From: dominick.grift@gmail.com (Dominick Grift) Date: Tue, 24 Sep 2013 15:39:35 +0200 Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian Message-ID: <1380029975-25153-1-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift --- policy/modules/services/ssh.if | 2 +- policy/modules/services/ssh.te | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index fe0c682..78ce711 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -183,7 +183,7 @@ template(`ssh_server_template', ` allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { signal getcap getsched setcap setsched setrlimit setexec setkeycreate }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index eada65c..cbdfac7 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',` ') optional_policy(` + avahi_stream_connect(sshd_t) +') + +optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') -- 1.8.3.1
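Review bot: the ssh.if hunk widens `allow $1_t self:process { ... }` with `getcap setcap` inside `ssh_server_template`, so every domain built from the template gains the permissions, not only `sshd_t` as the subject line ("sshd gets and sets capabilities in debian") suggests; if only the Debian sshd needs it, consider stating in the commit message (or a comment above the rule) which sshd feature triggers the capability get/set so later reviewers can tell whether the template-wide grant is intended. The patch also bundles two unrelated changes (capabilities in ssh.if, avahi in ssh.te) under one subject; splitting them would make each easier to bisect and revert.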
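Review bot: the ssh.te hunk adds `optional_policy(\` avahi_stream_connect(sshd_t) ')` without saying why sshd needs a unix stream connection to avahi; please add the reason (the denial or the configuration that produces it) to the commit message, since granting a daemon a new socket connection to another service is exactly the kind of rule that should be justifiable from the policy log. The block is placed alphabetically before the `daemontools_service_domain` block, which matches refpolicy's ordering convention, and the `avahi_stream_connect` interface is not shown in this diff, so confirm it already exists in avahi.if at this tree's version.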