From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 25 Jan 2010 08:34:53 -0500
Subject: [refpolicy] services_ssh.patch
In-Reply-To: <4B54C4A8.8020604@redhat.com>
References: <4AFC860D.1020606@redhat.com> <1263587328.2570.39.camel@gorn.columbia.tresys.com> <4B54C4A8.8020604@redhat.com>
Message-ID: <1264426493.2570.4392.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2010-01-18 at 15:29 -0500, Daniel J Walsh wrote:
> On 01/15/2010 03:28 PM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:02 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ssh.patch
> >> Handle /root/.ssh directory
> >>
> >>
> >> Lots of other fixes.
> >
> > Moved tmpfs to server template to go along with the sem usage.
> >
> > Since the tunnel support apparently needs net_admin capability, it needs
> > to be put in a conditional. The capability definitely shouldn't be
> > allowed in general use.
> >
> > Dropped home dir changes to the client template. It shouldn't be using
> > the user's ssh home dir.
> >
> > Moved the "Required for FreeNX" /var/lib rules into the NX optional.
> >
> > Otherwise merged.
> >
> You still have places in your ssh.te that use home_ssh_t as opposed to ssh_home_t.
>
> Which should we use?

ssh_home_t. I've fixed the usage.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150