced Linux Reference Policy </title> <style type="text/css" media="all">@import "style.css";</style> </head> <body> <div id="Header">Security Enhanced Linux Reference Policy</div> <div id='Menu'> <a href="admin.html">+ admin</a></br/> <div id='subitem'> </div> <a href="apps.html">+ apps</a></br/> <div id='subitem'> </div> <a href="contrib.html">+ contrib</a></br/> <div id='subitem'> </div> <a href="kernel.html">+ kernel</a></br/> <div id='subitem'> </div> <a href="roles.html">+ roles</a></br/> <div id='subitem'> </div> <a href="services.html">+ services</a></br/> <div id='subitem'> - <a href='services_postgresql.html'> postgresql</a><br/> - <a href='services_ssh.html'> ssh</a><br/> - <a href='services_xserver.html'> xserver</a><br/> </div> <a href="system.html">+ system</a></br/> <div id='subitem'> </div> <br/><p/> <a href="global_booleans.html">* Global Booleans </a> <br/><p/> <a href="global_tunables.html">* Global Tunables </a> <p/><br/><p/> <a href="index.html">* Layer Index</a> <br/><p/> <a href="booleans.html">* Boolean Index</a> <br/><p/> <a href="tunables.html">* Tunable Index</a> <br/><p/> <a href="interfaces.html">* Interface Index</a> <br/><p/> <a href="templates.html">* Template Index</a> </div> <div id="Content"> <a name="top":></a> <h1>Layer: services</h1><p/> <h2>Module: ssh</h2><p/> <a href=#tunables>Tunables</a> <a href=#interfaces>Interfaces</a> <a href=#templates>Templates</a> <h3>Description:</h3> <p><p>Secure shell client and server policy.</p></p> <hr> <a name="tunables"></a> <h3>Tunables: </h3> <a name="link_ssh_chroot_rw_homedirs"></a> <div id="interface"> <div id="codeblock">ssh_chroot_rw_homedirs</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p> </p><p> Allow ssh with chroot env to read and write files in the user home directories </p><p> </p> </div></div> <a name="link_ssh_keysign"></a> <div id="interface"> <div id="codeblock">ssh_keysign</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p> </p><p> allow host key based authentication </p><p> </p> </div></div> <a name="link_ssh_sysadm_login"></a> <div id="interface"> <div id="codeblock">ssh_sysadm_login</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p> </p><p> Allow ssh logins as sysadm_r:sysadm_t </p><p> </p> </div></div> <a href=#top>Return</a> <a name="interfaces"></a> <h3>Interfaces: </h3> <a name="link_ssh_agent_exec"></a> <div id="interface"> <div id="codeblock"> <b>ssh_agent_exec</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Execute the ssh agent client in the caller domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_append_home_files"></a> <div id="interface"> <div id="codeblock"> <b>ssh_append_home_files</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Append ssh home directory content </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_delete_tmp"></a> <div id="interface"> <div id="codeblock"> <b>ssh_delete_tmp</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Delete from the ssh temp files. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_domtrans"></a> <div id="interface"> <div id="codeblock"> <b>ssh_domtrans</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Execute the ssh daemon sshd domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed to transition. </p> </td></tr> </table> </div> </div> <a name="link_ssh_domtrans_keygen"></a> <div id="interface"> <div id="codeblock"> <b>ssh_domtrans_keygen</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Execute the ssh key generator in the ssh keygen domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed to transition. </p> </td></tr> </table> </div> </div> <a name="link_ssh_dontaudit_read_server_keys"></a> <div id="interface"> <div id="codeblock"> <b>ssh_dontaudit_read_server_keys</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Read ssh server keys </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_ssh_dontaudit_rw_tcp_sockets"></a> <div id="interface"> <div id="codeblock"> <b>ssh_dontaudit_rw_tcp_sockets</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts to read and write ssh server TCP sockets. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_ssh_dontaudit_search_user_home_dir"></a> <div id="interface"> <div id="codeblock"> <b>ssh_dontaudit_search_user_home_dir</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Dontaudit search ssh home directory </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_ssh_dontaudit_use_ptys"></a> <div id="interface"> <div id="codeblock"> <b>ssh_dontaudit_use_ptys</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts to read and write the sshd pty type. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_ssh_dyntransition_to"></a> <div id="interface"> <div id="codeblock"> <b>ssh_dyntransition_to</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow domain dyntransition to chroot_user_t domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_exec"></a> <div id="interface"> <div id="codeblock"> <b>ssh_exec</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Execute the ssh client in the caller domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_exec_keygen"></a> <div id="interface"> <div id="codeblock"> <b>ssh_exec_keygen</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Execute the ssh key generator in the caller domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed to transition. </p> </td></tr> </table> </div> </div> <a name="link_ssh_filetrans_admin_home_content"></a> <div id="interface"> <div id="codeblock"> <b>ssh_filetrans_admin_home_content</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Create .ssh directory in the /root directory with an correct label. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_filetrans_home_content"></a> <div id="interface"> <div id="codeblock"> <b>ssh_filetrans_home_content</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Create .ssh directory in the user home directory with an correct label. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_filetrans_keys"></a> <div id="interface"> <div id="codeblock"> <b>ssh_filetrans_keys</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Create .ssh directory in the user home directory with an correct label. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_getattr_server_keys"></a> <div id="interface"> <div id="codeblock"> <b>ssh_getattr_server_keys</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Getattr ssh server keys </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_ssh_getattr_user_home_dir"></a> <div id="interface"> <div id="codeblock"> <b>ssh_getattr_user_home_dir</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Getattr ssh home directory </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_initrc_domtrans"></a> <div id="interface"> <div id="codeblock"> <b>ssh_initrc_domtrans</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Execute sshd server in the sshd domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_manage_home_files"></a> <div id="interface"> <div id="codeblock"> <b>ssh_manage_home_files</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Manage ssh home directory content </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_read_pipes"></a> <div id="interface"> <div id="codeblock"> <b>ssh_read_pipes</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Read a ssh server unnamed pipe. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_read_user_home_files"></a> <div id="interface"> <div id="codeblock"> <b>ssh_read_user_home_files</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Read ssh home directory content </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_run_keygen"></a> <div id="interface"> <div id="codeblock"> <b>ssh_run_keygen</b>( domain , role )<br> </div> <div id="description"> <h5>Summary</h5> <p> Execute ssh-keygen in the iptables domain, and allow the specified role the ssh-keygen domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed to transition. </p> </td></tr> <tr><td> role </td><td> <p> Role allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_rw_dgram_sockets"></a> <div id="interface"> <div id="codeblock"> <b>ssh_rw_dgram_sockets</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Read and write ssh server unix dgram sockets. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_rw_pipes"></a> <div id="interface"> <div id="codeblock"> <b>ssh_rw_pipes</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Read and write a ssh server unnamed pipe. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_rw_stream_sockets"></a> <div id="interface"> <div id="codeblock"> <b>ssh_rw_stream_sockets</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Read and write ssh server unix domain stream sockets. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_rw_tcp_sockets"></a> <div id="interface"> <div id="codeblock"> <b>ssh_rw_tcp_sockets</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Read and write ssh server TCP sockets. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_setattr_key_files"></a> <div id="interface"> <div id="codeblock"> <b>ssh_setattr_key_files</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Set the attributes of sshd key files. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_sigchld"></a> <div id="interface"> <div id="codeblock"> <b>ssh_sigchld</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Send a SIGCHLD signal to the ssh server. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_signal"></a> <div id="interface"> <div id="codeblock"> <b>ssh_signal</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Send a generic signal to the ssh server. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_signull"></a> <div id="interface"> <div id="codeblock"> <b>ssh_signull</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Send a null signal to sshd processes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_systemctl"></a> <div id="interface"> <div id="codeblock"> <b>ssh_systemctl</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Execute sshd server in the sshd domain. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed to transition. </p> </td></tr> </table> </div> </div> <a name="link_ssh_tcp_connect"></a> <div id="interface"> <div id="codeblock"> <b>ssh_tcp_connect</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Connect to SSH daemons over TCP sockets. (Deprecated) </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_ssh_use_ptys"></a> <div id="interface"> <div id="codeblock"> <b>ssh_use_ptys</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Read and write inherited sshd pty type. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a href=#top>Return</a> <a name="templates"></a> <h3>Templates: </h3> <a name="link_ssh_basic_client_template"></a> <div id="template"> <div id="codeblock"> <b>ssh_basic_client_template</b>( userdomain_prefix , user_domain , user_role )<br> </div> <div id="description"> <h5>Summary</h5> <p> Basic SSH client template. </p> <h5>Description</h5> <p> </p><p> This template creates a derived domains which are used for ssh client sessions. A derived type is also created to protect the user ssh keys. </p><p> </p><p> This template was added for NX. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> userdomain_prefix </td><td> <p> The prefix of the domain (e.g., user is the prefix for user_t). </p> </td></tr> <tr><td> user_domain </td><td> <p> The type of the domain. </p> </td></tr> <tr><td> user_role </td><td> <p> The role associated with the user domain. </p> </td></tr> </table> </div> </div> <a name="link_ssh_dyntransition_domain_template"></a> <div id="template"> <div id="codeblock"> <b>ssh_dyntransition_domain_template</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> The template to define a domain to which sshd dyntransition. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> The prefix of the dyntransition domain </p> </td></tr> </table> </div> </div> <a name="link_ssh_role_template"></a> <div id="template"> <div id="codeblock"> <b>ssh_role_template</b>( role_prefix , role , domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Role access for ssh </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> role_prefix </td><td> <p> The prefix of the role (e.g., user is the prefix for user_r). </p> </td></tr> <tr><td> role </td><td> <p> Role allowed access </p> </td></tr> <tr><td> domain </td><td> <p> User domain for the role </p> </td></tr> </table> </div> </div> <a name="link_ssh_server_template"></a> <div id="template"> <div id="codeblock"> <b>ssh_server_template</b>( userdomain_prefix )<br> </div> <div id="description"> <h5>Summary</h5> <p> The template to define a ssh server. </p> <h5>Description</h5> <p> </p><p> This template creates a domains to be used for creating a ssh server. This is typically done to have multiple ssh servers of different sensitivities, such as for an internal network-facing ssh server, and a external network-facing ssh server. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> userdomain_prefix </td><td> <p> The prefix of the server domain (e.g., sshd is the prefix for sshd_t). </p> </td></tr> </table> </div> </div> <a href=#top>Return</a> </div> </body> </html>
