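# Last Modified: Wed Jan 18 10:55:22 2012
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# AppArmor profile for the OpenSSH server, /usr/sbin/sshd.
#
# The ^AUTHENTICATED, ^EXEC, ^PRIVSEP and ^PRIVSEP_MONITOR hats are only
# entered by an sshd carrying the change_hat patch; an unpatched sshd
# runs entirely under the rules of the main profile body.
#
# will need to revalidate this profile once we finish re-architecting
# the change_hat patch.
#
# Rules marked NOTE(review) are broader than the daemon obviously needs.
# They are left as-is here because the true minimum depends on the
# sshd/PAM build; confirm in complain mode before tightening them.
#

#include <tunables/global>

/usr/sbin/sshd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>

  # Capabilities used before a hat is entered (or by an unpatched sshd
  # for its whole lifetime). Each one is a privilege the confined root
  # process may actually exercise, so keep this list as short as possible.
  capability audit_control,      # needed to write @{PROC}/<pid>/loginuid (below)
  capability chown,              # pty / log file ownership changes -- presumably; confirm
  capability dac_override,       # bypass DAC when reading user-owned files
  capability fowner,
  capability fsetid,
  capability kill,               # signal session/child processes
  capability net_bind_service,   # bind the privileged listening port (<1024)
  capability setgid,             # drop to the session user's gid
  capability setuid,             # drop to the session user's uid
  capability sys_chroot,         # privsep chroot (also granted in ^PRIVSEP)
  capability sys_resource,
  capability sys_tty_config,

  # Login shells. `Ux` runs the child unconfined (no AppArmor profile);
  # the capital U additionally scrubs the environment (LD_PRELOAD etc.)
  # before the exec. User sessions are therefore NOT confined by this
  # profile.
  /bin/ash rUx,
  /bin/bash rUx,
  /bin/bash2 rUx,
  /bin/bsh rUx,
  /bin/csh rUx,
  /bin/ksh rUx,
  /bin/sh rUx,
  /bin/tcsh rUx,
  /bin/zsh rUx,
  /sbin/nologin rUx,

  # pty allocation for interactive sessions.
  /dev/ptmx rw,
  /dev/pts/[0-9]* rw,
  /dev/urandom r,

  # NOTE(review): read access to the entire /etc tree (sshd_config, host
  # keys, PAM config, ...). This also exposes every other file under /etc
  # to a compromised sshd; enumerate the needed paths if tightening.
  /etc/** r,

  # sshd adjusts the OOM score of its own process. The @{PROC} tunable is
  # used here for consistency with the other /proc rules below; with the
  # default tunable this is identical to the former /proc/* spelling.
  @{PROC}/*/oom_adj rw,
  @{PROC}/*/oom_score_adj rw,

  # Agent-forwarding socket directory and socket.
  /tmp/ssh-*/agent.[0-9]* rwl,
  /tmp/ssh-*[0-9]*/ w,

  # sshd may mmap (m) and re-exec (ix) its own binary; `ix` keeps the
  # child in this same profile rather than escaping confinement.
  /usr/sbin/sshd mrix,

  # NOTE(review): read/write to every file directly under /var/log. The
  # wutmp abstraction included above presumably already covers
  # wtmp/btmp/lastlog -- confirm, then narrow this to the files actually
  # needed so a compromised sshd cannot truncate or alter other logs.
  /var/log/* rw,

  # pid file (write on the directory is needed to create it).
  /{,var/}run w,
  /{,var/}run/sshd{,.init}.pid wl,

  # Only the default AuthorizedKeysFile locations under users' homes are
  # readable; a non-default AuthorizedKeysFile in sshd_config will be
  # denied unless a rule is added for it.
  @{HOME}/.ssh/authorized_keys{,2} r,

  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/loginuid w,
  @{PROC}/[0-9]*/mounts r,

  # Hat entered after successful authentication (session setup:
  # motd, login.defs, password defaults) -- presumably; confirm against
  # the change_hat patch. No exec rules here: the shell is launched from
  # ^EXEC or from the main profile.
  ^AUTHENTICATED {
    #include <abstractions/authentication>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>

    capability setgid,
    capability setuid,
    capability sys_tty_config,

    /dev/log w,
    /dev/ptmx rw,
    /etc/default/passwd r,
    /etc/localtime r,
    /etc/login.defs r,
    /etc/motd r,
    /tmp/ssh-*/agent.[0-9]* rwl,
    /tmp/ssh-*[0-9]*/ w,
  }

  # Hat used to exec the user's login shell. Exec-only (no read) and
  # unconfined with environment scrubbing, as in the main profile.
  ^EXEC {
    #include <abstractions/base>

    /bin/ash Ux,
    /bin/bash Ux,
    /bin/bash2 Ux,
    /bin/bsh Ux,
    /bin/csh Ux,
    /bin/ksh Ux,
    /bin/sh Ux,
    /bin/tcsh Ux,
    /bin/zsh Ux,
    /sbin/nologin Ux,
  }

  # Hat for the unprivileged privilege-separation child -- presumably;
  # it is limited to the capabilities needed to chroot and drop
  # privileges plus the included abstractions, with no file rules of
  # its own.
  ^PRIVSEP {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    capability setgid,
    capability setuid,
    capability sys_chroot,
  }

  # Hat for the privileged privsep monitor: reads the tcp_wrappers
  # access lists, the DH moduli file and users' authorized_keys, and
  # handles the pty.
  ^PRIVSEP_MONITOR {
    #include <abstractions/authentication>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>

    capability chown,
    capability setgid,
    capability setuid,

    /dev/ptmx rw,
    /dev/pts/[0-9]* rw,
    /dev/urandom r,
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/ssh/moduli r,
    @{HOME}/.ssh/authorized_keys{,2} r,
    @{PROC}/[0-9]*/mounts r,
  }
}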