From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 18 Jan 2010 15:29:28 -0500
Subject: [refpolicy] services_ssh.patch
In-Reply-To: <1263587328.2570.39.camel@gorn.columbia.tresys.com>
References: <4AFC860D.1020606@redhat.com> <1263587328.2570.39.camel@gorn.columbia.tresys.com>
Message-ID: <4B54C4A8.8020604@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/15/2010 03:28 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:02 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
>>
>> Handle /root/.ssh directory
>>
>>
>> Lots of other fixes.
>
> Moved tmpfs to server template to go along with the sem usage.
>
> Since the tunnel support apparently needs net_admin capability, it needs
> to be put in a conditional. The capability definitely shouldn't be
> allowed in general use.
>
> Dropped home dir changes to the client template. It shouldn't be using
> the user's ssh home dir.
>
> Moved the "Required for FreeNX" /var/lib rules into the NX optional.
>
> Otherwise merged.
>

You still have places in your ssh.te that use home_ssh_t as opposed to ssh_home_t. Which should we use?