diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 1e0480ab..ef79d3fb 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -262,6 +262,10 @@ template(`ssh_per_userdomain_template',`
 userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
 # Allow the ssh program to communicate with ssh-agent.
+ allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+ allow $1_ssh_t $1_ssh_agent_tmp_t:sock_file write;
+ allow $1_ssh_t $1_ssh_agent_tmp_t:dir search;
+ allow $1_ssh_t sshd_t:unix_stream_socket connectto;
 userdom_use_unpriv_users_fds($1_ssh_t)
@@ -320,9 +324,7 @@ template(`ssh_per_userdomain_template',`
 allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
- allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };
-
- allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+ allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow $1_ssh_agent_t $1_ssh_agent_tmp_t:dir manage_dir_perms;
 allow $1_ssh_agent_t $1_ssh_agent_tmp_t:sock_file manage_file_perms;
@@ -330,6 +332,7 @@ template(`ssh_per_userdomain_template',`
 # for ssh-add
 allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
+ allow $2 $1_ssh_agent_tmp_t:sock_file write;
 # Allow the user shell to signal the ssh program.
 allow $2 $1_ssh_agent_t:process signal;
@@ -405,12 +408,6 @@ template(`ssh_per_userdomain_template',`
 ')
 dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-
- allow $1_ssh_t $1_tmp_t:sock_file write;
-
- # Allow the ssh program to communicate with ssh-agent.
- allow $1_ssh_t $1_tmp_t:sock_file write;
- allow $1_ssh_t $2:unix_stream_socket connectto;
 ') dnl endif TODO
 ##############################
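Review bot: The fourth added rule in the first hunk, `allow $1_ssh_t sshd_t:unix_stream_socket connectto;`, sits under the `# Allow the ssh program to communicate with ssh-agent.` comment but is not about the user's own agent; it looks like the client reaching a socket that sshd owns, presumably a forwarded agent socket, and as written it grants connectto to every sshd_t unix stream socket rather than only that one. If that is the intent, the socket file sshd creates is not in $1_ssh_agent_tmp_t, so the matching sock_file write is not in this hunk and the connect would still be refused at the path unless that permission is granted elsewhere (cannot tell from here). Either way the rule deserves its own comment, e.g. `# Allow ssh to use an agent socket forwarded by sshd.`, and the three $1_ssh_agent_tmp_t rules are correctly narrower than the $1_tmp_t rules the last hunk removes. The template ssh_per_userdomain_template starts and ends outside this hunk.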
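Review bot: The ssh-add path in the third hunk gains `allow $2 $1_ssh_agent_tmp_t:sock_file write;` but not the `dir search` on $1_ssh_agent_tmp_t that the first hunk gives $1_ssh_t next to the same sock_file write, so the user domain can reach the socket file only if it already searches that directory through a rule outside this diff. Unless that is already covered, `allow $2 $1_ssh_agent_tmp_t:dir search;` belongs beside the new line so the two client paths stay consistent. The surrounding template continues outside the hunk.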