SSH patch from Dan Walsh.

policy/modules/services/ssh.if

@@ -181,7 +181,7 @@ template(`ssh_server_template', `
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
-	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
@@ -237,6 +237,7 @@ template(`ssh_server_template', `
 
 	files_read_etc_files($1_t)
 	files_read_etc_runtime_files($1_t)
+	files_read_usr_files($1_t)
 
 	logging_search_logs($1_t)
 
@@ -265,7 +266,6 @@ template(`ssh_server_template', `
 
 	optional_policy(`
 		files_read_var_lib_symlinks($1_t)
-
 		nx_spec_domtrans_server($1_t)
 	')
 ')
@@ -388,6 +388,7 @@ template(`ssh_role_template',`
 	logging_send_syslog_msg($1_ssh_agent_t)
 
 	miscfiles_read_localization($1_ssh_agent_t)
+	miscfiles_read_certs($1_ssh_agent_t)
 
 	seutil_dontaudit_read_config($1_ssh_agent_t)
 
@@ -395,6 +396,7 @@ template(`ssh_role_template',`
 	userdom_use_user_terminals($1_ssh_agent_t)
 
 	# for the transition back to normal privs upon exec
+	userdom_search_user_home_content($1_ssh_agent_t)
 	userdom_user_home_domtrans($1_ssh_agent_t, $3)
 	allow $3 $1_ssh_agent_t:fd use;
 	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
@@ -696,6 +698,25 @@ interface(`ssh_dontaudit_read_server_keys',`
 	dontaudit $1 sshd_key_t:file { getattr read };
 ')
 
+######################################
+## <summary>
+##	Manage ssh home directory content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_manage_home_files',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	manage_files_pattern($1, ssh_home_t, ssh_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
 #######################################
 ## <summary>
 ##	Delete from the ssh temp files.

policy/modules/services/ssh.te

@@ -1,5 +1,5 @@
 
-policy_module(ssh, 2.1.2)
+policy_module(ssh, 2.1.3)
 
 ########################################
 #
@@ -310,10 +310,6 @@ tunable_policy(`ssh_sysadm_login',`
 	userdom_signal_unpriv_users(sshd_t)
 ')
 
-optional_policy(`
-	kerberos_keytab_template(sshd, sshd_t)
-')
-
 optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
@@ -322,6 +318,10 @@ optional_policy(`
 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
 
+optional_policy(`
+	kerberos_keytab_template(sshd, sshd_t)
+')
+
 optional_policy(`
 	rpm_use_script_fds(sshd_t)
 ')
@@ -333,10 +333,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain(sshd_t)
 	unconfined_shell_domtrans(sshd_t)
 ')
 
+optional_policy(`
+	xserver_domtrans_xauth(sshd_t)
+')
+
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd