Current File : //proc/thread-self/root/kunden/usr/share/selinux/devel/html/ssh_keysign.html

<!-- Creator     : groff version 1.22.4 -->
<!-- CreationDate: Thu Apr 10 20:00:00 2025 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
       h1      { text-align: center }
</style>
<title>ssh_keysign_selinux</title>

</head>
<body>

<h1 align="center">ssh_keysign_selinux</h1>

<a href="#NAME">NAME</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#ENTRYPOINTS">ENTRYPOINTS</a><br>
<a href="#PROCESS TYPES">PROCESS TYPES</a><br>
<a href="#BOOLEANS">BOOLEANS</a><br>
<a href="#FILE CONTEXTS">FILE CONTEXTS</a><br>
<a href="#COMMANDS">COMMANDS</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>

<hr>


<h2>NAME
<a name="NAME"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em">ssh_keysign_selinux
&minus; Security Enhanced Linux Policy for the ssh_keysign
processes</p>

<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em">Security-Enhanced
Linux secures the ssh_keysign processes via flexible
mandatory access control.</p>

<p style="margin-left:11%; margin-top: 1em">The ssh_keysign
processes execute with the ssh_keysign_t SELinux type. You
can check if you have these processes running by executing
the <b>ps</b> command with the <b>&minus;Z</b>
qualifier.</p>

<p style="margin-left:11%; margin-top: 1em">For
example:</p>

<p style="margin-left:11%; margin-top: 1em"><b>ps -eZ |
grep ssh_keysign_t</b></p>

<h2>ENTRYPOINTS
<a name="ENTRYPOINTS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">The
ssh_keysign_t SELinux type can be entered via the
<b>ssh_keysign_exec_t</b> file type.</p>

<p style="margin-left:11%; margin-top: 1em">The default
entrypoint paths for the ssh_keysign_t domain are the
following:</p>


<p style="margin-left:11%; margin-top: 1em">/usr/lib/openssh/ssh-keysign,
/usr/libexec/openssh/ssh-keysign</p>

<h2>PROCESS TYPES
<a name="PROCESS TYPES"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux defines
process types (domains) for each process running on the
system</p>

<p style="margin-left:11%; margin-top: 1em">You can see the
context of a process using the <b>&minus;Z</b> option to
<b>ps</b></p>

<p style="margin-left:11%; margin-top: 1em">Policy governs
the access confined processes have to files. SELinux
ssh_keysign policy is very flexible allowing users to setup
their ssh_keysign processes in as secure a method as
possible.</p>

<p style="margin-left:11%; margin-top: 1em">The following
process types are defined for ssh_keysign:</p>


<p style="margin-left:11%; margin-top: 1em"><b>ssh_keysign_t</b></p>

<p style="margin-left:11%; margin-top: 1em">Note:
<b>semanage permissive -a ssh_keysign_t</b> can be used to
make the process type ssh_keysign_t permissive. SELinux does
not deny access to permissive process types, but the AVC
(SELinux denials) messages are still generated.</p>

<h2>BOOLEANS
<a name="BOOLEANS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux policy
is customizable based on least access required. ssh_keysign
policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run ssh_keysign with
the tightest access possible.</p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow host key based authentication, you must turn on the
ssh_keysign boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
ssh_keysign 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow all domains to execute in fips_mode, you must turn on
the fips_mode boolean. Enabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
fips_mode 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow confined applications to use nscd shared memory, you
must turn on the nscd_use_shm boolean. Enabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
nscd_use_shm 1</b></p>

<h2>FILE CONTEXTS
<a name="FILE CONTEXTS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux
requires files to have an extended attribute to define the
file type.</p>

<p style="margin-left:11%; margin-top: 1em">You can see the
context of a file using the <b>&minus;Z</b> option to
<b>ls</b></p>

<p style="margin-left:11%; margin-top: 1em">Policy governs
the access confined processes have to these files. SELinux
ssh_keysign policy is very flexible allowing users to setup
their ssh_keysign processes in as secure a method as
possible.</p>

<p style="margin-left:11%; margin-top: 1em"><i>The
following file types are defined for ssh_keysign:</i></p>


<p style="margin-left:11%; margin-top: 1em"><b>ssh_keysign_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the ssh_keysign_exec_t type, if you want to transition
an executable to the ssh_keysign_t domain. <br>
Paths:</p>

<p style="margin-left:18%;">/usr/lib/openssh/ssh-keysign,
/usr/libexec/openssh/ssh-keysign</p>

<p style="margin-left:11%; margin-top: 1em">Note: File
context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need
to use the <b>semanage fcontext</b> command. This will
modify the SELinux labeling database. You will need to use
<b>restorecon</b> to apply the labels.</p>

<h2>COMMANDS
<a name="COMMANDS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext</b> can also be used to manipulate default file
context mappings.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
permissive</b> can also be used to manipulate whether or not
a process type is permissive.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
module</b> can also be used to enable/disable/install/remove
policy modules.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
boolean</b> can also be used to manipulate the booleans</p>


<p style="margin-left:11%; margin-top: 1em"><b>system-config-selinux</b>
is a GUI tool available to customize SELinux policy
settings.</p>

<h2>AUTHOR
<a name="AUTHOR"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">This manual
page was auto-generated using <b>sepolicy manpage .</b></p>

<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">selinux(8),
ssh_keysign(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)</p>
<hr>
</body>
</html>