diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 141ca93..567592d 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -181,7 +181,7 @@ template(`ssh_server_template', `
type $1_var_run_t;
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
allow $1_t self:tcp_socket create_stream_socket_perms;
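Review bot: `sys_nice` is added to the server's self:capability set with no comment saying which operation needs it, on the line `allow $1_t self:capability { kill sys_chroot sys_nice sys_resource ... }`. Because this sits in `ssh_server_template`, the grant applies to every server domain instantiated from the template, not only sshd_t, and CAP_SYS_NICE is broader than the `setsched` process permission already on the next lines (it also covers priority changes on other processes). A one-line why-comment above the rule, e.g. `# sys_nice: <operation seen in the AVC denial that motivated this>`, would let a later reviewer judge whether the capability is still required. The template body continues outside the hunk.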
@@ -237,6 +237,7 @@ template(`ssh_server_template', `
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
+ files_read_usr_files($1_t)
logging_search_logs($1_t)
@@ -265,7 +266,6 @@ template(`ssh_server_template', `
optional_policy(`
files_read_var_lib_symlinks($1_t)
-
nx_spec_domtrans_server($1_t)
')
')
@@ -388,6 +388,7 @@ template(`ssh_role_template',`
logging_send_syslog_msg($1_ssh_agent_t)
miscfiles_read_localization($1_ssh_agent_t)
+ miscfiles_read_certs($1_ssh_agent_t)
seutil_dontaudit_read_config($1_ssh_agent_t)
@@ -395,6 +396,7 @@ template(`ssh_role_template',`
userdom_use_user_terminals($1_ssh_agent_t)
# for the transition back to normal privs upon exec
+ userdom_search_user_home_content($1_ssh_agent_t)
userdom_user_home_domtrans($1_ssh_agent_t, $3)
allow $3 $1_ssh_agent_t:fd use;
allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
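Review bot: The inserted `userdom_search_user_home_content($1_ssh_agent_t)` now sits between the comment `# for the transition back to normal privs upon exec` and `userdom_user_home_domtrans($1_ssh_agent_t, $3)`, which is the line that comment describes, so the comment reads as if it explained the search rule. Either move the new call above the comment or give it its own, e.g. `# agent needs to traverse the user home to reach the exec target`, if that is indeed why it was added (the denial that motivated it is not visible here). The template body continues outside the hunk.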
@@ -696,6 +698,25 @@ interface(`ssh_dontaudit_read_server_keys',`
dontaudit $1 sshd_key_t:file { getattr read };
')
+######################################
+##
+## Manage ssh home directory content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ssh_manage_home_files',`
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ manage_files_pattern($1, ssh_home_t, ssh_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
#######################################
##
## Delete from the ssh temp files.
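Review bot: The new `ssh_manage_home_files` interface grants `manage_files_pattern($1, ssh_home_t, ssh_home_t)`, which is create/write/unlink on every file labelled ssh_home_t; in a user's ~/.ssh that includes authorized_keys and private keys, so any domain given this interface can effectively add login credentials for that user, and the summary `## Manage ssh home directory content` should state that consequence so callers are chosen deliberately. As far as I recall, `manage_files_pattern` grants only rw_dir_perms on the directory type, not dir create/rmdir, so a caller cannot create the ~/.ssh directory itself; either say so in the summary or add `manage_dirs_pattern($1, ssh_home_t, ssh_home_t)` if that was intended. The description block above the interface also appears to have lost its `<summary>` and `<param>` markup, though that may be an artefact of how the patch was captured rather than the commit.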
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index d44327b..1a9f7c5 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh, 2.1.2)
+policy_module(ssh, 2.1.3)
########################################
#
@@ -311,15 +311,15 @@ tunable_policy(`ssh_sysadm_login',`
')
optional_policy(`
- kerberos_keytab_template(sshd, sshd_t)
+ daemontools_service_domain(sshd_t, sshd_exec_t)
')
optional_policy(`
- daemontools_service_domain(sshd_t, sshd_exec_t)
+ inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')
optional_policy(`
- inetd_tcp_service_domain(sshd_t, sshd_exec_t)
+ kerberos_keytab_template(sshd, sshd_t)
')
optional_policy(`
@@ -333,10 +333,13 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(sshd_t)
unconfined_shell_domtrans(sshd_t)
')
+optional_policy(`
+ xserver_domtrans_xauth(sshd_t)
+')
+
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
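Review bot: Dropping `unconfined_domain(sshd_t)` while keeping `unconfined_shell_domtrans(sshd_t)` means sshd_t now runs confined even when the unconfined module is loaded, so every access that the unconfined rules previously masked becomes a real denial; the `sys_nice` and `files_read_usr_files` additions in ssh.if look like the first of that fallout, and a short comment in this optional_policy block recording the change of stance, e.g. `# sshd_t is confined even with unconfined loaded; only the shell transition remains`, would explain the asymmetry to the next reader. The new `xserver_domtrans_xauth(sshd_t)` block has no comment either; noting that it exists for X11 forwarding (if that is its purpose) keeps it from being pruned as unused. This is a tightening, so no objection to the direction.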