From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 22 Mar 2010 10:52:28 -0400
Subject: [refpolicy] services_ssh.patch
In-Reply-To: <4B845362.2000909@redhat.com>
References: <4B845362.2000909@redhat.com>
Message-ID: <1269269548.565.15.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-02-23 at 17:14 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ssh.patch
>
> Handle ssh-copy-id
>
> ssh_home_t should not be per domain.

The template you're changing is not used for user home dirs.
ssh_role_template() does not call ssh_basic_client_template().
ssh_basic_client_template() is only called from nx and xen, where it
makes sense to have separate ssh keys.

> ssh needs to ask kernel to load modules
>
> Handle tunnels
>
> Allow sshd_t to transition to sftpd_t
>
>

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150