From 890f02e9fd6daa8f8a6562d2bd4b9ef2acae8094 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Thu, 8 Dec 2011 17:01:46 +0000
Subject: [PATCH] Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain * needed for gridengine mpi jobs and for sge policy
---
 policy/modules/services/ssh.if | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index c2efd25d..6ec295a0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -35,6 +35,7 @@ template(`ssh_basic_client_template',`
 gen_require(`
 attribute ssh_server;
 type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+ type ssh_keysign_exec_t, ssh_keysign_t;
 type ssh_home_t;
 ')
 
@@ -85,6 +86,10 @@ template(`ssh_basic_client_template',`
 # or "regular" (not special like sshd_extern_t) servers
 allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
 
+ # derived domain can execute ssh-keysign
+ domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+ role $3 types ssh_keysign_t;
+
 # allow ps to show ssh
 ps_process_pattern($2, $1_ssh_t)
 
-- 
2.47.3
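Review bot: The `domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)` line added in the second hunk is unconditional, so every domain derived through ssh_basic_client_template gains a transition into ssh_keysign_t, not only the gridengine/sge case the commit message names. ssh-keysign is the helper that reads the host's private keys for host-based authentication, so this widens which confined clients can reach that domain; consider wrapping the domtrans_pattern line in a tunable_policy block keyed on a host-based-authentication boolean (the `role $3 types ssh_keysign_t;` line has to stay outside, since role statements cannot be conditional), or moving the grant into a separate interface that only the sge policy calls. The subject line says ssh-keygen and ssh_keygen_t while the code and its comment refer to ssh-keysign and ssh_keysign_t, so the comment could read `# derived domain can run ssh-keysign (host-based authentication helper) in ssh_keysign_t`. The template body starts before and continues past both hunks, so any existing conditional around this area is not visible here.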