From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 26 Sep 2013 17:19:35 +0200
Subject: [refpolicy] [PATCH 08/20] ssh: sshd connects to avahi with a unix domain socket ssh: sshd gets and sets capabilities in debian
In-Reply-To: <20130926170728.5150d925@soldur.bigon.be>
References: <1380029975-25153-1-git-send-email-dominick.grift@gmail.com> <524431E4.5090805@tresys.com> <1380201366.2561.11.camel@d30> <20130926170728.5150d925@soldur.bigon.be>
Message-ID: <1380208775.2561.16.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-09-26 at 17:07 +0200, Laurent Bigonville wrote:
> On Thu, 26 Sep 2013 15:16:06 +0200,
> Dominick Grift wrote:
>
> > On Thu, 2013-09-26 at 09:08 -0400, Christopher J. PeBenito wrote:
> [...]
> > > Shouldn't this already be allowed by being a nsswitch_domain?
> >
> > Good point
> >
> > However, I am not able to confirm that sshd needs nsswitch support
> > Also Fedora has not made sshd, or ssh server domains nsswitch domains.
> >
> > Therefore I suggest we allow this for now, and then if we later
> > determine that sshd and ssh server domains need full nsswitch support
> > that we change that then instead.
>
> I've the feeling that sshd is trying to connect to avahi due to the
> following configuration in nsswitch.conf:
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
>
> this is not the default configuration, but this is automatically added
> when the libnss-mdns package is installed (this package might be pulled
> by the "desktop" task/metapackage).
>
> my 2?
>

Yes please ignore this for now. I need to dig a little deeper into this
first

Seems sshd_t is already nsswitch_domain by auth_use_pam and
auth_login_pgm_domain

> Laurent Bigonville
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
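
To check on a given host whether the NSS configuration quoted above is what makes a daemon such as sshd open a connection to avahi, the following added example (not part of this thread or of refpolicy) parses nsswitch.conf text and lists the databases whose lookup chain contains an nss-mdns module. The sample file, the function names and the module-name pattern are assumptions made for illustration.

```python
import re

# Constructed sample: the hosts line quoted in the message plus two other databases.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
"""

# Assumption: nss-mdns modules (mdns, mdns4, mdns6 and their _minimal variants)
# resolve names by asking avahi-daemon over its unix domain socket.
MDNS = re.compile(r"^mdns[46]?(_minimal)?$")

def parse_nsswitch(text):
    """Return {database: [(service, [actions])]} in lookup order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        entries = []
        # A token is either a service name or a bracketed action list.
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                if entries:                   # actions bind to the preceding service
                    entries[-1][1].extend(tok.strip("[]").split())
            else:
                entries.append((tok, []))
        table[db.strip()] = entries
    return table

def avahi_lookups(text):
    """Databases whose lookup chain includes an mdns module, with those modules."""
    hits = {}
    for db, entries in parse_nsswitch(text).items():
        mods = [svc for svc, _ in entries if MDNS.match(svc)]
        if mods:
            hits[db] = mods
    return hits

if __name__ == "__main__":
    for db, mods in avahi_lookups(SAMPLE).items():
        print(f"{db}: {', '.join(mods)} -> lookups go to the avahi-daemon socket")
```

Run against the real /etc/nsswitch.conf, an empty result means name lookups on that host do not go through avahi, so an AVC denial for the avahi socket would have another cause.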