7.2.1.6. SELinux Policy Sources

# Reference-policy style module for the ssh client, written in the m4-macro
# policy language: module header, tunables, attribute/type declarations, then
# the allow rules that define what the ssh_t domain may do. Lines reading
# "..." are elisions in the excerpt, not policy syntax.
policy_module(ssh, 2.4.2)

# Booleans an administrator can toggle at runtime (e.g. setsebool) without
# rebuilding the module. Both default to false, so any rules guarded by them
# (see the tunable_policy block below) are inactive until explicitly enabled.
gen_tunable(allow_ssh_keysign, false)
gen_tunable(ssh_sysadm_login, false)

# Attributes name a set of types so a single rule can address the whole set.
attribute ssh_server;
attribute ssh_agent_type;

# Type declarations. ssh_t is the process domain the rules below are written
# for; the *_exec_t names presumably label executables (refpolicy convention,
# not shown here) and ssh_home_t presumably labels per-user ssh files -- verify
# against the full module.
type ssh_t;
type ssh_exec_t;
type ssh_home_t;
type sshd_exec_t;
...

# Rules on objects owned by ssh_t itself. The capability line is the most
# privilege-relevant grant in this excerpt: setuid/setgid let the process
# change its own credentials, and further capabilities are elided.
allow ssh_t self:capability { setuid setgid ... };
allow ssh_t self:tcp_socket create_stream_socket_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
...

# Rules on objects of other types: read-only access to files labelled
# sshd_key_t (presumably the server's key files -- confirm), and full
# create/delete/rename control over sshd_tmp_t directories and files.
allow ssh_t sshd_key_t:file read_file_perms;
allow ssh_t sshd_tmp_t:dir manage_dir_perms;
allow ssh_t sshd_tmp_t:file manage_file_perms;
...

# Conditional rules, active only while the allow_ssh_keysign boolean is true.
# When ssh_t executes a file labelled ssh_keysign_exec_t it transitions into
# the ssh_keysign_t domain, which in turn may inherit ssh_t file descriptors,
# deliver sigchld to ssh_t, and read/write fifos belonging to ssh_t. Keeping
# this behind a tunable means the extra domain transition is off by default.
# NOTE(review): in m4 a space between a macro name and "(" makes the macro
# expand without its arguments; refpolicy writes tunable_policy( and
# domain_auto_trans( with no space -- confirm this is a typesetting artefact
# of the excerpt rather than the actual source.
tunable_policy (`allow_ssh_keysign',`
    domain_auto_trans (ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
    allow ssh_keysign_t ssh_t:fd use;
    allow ssh_keysign_t ssh_t:process sigchld;
    allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
')
...