From 397d4a379f23c23bcfd0e208b97351e4ec718bff Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 6 Nov 2021 21:35:24 -0400
Subject: [PATCH] ssh: fix for polyinstantiation

If using polyinstantiation, sshd needs to be able to create a new tmp directory for remote users.

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/ssh.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index dabd52c2f..6d7971df9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -289,6 +289,11 @@ tunable_policy(`ssh_sysadm_login',`
 userdom_signal_unpriv_users(sshd_t)
 ')
 
+tunable_policy(`allow_polyinstantiation',`
+ allow sshd_t self:capability dac_override;
+ files_relabel_generic_tmp_dirs(sshd_t)
+')
+
 optional_policy(`
 daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
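Review bot: `allow sshd_t self:capability dac_override;` in the new `allow_polyinstantiation` block lets sshd_t bypass discretionary read, write and search checks on every object its type rules already reach, and nothing in the block records which access required it. The commit message only says sshd must create a tmp directory for remote users, so a comment above the two rules would help, for example `# polyinstantiation: sshd creates and relabels the tmp instance directory for remote users`, adjusted to what the AVC denial actually showed. If that denial was limited to read or search on the parent directory, `dac_read_search` would be the narrower capability; this cannot be determined from the hunk alone. The comment should also say why `files_relabel_generic_tmp_dirs(sshd_t)` is needed, since by its name it covers all generic tmp directories rather than only the per-user instance.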