1 | # Last Modified: Wed Jan 18 10:55:22 2012 |
2 | # ------------------------------------------------------------------ |
3 | # |
4 | # Copyright (C) 2002-2005 Novell/SUSE |
5 | # |
6 | # This program is free software; you can redistribute it and/or |
7 | # modify it under the terms of version 2 of the GNU General Public |
8 | # License published by the Free Software Foundation. |
9 | # |
10 | # ------------------------------------------------------------------ |
11 | # will need to revalidate this profile once we finish re-architecting |
12 | # the change_hat patch. |
13 | # |
14 | |
15 | #include <tunables/global> |
16 | |
17 | /usr/sbin/sshd { |
# Confinement for the sshd listener/parent process. The ^NAME blocks below
# are hats; the header comment ties this profile to the change_hat work, so
# presumably sshd switches into a hat at each privilege transition and each
# hat only grants what that stage needs.
18 | #include <abstractions/authentication> |
19 | #include <abstractions/base> |
20 | #include <abstractions/consoles> |
21 | #include <abstractions/nameservice> |
22 | #include <abstractions/wutmp> |
23 | |
24 | |
# Capabilities held before any hat is entered. NOTE(review): dac_override
# and sys_resource are broad grants; confirm against audit logs that the
# current sshd still exercises each of these in the parent.
25 | capability audit_control, |
26 | capability chown, |
27 | capability dac_override, |
28 | capability fowner, |
29 | capability fsetid, |
30 | capability kill, |
31 | capability net_bind_service, |
32 | capability setgid, |
33 | capability setuid, |
34 | capability sys_chroot, |
35 | capability sys_resource, |
36 | capability sys_tty_config, |
37 | |
38 | |
# Login shells run unconfined (U) with the environment scrubbed (uppercase
# exec modifier); the session process leaves this profile entirely.
39 | /bin/ash rUx, |
40 | /bin/bash rUx, |
41 | /bin/bash2 rUx, |
42 | /bin/bsh rUx, |
43 | /bin/csh rUx, |
44 | /bin/ksh rUx, |
45 | /bin/sh rUx, |
46 | /bin/tcsh rUx, |
47 | /bin/zsh rUx, |
48 | /dev/ptmx rw, |
49 | /dev/pts/[0-9]* rw, |
50 | /dev/urandom r, |
# NOTE(review): blanket read of everything under /etc. The authentication
# abstraction already covers the PAM/passwd files; verify whether a narrower
# set (host keys and sshd config under /etc/ssh/ plus what sshd actually
# opens) would be enough before relaxing it further.
51 | /etc/** r, |
# oom_adj is the legacy knob, oom_score_adj its replacement. These use a bare
# /proc/* glob rather than the @{PROC}/[0-9]* form used below; the bare glob
# also matches /proc/self, which is presumably why it differs.
52 | /proc/*/oom_adj rw, |
53 | /proc/*/oom_score_adj rw, |
54 | /sbin/nologin rUx, |
# Agent-forwarding socket and its per-session directory; 'l' allows link.
55 | /tmp/ssh-*/agent.[0-9]* rwl, |
56 | /tmp/ssh-*[0-9]*/ w, |
# Re-exec of sshd stays under this profile (ix); m permits executable mmap.
57 | /usr/sbin/sshd mrix, |
# NOTE(review): grants write to every file directly under /var/log, not only
# the lastlog/wtmp/btmp entries the wutmp abstraction presumably covers —
# confirm sshd needs more than the abstraction provides.
58 | /var/log/* rw, |
# Write on the /run (or /var/run) path itself, not on its contents — no
# trailing slash or glob. Confirm this is the intended target.
59 | /{,var/}run w, |
60 | /{,var/}run/sshd{,.init}.pid wl, |
61 | @{HOME}/.ssh/authorized_keys{,2} r, |
62 | @{PROC}/[0-9]*/fd/ r, |
63 | @{PROC}/[0-9]*/loginuid w, |
64 | @{PROC}/[0-9]*/mounts r, |
65 | |
66 | |
# Hat for the post-authentication stage (name only; the transition point is
# in the change_hat patch, not visible here). No shell exec rules: the
# session shell is launched from ^EXEC.
67 | ^AUTHENTICATED { |
68 | #include <abstractions/authentication> |
69 | #include <abstractions/consoles> |
70 | #include <abstractions/nameservice> |
71 | #include <abstractions/wutmp> |
72 | |
73 | capability setgid, |
74 | capability setuid, |
75 | capability sys_tty_config, |
76 | |
77 | |
78 | /dev/log w, |
79 | /dev/ptmx rw, |
80 | /etc/default/passwd r, |
81 | /etc/localtime r, |
82 | /etc/login.defs r, |
83 | /etc/motd r, |
84 | /tmp/ssh-*/agent.[0-9]* rwl, |
85 | /tmp/ssh-*[0-9]*/ w, |
86 | |
87 | } |
88 | |
# Hat whose only purpose is to exec the user's shell: no capabilities, no
# file access beyond abstractions/base, and each shell is Ux (unconfined,
# environment scrubbed). The same shell list as the parent profile minus the
# read permission — keep both lists in sync when a shell is added.
89 | ^EXEC { |
90 | #include <abstractions/base> |
91 | |
92 | |
93 | /bin/ash Ux, |
94 | /bin/bash Ux, |
95 | /bin/bash2 Ux, |
96 | /bin/bsh Ux, |
97 | /bin/csh Ux, |
98 | /bin/ksh Ux, |
99 | /bin/sh Ux, |
100 | /bin/tcsh Ux, |
101 | /bin/zsh Ux, |
102 | /sbin/nologin Ux, |
103 | |
104 | } |
105 | |
# Hat with no file rules of its own: only abstractions/base and nameservice,
# plus the capabilities needed to chroot and drop privileges. Consistent
# with sshd's unprivileged privsep child, which chroots and changes uid
# (inferred from the name and the capability set).
106 | ^PRIVSEP { |
107 | #include <abstractions/base> |
108 | #include <abstractions/nameservice> |
109 | |
110 | capability setgid, |
111 | capability setuid, |
112 | capability sys_chroot, |
113 | |
114 | |
115 | |
116 | } |
117 | |
# Hat for the privileged privsep monitor: keeps authentication and login
# record access, host key / moduli / TCP-wrapper reads, and authorized_keys
# lookup, but no shell exec rules.
118 | ^PRIVSEP_MONITOR { |
119 | #include <abstractions/authentication> |
120 | #include <abstractions/base> |
121 | #include <abstractions/nameservice> |
122 | #include <abstractions/wutmp> |
123 | |
124 | capability chown, |
125 | capability setgid, |
126 | capability setuid, |
127 | |
128 | |
129 | /dev/ptmx rw, |
130 | /dev/pts/[0-9]* rw, |
131 | /dev/urandom r, |
132 | /etc/hosts.allow r, |
133 | /etc/hosts.deny r, |
134 | /etc/ssh/moduli r, |
135 | @{HOME}/.ssh/authorized_keys{,2} r, |
136 | @{PROC}/[0-9]*/mounts r, |
137 | |
138 | } |
139 | } |