diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b3a45404..07b18929 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -366,6 +366,44 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
dontaudit $1 ptynode:chr_file getattr;
')
+########################################
+##
+## Set the attributes of all user
+## pty device nodes.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`term_setattr_all_user_ptys',`
+ gen_require(`
+ attribute ptynode;
+ class dir r_dir_perms;
+ class chr_file setattr;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir r_dir_perms;
+ allow $1 ptynode:chr_file setattr;
+')
+
+########################################
+##
+## Relabel to all user ptys.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`term_relabelto_all_user_ptys',`
+ gen_require(`
+ attribute ptynode;
+ class chr_file relabelto;
+ ')
+
+ allow $1 ptynode:chr_file relabelto;
+')
+
########################################
##
## Read and write all user ptys.
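Review bot: term_setattr_all_user_ptys uses `devpts_t` in `allow $1 devpts_t:dir r_dir_perms;` but its gen_require only lists the `ptynode` attribute and the two classes, so the interface's declared requirements do not match what it references. Adding `type devpts_t;` next to `attribute ptynode;` in that gen_require keeps the interface self-describing and, if this build enforces gen_require, avoids it being reported as an unrequired type. The sibling term_relabelto_all_user_ptys is consistent in that respect, since it only touches ptynode.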
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 24770b87..ff92d99f 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -77,6 +77,12 @@ template(`ssh_per_userdomain_template',`
allow $1_t $1_home_ssh_t:lnk_file create_lnk_perms;
allow $1_t $1_home_ssh_t:sock_file create_file_perms;
+ # inheriting stream sockets is needed for "ssh host command" as no pty
+ # is allocated
+ # cjp: should probably fix target to be an attribute for ssh servers
+ # or "regular" (not special like sshd_extern_t) servers
+ allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
+
# ssh client can manage the keys and config
allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
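Review bot: `allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;` grants every per-user domain the full stream-socket permission set on sshd_t sockets, while the comment above it describes only using a socket pair inherited across the fork for "ssh host command" when no pty is allocated. An inherited descriptor needs read/write (and at most getattr/ioctl), not the bind/connect/listen/accept that rw_stream_socket_perms presumably expands to, so `allow $1_t sshd_t:unix_stream_socket { read write getattr ioctl };` would cover the stated case with less surplus. The rule also sits outside any tunable, so it applies regardless of ssh_sysadm_login, which is worth stating in the comment since the old TODO'd version lived inside that tunable's branches. The template body continues outside the hunk.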
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 3e2fffcc..a04588d3 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -72,30 +72,33 @@ seutil_read_config(sshd_t)
# Allow checking users mail at login
mta_getattr_spool(sshd_t)
+tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t ptyfile:chr_file relabelto;
+ term_use_all_user_ptys(sshd_t)
+ term_setattr_all_user_ptys(sshd_t)
+ term_relabelto_all_user_ptys(sshd_t)
+
+ userdom_spec_domtrans_all_users(sshd_t)
+ userdom_signal_all_users(sshd_t)
+',`
+ userdom_spec_domtrans_unpriv_users(sshd_t)
+ userdom_signal_unpriv_users(sshd_t)
+')
+
optional_policy(`rpm.te',`
rpm_use_script_fd(sshd_t)
')
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
- userdom_spec_domtrans_all_users(sshd_t)
- userdom_signal_all_users(sshd_t)
-
optional_policy(`xauth.te',`
domain_trans(sshd_t, xauth_exec_t, userdomain)
')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
- allow sshd_t ptyfile:chr_file { relabelto read write getattr ioctl setattr };
- # inheriting stream sockets is needed for "ssh host command" as no pty
- # is allocated
- allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
',`
- userdom_spec_domtrans_unpriv_users(sshd_t)
- userdom_signal_unpriv_users(sshd_t)
-
optional_policy(`xauth.te',`
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
')
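Review bot: `allow sshd_t ptyfile:chr_file relabelto;` in the new tunable block references the `ptyfile` attribute directly rather than through terminal.if, and it duplicates `term_relabelto_all_user_ptys(sshd_t)` three lines below, which already grants relabelto on the pty node attribute via the interface added in this commit. Unless `ptyfile` is declared somewhere this module can see, the raw rule will fail the build; either way it can be dropped and the explanatory comment above it kept. The remaining rules in the block mirror what was moved out of the ifdef TODO section, so only the relabelto line appears to be left over from the old form.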
@@ -104,14 +107,7 @@ tunable_policy(`ssh_sysadm_login',`
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
- # inheriting stream sockets is needed for "ssh host command" as no pty
- # is allocated
- allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
')
-
-# for when the network connection breaks after running newrole -r sysadm_r
-dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
-
') dnl endif TODO
#################################