ssh: fix for polyinstantiation

If using polyinstantiation, sshd needs to be able to create a new tmp directory for remote users. Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-06 21:35:24 -04:00 · 2021-11-06 21:35:24 -04:00 · 397d4a379f
commit 397d4a379f
parent 19d787597f
1 changed files with 5 additions and 0 deletions
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@ -289,6 +289,11 @@ tunable_policy(`ssh_sysadm_login',`
 	userdom_signal_unpriv_users(sshd_t)
 ')

+tunable_policy(`allow_polyinstantiation',`
+	allow sshd_t self:capability dac_override;
+	files_relabel_generic_tmp_dirs(sshd_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')