From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 26 Sep 2013 09:08:52 -0400
Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a
 unix domain socket ssh: sshd gets and sets capabilities in debian
In-Reply-To: <1380029975-25153-1-git-send-email-dominick.grift@gmail.com>
References: <1380029975-25153-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <524431E4.5090805@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue 24 Sep 2013 09:39:35 AM EDT, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
>  policy/modules/services/ssh.if | 2 +-
>  policy/modules/services/ssh.te | 4 ++++
>  2 files changed, 5 insertions(+), 1 deletion(-)
[...]
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index eada65c..cbdfac7 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',`
>  ')
>
>  optional_policy(`
> +	avahi_stream_connect(sshd_t)
> +')

Shouldn't this already be allowed by being a nsswitch_domain?

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com