diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index ff92d99..c70680d 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -199,7 +199,6 @@ template(`ssh_per_userdomain_template',`
  dontaudit $1_ssh_t $1_home_t:dir { getattr search };
  # for /bin/sh used to execute xauth
- dontaudit $1_ssh_t proc_t:dir search;
  dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
  # Inherit and use descriptors from gnome-pty-helper.
@@ -215,11 +214,9 @@ template(`ssh_per_userdomain_template',`
  ifdef(`xserver.te', `
  # Communicate with the X server.
- ifdef(`startx.te', `
  can_unix_connect($1_ssh_t, $1_xserver_t)
  allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
  allow $1_ssh_t $1_xserver_tmp_t:dir search;
- ')dnl end if startx
  ifdef(`xdm.te', `
  allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
  allow $1_ssh_t { xdm_tmp_t }:sock_file write;
@@ -281,6 +278,7 @@ template(`ssh_per_userdomain_template',`
  files_read_etc_files($1_ssh_agent_t)
  files_read_etc_runtime_files($1_ssh_agent_t)
+ files_search_home($1_ssh_agent_t)
  libs_read_lib($1_ssh_agent_t)
  libs_use_ld_so($1_ssh_agent_t)
@@ -328,7 +326,6 @@ template(`ssh_per_userdomain_template',`
  # allow ps to show ssh
  can_ps($1_t, $1_ssh_agent_t)
- allow $1_ssh_agent_t proc_t:dir search;
  dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
  # Access the ssh temporary files. Should we have an own type here
@@ -342,7 +339,7 @@ template(`ssh_per_userdomain_template',`
  # transition back to normal privs upon exec
  domain_auto_trans($1_ssh_agent_t, $1_home_t, $1_t)
- allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;
+ allow $1_ssh_agent_t $1_home_dir_t:dir search;
  allow $1_ssh_t $1_tmp_t:sock_file write;
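Review bot: Dropping `dontaudit $1_ssh_t proc_t:dir search;` while keeping `dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };` directly after it splits one /proc access in two: a denied search of the directory will now be logged while the follow-on getattr/read of entries under it stays silent. If the directory search is meant to be granted by an interface call added elsewhere in the template (not visible in this hunk), a comment next to the surviving line would spare the next reader the hunt, e.g. `# proc_t:dir search is now granted by the kernel interface called above`; if nothing grants it, the dontaudit should stay. The `# for /bin/sh used to execute xauth` comment still applies to the remaining dontaudit, so it should stay attached to it. The template body continues outside the hunk.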
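Review bot: With the startx guard removed, `allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;` is now active whenever xserver.te is built, and it grants far more than a socket connection needs: connecting to a unix socket only requires `write` on the sock_file, which is exactly what the xdm branch below grants with `allow $1_ssh_t { xdm_tmp_t }:sock_file write;`. Tighten the startx path to match, `allow $1_ssh_t $1_xserver_tmp_t:sock_file write;`, so both branches follow the same least-privilege shape. Whether $1_xserver_t and $1_xserver_tmp_t are declared when xserver.te is built without startx is not visible here; if they are only declared by a startx-dependent template, the now-unconditional reference will fail at policy build time, so that is worth confirming. The enclosing ifdef(`xserver.te' block continues past the hunk.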
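Review bot: The removed `allow $1_ssh_agent_t proc_t:dir search;` is an allow, not a dontaudit, so unless an interface added outside this hunk now grants it, ssh-agent loses its /proc directory search and that denial will be audited, because the dontaudit that follows only silences getattr/read on proc_t files and symlinks. If the access now comes from an interface call elsewhere in the template, record that next to the `# allow ps to show ssh` comment, e.g. `# ssh-agent's proc_t:dir search is granted by the kernel interface above`; if it does not, the rule should be replaced by that interface call rather than deleted. The template body continues outside the hunk.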
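Review bot: The new `allow $1_ssh_agent_t $1_home_dir_t:dir search;` covers only the user's own home directory, with `home_root_t` now handled by the `files_search_home($1_ssh_agent_t)` call added earlier in this template, but the `# transition back to normal privs upon exec` comment above it only describes the domain_auto_trans line, so the search rule reads as part of the transition. A one-line comment would make the split explicit, e.g. `# search the user's home dir; /home itself comes from files_search_home() above`. The template body continues outside the hunk.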