From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 6 Feb 2014 09:03:47 -0500
Subject: [refpolicy] [PATCH 1/2] Add fcontext for sshd pidfile and directory used for privsep
In-Reply-To: <20140206125701.03228b71@soldur.bigon.be>
References: <1391635412-16253-1-git-send-email-bigon@debian.org> <20140206125701.03228b71@soldur.bigon.be>
Message-ID: <52F39643.3050908@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/06/14 06:57, Laurent Bigonville wrote:
> On Wed, 5 Feb 2014 22:23:31 +0100,
> Laurent Bigonville wrote:
>
> [...]
>
>> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
>> index fe0c682..48eb1c8 100644
>> --- a/policy/modules/services/ssh.if
>> +++ b/policy/modules/services/ssh.if
>> @@ -196,6 +196,7 @@ template(`ssh_server_template', `
>>  	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
>>  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
>>
>> +	allow $1_t $1_var_run_t:dir search_dir_perms;
>>  	allow $1_t $1_var_run_t:file manage_file_perms;
>>  	files_pid_filetrans($1_t, $1_var_run_t, file)
>>
>
> Or maybe this should be conditional for debian only?

No, it's fine. Actually I was thinking that perhaps the init_daemon_run_dir() should become unconditional instead, since we have the fc entries.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
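Review bot: the added `allow $1_t $1_var_run_t:dir search_dir_perms;` grants $1_t only traversal of the $1_var_run_t directory, and no dir-class filetrans is added next to the existing `files_pid_filetrans($1_t, $1_var_run_t, file)`, so the rule is sufficient only if the privsep directory is created and labelled before the daemon starts (for example by the init_daemon_run_dir() call discussed later in the thread); if sshd ever has to create that directory itself it would still be denied, so the commit message should state which component creates it, and the .fc change named in the subject is elided here by the "[...]" and should be reviewed together with this hunk.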