more ssh agent fixes

policy/modules/services/ssh.if

@@ -262,6 +262,10 @@ template(`ssh_per_userdomain_template',`
 	userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
 
 	# Allow the ssh program to communicate with ssh-agent.
+	allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+	allow $1_ssh_t $1_ssh_agent_tmp_t:sock_file write;
+	allow $1_ssh_t $1_ssh_agent_tmp_t:dir search;
+
 	allow $1_ssh_t sshd_t:unix_stream_socket connectto;
 
 	userdom_use_unpriv_users_fds($1_ssh_t)
@@ -320,9 +324,7 @@ template(`ssh_per_userdomain_template',`
 
 	allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
 
-	allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };
+	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-	allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
 
 	allow $1_ssh_agent_t $1_ssh_agent_tmp_t:dir manage_dir_perms;
 	allow $1_ssh_agent_t $1_ssh_agent_tmp_t:sock_file manage_file_perms;
@@ -330,6 +332,7 @@ template(`ssh_per_userdomain_template',`
 
 	# for ssh-add
 	allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
+	allow $2 $1_ssh_agent_tmp_t:sock_file write;
 
 	# Allow the user shell to signal the ssh program.
 	allow $2 $1_ssh_agent_t:process signal;
@@ -405,12 +408,6 @@ template(`ssh_per_userdomain_template',`
 	')
 
 	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-
-	allow $1_ssh_t $1_tmp_t:sock_file write;
-
-	# Allow the ssh program to communicate with ssh-agent.
-	allow $1_ssh_t $1_tmp_t:sock_file write;
-	allow $1_ssh_t $2:unix_stream_socket connectto;
 	') dnl endif TODO
 
 	##############################