diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index bfabd20d7..3571a4af8 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -40,6 +40,9 @@ gen_tunable(fcron_crond,false) ## gen_tunable(read_default_t,false) +## Allow ssh to run from inetd instead of as a daemon. +gen_tunable(run_ssh_inetd,false) + ## ## Enabling secure mode disallows programs, such as ## newrole, from transitioning to administrative @@ -47,6 +50,9 @@ gen_tunable(read_default_t,false) ## gen_bool(secure_mode,false) +## Allow ssh logins as sysadm_r:sysadm_t +gen_tunable(ssh_sysadm_login,false) + ## ## Allow staff_r users to search the sysadm home ## dir and read files (such as ~/.bashrc) diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 2c6e0de08..6ac892693 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -6,11 +6,7 @@ policy_module(ssh,1.0) # Declarations # -# Allow ssh logins as sysadm_r:sysadm_t -bool ssh_sysadm_login false; - -# Allow ssh to run from inetd instead of as a daemon. -bool run_ssh_inetd false; +attribute ssh_server; # Type for the ssh-agent executable. type ssh_agent_exec_t;