diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 6e2d2fe..938d34e 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -108,6 +108,8 @@ template(`ssh_per_userdomain_template',`
 allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms;
 
 # ssh client can manage the keys and config
+ userdom_search_user_home($1,$1_ssh_t)
+
 allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
 allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
 allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
@@ -497,6 +499,7 @@ template(`ssh_server_template', `
 
 sysnet_read_config($1_t)
 
+ userdom_dontaudit_relabelfrom_unpriv_user_pty($1_t)
 userdom_search_all_users_home($1_t)
 
 # Allow checking users mail at login
@@ -540,17 +543,6 @@ template(`ssh_server_template', `
 optional_policy(`nscd',`
 nscd_use_socket($1_t)
 ')
-
- ifdef(`TODO',`
-
- # Read /var.
- allow $1_t var_t:dir getattr;
-
- allow $1_t home_dir_type:dir getattr;
-
- dontaudit sshd_t userpty_type:chr_file relabelfrom;
-
- ') dnl end TODO
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index c4da5ce..7f20b44 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -111,6 +111,10 @@ ifdef(`targeted_policy',`',`
 ',`
 userdom_spec_domtrans_unpriv_users(sshd_t)
 userdom_signal_unpriv_users(sshd_t)
+
+ userdom_setattr_unpriv_user_pty(sshd_t)
+ userdom_relabelto_unpriv_user_pty(sshd_t)
+ userdom_use_unpriv_user_pty(sshd_t)
 ')
 
 optional_policy(`daemontools',`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index defee59..ddc25ba 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
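Review bot: The new `userdom_search_user_home($1,$1_ssh_t)` lands between the comment `# ssh client can manage the keys and config` and the allow rules that comment was written for, and the blank line after it detaches the comment from those rules, so the comment now reads as if it explained the search grant. Give the call its own why-comment, e.g. `# traverse the user home dir to reach ~/.ssh`, and keep the existing comment directly above the $1_home_ssh_t allow rules; search is presumably the minimal right needed here since the key files themselves are already covered by the rules below. ssh_per_userdomain_template starts and ends outside the hunk.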
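Review bot: `userdom_dontaudit_relabelfrom_unpriv_user_pty($1_t)` silences a denial without recording why the relabelfrom is expected to be denied rather than allowed, while the ssh.te hunk in this same commit grants sshd_t `relabelto` on the same user_ptynode attribute; a pty that already carries a user pty type can therefore not be relabelled by $1_t, and that failure will no longer appear in the audit log. If the silenced attempt is a known harmless one (the TODO block removed further down carried the same dontaudit for sshd_t, also without explanation), say so in a comment such as `# relabelfrom on an already user-labelled pty is attempted but not needed; keep it out of the log` so the dontaudit is not later mistaken for a missing grant. Note the rule is now on the template parameter $1_t rather than the literal sshd_t of the removed TODO, which extends it to every server domain instantiated from ssh_server_template. The template starts and ends outside the hunk.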
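Review bot: The three new pty grants for sshd_t carry no comment, and `userdom_relabelto_unpriv_user_pty(sshd_t)` is attribute-wide: the interface this commit adds in userdomain.if allows relabelto on `user_ptynode`, i.e. the pty type of every unprivileged user, so sshd_t may label a pty as belonging to any user, not only the one logging in. That is presumably what a login daemon that allocates the pty before the user domain transition needs, but a one-line comment such as `# sshd allocates the pty for the login session and labels it for the user; covers all unprivileged user pty types` would keep the scope of the grant visible to the next reader. The calls also live only in the non-targeted branch of the targeted_policy ifdef; if that is deliberate, the same comment could say why. The enclosing ifdef starts and ends outside the hunk.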
@@ -3692,6 +3692,39 @@ interface(`userdom_dontaudit_use_unpriv_user_pty',`
 
 ########################################
 ##
+## Relabel files to unprivileged user pty types.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_relabelto_unpriv_user_pty',`
+ gen_require(`
+ attribute user_ptynode;
+ ')
+
+ allow $1 user_ptynode:chr_file relabelto;
+')
+
+########################################
+##
+## Do not audit attempts to relabel files from
+## unprivileged user pty types.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_dontaudit_relabelfrom_unpriv_user_pty',`
+ gen_require(`
+ attribute user_ptynode;
+ ')
+
+ dontaudit $1 user_ptynode:chr_file relabelfrom;
+')
+
+########################################
+##
 ## Read all unprivileged users temporary directories.
 ##
 ##
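Review bot: The pair is asymmetric: `userdom_relabelto_unpriv_user_pty` is an allow while the relabelfrom side only gets a dontaudit interface, and because a relabel needs relabelfrom on the old type as well as relabelto on the new one, no caller of these two can move a pty from one unprivileged user pty type to another; that may be intended, but then the `userdom_dontaudit_relabelfrom_unpriv_user_pty` summary should say the operation is expected to be denied rather than merely quieted, e.g. `## Do not audit attempts to relabel files from unprivileged user pty types; the relabel is expected to be denied.` Both interfaces act on the `user_ptynode` attribute, so the `Domain allowed access.` parameter text could note that the grant covers the pty types of all unprivileged users, not one user's. The doc lines appear on this page without the `<summary>`/`<param>` markup the refpolicy documentation generator reads; if that is only a rendering artifact, ignore this sentence.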