From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 27 Jan 2014 13:23:02 -0500 Subject: [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep In-Reply-To: <1390646637-20687-1-git-send-email-bigon@debian.org> References: <1390646637-20687-1-git-send-email-bigon@debian.org> Message-ID: <52E6A406.3020305@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 01/25/14 05:43, Laurent Bigonville wrote: > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te > index 30726f2..a19c9f9 100644 > --- a/policy/modules/services/ssh.te > +++ b/policy/modules/services/ssh.te > @@ -34,6 +34,7 @@ ssh_server_template(sshd) > init_daemon_domain(sshd_t, sshd_exec_t) > > ifdef(`distro_debian',` > + allow sshd_t sshd_var_run_t:dir { getattr search }; > init_daemon_run_dir(sshd_var_run_t, "sshd") > ') This looks like it should be in ssh_server_template(). Also please use search_dir_perms permission set. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
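Review bot: The added allow rule inside the ifdef(`distro_debian',` block spells out { getattr search } by hand and has no comment saying which directory sshd_t needs to traverse or why the access is limited to Debian. Writing it as allow sshd_t sshd_var_run_t:dir search_dir_perms; would use the permission set instead of a raw list, and a one-line comment naming the privsep directory mentioned in the subject line would let a later reader judge whether the grant is still the minimum needed. If the access is not Debian-specific, the rule should move out of the ifdef, since it otherwise applies to sshd_t only when distro_debian is defined.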