From fc8bbe630ae18982f6d46c1e95df0b9f854585f3 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Fri, 27 Sep 2013 13:36:07 +0200
Subject: [PATCH] ssh: Debian sshd is configured to use capabilities

Signed-off-by: Dominick Grift
---
 policy/modules/services/ssh.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 6977e7a23..42a04006b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -245,6 +245,10 @@ term_relabelto_all_ptys(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
+ifdef(`distro_debian',`
+ allow sshd_t self:process { getcap setcap };
+')
+
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
 # ioctl is necessary for logout() processing for utmp entry and for w to
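Review bot: The new `distro_debian` block grants `allow sshd_t self:process { getcap setcap };` with no comment in the policy saying what in Debian's sshd needs it, so a later audit of ssh.te cannot tell whether the grant is still required. A one-line comment above the rule, for example `# Debian sshd is configured to use capabilities (capget/capset on itself)`, would carry the commit subject into the file. Since `setcap` lets the daemon change its own capability sets, it is worth confirming from the recorded AVC denials that both permissions are actually exercised, and dropping whichever is not. The rule is limited to `self` and to the Debian build, which keeps the scope narrow. The surrounding policy section starts and ends outside the hunk.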