@@ -38,6 +38,7 @@ F: package/flutter-engine/
F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
+F: package/openssh/selinux/
F: package/refpolicy/selinux/
F: package/systemd/selinux/
F: package/sysvinit/selinux/
new file mode 100644
new file mode 100644
@@ -0,0 +1 @@
+## <summary>Buildroot openssh rules</summary>
new file mode 100644
@@ -0,0 +1,23 @@
+policy_module(buildroot-openssh, 1.0.0)
+
+#============= sshd_t ==============
+allow sshd_t device_t:chr_file { getattr open read write };
+allow sshd_t kernel_t:fd use;
+allow sshd_t root_t:chr_file { read write };
+allow sshd_t sysadm_t:process { noatsecure rlimitinh siginh };
+allow sshd_t sysadm_t:process transition;
+allow sshd_t var_t:lnk_file read;
+
+#============= ssh_keygen_t ==============
+allow ssh_keygen_t cert_t:dir search;
+allow ssh_keygen_t cert_t:file { getattr open read };
+allow ssh_keygen_t device_t:chr_file { open read write };
+allow ssh_keygen_t kernel_t:fd use;
+allow ssh_keygen_t root_t:chr_file { getattr ioctl read write };
+allow ssh_keygen_t security_t:filesystem getattr;
+allow ssh_keygen_t selinux_config_t:dir search;
+allow ssh_keygen_t tmpfs_t:dir search;
+
+#============= restorecond_t ==============
+allow restorecond_t ssh_home_t:dir watch;
+
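Review bot: The sshd_t rules `allow sshd_t sysadm_t:process { noatsecure rlimitinh siginh };` and `allow sshd_t sysadm_t:process transition;` grant more than running without denials requires. `noatsecure` turns off AT_SECURE environment sanitising across the sshd_t to sysadm_t transition, and the unconditional `transition` permits sshd to enter sysadm_t directly. Reference policy normally gates that transition behind the `ssh_sysadm_login` tunable, so I would change the first line to `dontaudit sshd_t sysadm_t:process { noatsecure rlimitinh siginh };` and drop the second in favour of that boolean, assuming the refpolicy version packaged here provides it. The `device_t:chr_file` and `root_t:chr_file` rules for sshd_t and ssh_keygen_t look like audit2allow output for unlabelled device nodes, though that is inferred from the generated-style section headers. Fixing the label, or adding a comment naming the node that triggered them, would avoid opening the generic device type to both domains.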
This is a basic policy necessary for OpenSSH to work properly in enforcing mode without any denials. Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> --- DEVELOPERS | 1 + package/openssh/selinux/buildroot-openssh.fc | 0 package/openssh/selinux/buildroot-openssh.if | 1 + package/openssh/selinux/buildroot-openssh.te | 23 ++++++++++++++++++++ 4 files changed, 25 insertions(+) create mode 100644 package/openssh/selinux/buildroot-openssh.fc create mode 100644 package/openssh/selinux/buildroot-openssh.if create mode 100644 package/openssh/selinux/buildroot-openssh.te