From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 26 Sep 2013 15:16:06 +0200
Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian
In-Reply-To: <524431E4.5090805@tresys.com>
References: <1380029975-25153-1-git-send-email-dominick.grift@gmail.com> <524431E4.5090805@tresys.com>
Message-ID: <1380201366.2561.11.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
> On Tue 24 Sep 2013 09:39:35 AM EDT, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift
> > ---
> > policy/modules/services/ssh.if | 2 +-
> > policy/modules/services/ssh.te | 4 ++++
> > 2 files changed, 5 insertions(+), 1 deletion(-)
> [...]
> > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> > index eada65c..cbdfac7 100644
> > --- a/policy/modules/services/ssh.te
> > +++ b/policy/modules/services/ssh.te
> > @@ -253,6 +253,10 @@ tunable_policy(`ssh_sysadm_login',`
> > ')
> >
> > optional_policy(`
> > + avahi_stream_connect(sshd_t)
> > +')
>
> Shouldn't this already be allowed by being a nsswitch_domain?

Good point.

However, I am not able to confirm that sshd needs nsswitch support.

Also, Fedora has not made sshd, or ssh server domains, nsswitch domains.

Therefore I suggest we allow this for now, and then if we later
determine that sshd and ssh server domains need full nsswitch support,
we change that then instead.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
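
Review bot: The avahi_stream_connect(sshd_t) call added in the new optional_policy block of ssh.te has no comment saying which sshd operation needs the avahi socket, and the thread leaves open whether it is name-service lookup that nsswitch_domain would cover. Suggest a one-line comment above the call recording the observed use case, so the rule can be dropped if sshd later becomes a nsswitch domain. The subject also bundles two changes (the avahi connect and the Debian capability get/set); splitting them into separate patches would let each be reviewed and reverted on its own.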