From 1ef1ca2342e7a0cab4716ff54ccde983146f9865 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 5 Jul 2024 14:47:47 -0400
Subject: sshd: label sshd-session as sshd_exec_t

OpenSSH 9.8 splits out much of the session code from the main sshd binary into a new sshd-session binary. Allow the sshd server to execute this binary by labeling it as sshd_exec_t.

Signed-off-by: Kenton Groombridge
Signed-off-by: Jason Zaman
---
 policy/modules/services/ssh.fc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 5c512e97..a30d01af 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -8,6 +8,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+/usr/lib/misc/sshd-session -- gen_context(system_u:object_r:sshd_exec_t,s0)
 /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
-- cgit v1.2.3-65-gdbad
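Review bot: The added entry labels sshd-session only under `/usr/lib/misc/`, although the context lines just below it label ssh-keysign under both `/usr/lib/openssh/` and `/usr/lib/ssh/`, so the same helper installed in one of those directories would presumably keep the directory's default type instead of sshd_exec_t. Because OpenSSH 9.8 moves session handling into this binary, a confined sshd that is denied execution of it would refuse logins, which makes a missed path an availability problem rather than a cosmetic one. If the policy is meant to cover those layouts, consider adding `/usr/lib/openssh/sshd-session -- gen_context(system_u:object_r:sshd_exec_t,s0)` and `/usr/lib/ssh/sshd-session -- gen_context(system_u:object_r:sshd_exec_t,s0)`. The change touches only ssh.fc, so it relies on ssh.te already allowing sshd_t to execute sshd_exec_t without a transition, which is not visible here and is worth confirming, and on already-installed binaries being relabelled after the policy update.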