diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 6e2d2fe..938d34e 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -108,6 +108,8 @@ template(`ssh_per_userdomain_template',`
 	allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms;
 
 	# ssh client can manage the keys and config
+	userdom_search_user_home($1,$1_ssh_t)
+	allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
 	allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
 	allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
 
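Review bot: The new directory rule gives `$1_ssh_t` only `r_dir_perms` on `$1_home_ssh_t:dir`, but the next line keeps `create_file_perms` on files of that type, and the comment above says the client can "manage" keys and config. Creating, renaming or unlinking a file also needs write and name-change permissions on the containing directory, so unless another rule outside this hunk grants them, a first write of a file such as known_hosts would presumably still be denied. If creation is intended, the directory line should read `allow $1_ssh_t $1_home_ssh_t:dir rw_dir_perms;`. If read-only access to the directory is the goal, narrow the file permissions and reword the comment to match. The template body starts and ends outside the hunk.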
@@ -497,6 +499,7 @@ template(`ssh_server_template', `
 
 	sysnet_read_config($1_t)
 
+	userdom_dontaudit_relabelfrom_unpriv_user_pty($1_t)
 	userdom_search_all_users_home($1_t)
 
 	# Allow checking users mail at login
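Review bot: `userdom_dontaudit_relabelfrom_unpriv_user_pty($1_t)` silences the relabelfrom denial for every domain this template instantiates, whereas the TODO rule it replaces (removed in the next hunk) named only `sshd_t`. A dontaudit removes the AVC record that would otherwise show a server domain attempting to relabel a user pty, so the reason deserves a comment next to the call, for example `# sshd tries to relabel the pty back at session end; the denial is expected and harmless`, with the wording adjusted to the real cause. It is also unconditional here, while the matching relabelto grant in ssh.te sits inside a conditional branch. If the denial only occurs in that configuration, the dontaudit would be better placed there. The template body starts and ends outside the hunk.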
@@ -540,17 +543,6 @@ template(`ssh_server_template', `
 	optional_policy(`nscd',`
 		nscd_use_socket($1_t)
 	')
-
-	ifdef(`TODO',`
-
-	# Read /var.
-	allow $1_t var_t:dir getattr;
-
-	allow $1_t home_dir_type:dir getattr;
-
-	dontaudit sshd_t userpty_type:chr_file relabelfrom;
-
-	') dnl end TODO
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index c4da5ce..7f20b44 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -111,6 +111,10 @@ ifdef(`targeted_policy',`',`
 	',`
 		userdom_spec_domtrans_unpriv_users(sshd_t)
 		userdom_signal_unpriv_users(sshd_t)
+
+		userdom_setattr_unpriv_user_pty(sshd_t)
+		userdom_relabelto_unpriv_user_pty(sshd_t)
+		userdom_use_unpriv_user_pty(sshd_t)
 	')
 
 	optional_policy(`daemontools',`
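Review bot: The three pty calls added for `sshd_t` have no comment saying why the daemon needs setattr, relabelto and use on user ptys, and relabelto on every user pty type is a sensitive grant worth justifying in place. A line such as `# sshd labels the pty it allocates with the user pty type, then sets its attributes and uses it` above them would record the intent, assuming that is the actual flow. The condition guarding this branch opens outside the hunk, so which policy variant receives these permissions cannot be confirmed from here.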
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index defee59..ddc25ba 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -3692,6 +3692,39 @@ interface(`userdom_dontaudit_use_unpriv_user_pty',`
 
 ########################################
 ## <summary>
+##	Relabel files to unprivileged user pty types.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_relabelto_unpriv_user_pty',`
+	gen_require(`
+		attribute user_ptynode;
+	')
+
+	allow $1 user_ptynode:chr_file relabelto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to relabel files from
+##	unprivileged user pty types.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_dontaudit_relabelfrom_unpriv_user_pty',`
+	gen_require(`
+		attribute user_ptynode;
+	')
+
+	dontaudit $1 user_ptynode:chr_file relabelfrom;
+')
+
+########################################
+## <summary>
 ##	Read all unprivileged users temporary directories.
 ## </summary>
 ## <param name="domain">
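Review bot: The parameter description of `userdom_dontaudit_relabelfrom_unpriv_user_pty` says `Domain allowed access.`, but the interface grants nothing and only suppresses auditing. It should read `Domain to not audit.` so that a reader of the generated interface documentation does not take it for a permission grant. Both summaries also say "Relabel files" although the rules apply to `chr_file` objects. "Relabel character files to unprivileged user pty types" would be more accurate. Both interfaces match on the `user_ptynode` attribute while their names say "unpriv_user". If that attribute also covers ptys of other user domains, the names understate the scope, which is worth confirming against the attribute's declaration.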