From: bigon@debian.org (Laurent Bigonville)
Date: Thu, 26 Sep 2013 17:07:28 +0200
Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian
In-Reply-To: <1380201366.2561.11.camel@d30>
References: <1380029975-25153-1-git-send-email-dominick.grift@gmail.com> <524431E4.5090805@tresys.com> <1380201366.2561.11.camel@d30>
Message-ID: <20130926170728.5150d925@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 26 Sep 2013 15:16:06 +0200, Dominick Grift wrote:

> On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
[...]
> > Shouldn't this already be allowed by being a nsswitch_domain?
>
> Good point
>
> However, I am not able to confirm that sshd needs nsswitch support
> Also Fedora has not made sshd, or ssh server domains nsswitch domains.
>
> Therefore I suggest we allow this for now, and then if we later
> determine that sshd and ssh server domains need full nsswitch support
> that we change that then instead.

I've the feeling that sshd is trying to connect to avahi due to the
following configuration in nsswitch.conf:

    hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

This is not the default configuration, but this is automatically added
when the libnss-mdns package is installed (this package might be pulled
by the "desktop" task/metapackage).

my 2¢

Laurent Bigonville
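Added example, not part of the message above or of the refpolicy patch: a small audit of an nsswitch.conf that reports which databases consult libnss-mdns modules, which is the situation the message describes. The function names are hypothetical, the sample file is constructed around the quoted `hosts` line, and the module list and the statement that these modules resolve through avahi-daemon's socket are assumptions about libnss-mdns.

```python
import re

# NSS modules shipped by libnss-mdns; assumption: each resolves through
# avahi-daemon's unix stream socket, as the message suggests.
MDNS_SERVICES = {"mdns", "mdns4", "mdns6",
                 "mdns_minimal", "mdns4_minimal", "mdns6_minimal"}

# Constructed sample: the hosts line quoted in the message plus two common entries.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
"""

def parse_nsswitch(text):
    """Return {database: [service, ...]}, dropping comments and [STATUS=action] items."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        # Action items such as [NOTFOUND=return] may contain spaces; strip them first.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        databases[db.strip()] = rest.split()
    return databases

def mdns_lookups(text):
    """Return {database: [mdns services]} for databases that consult libnss-mdns."""
    hits = {}
    for db, services in parse_nsswitch(text).items():
        used = [s for s in services if s in MDNS_SERVICES]
        if used:
            hits[db] = used
    return hits

if __name__ == "__main__":
    import sys
    # With a path argument, audit that file; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NSSWITCH
    for db, used in mdns_lookups(text).items():
        print(f"{db}: {', '.join(used)} -> lookups may connect to avahi-daemon")
```

Any confined domain that performs a lookup in a reported database would need the corresponding avahi socket access in policy, or the denial shows up in the audit log.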