From: Jeff Mahoney
Subject: Fix for sshd profile
References: bnc#457072

Without this patch, sshd won't work in enforce mode.

libselinux accesses /proc/filesystems to determine if it's enabled bash won't execute audit_control is probably from libselinux too

---
 profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -30,6 +30,8 @@
 capability kill,
 capability setgid,
 capability setuid,
+ capability audit_control,
+ capability sys_ptrace,
 
 /dev/ptmx rw,
 /dev/urandom r,
@@ -44,11 +46,12 @@
 @{PROC}/[0-9]*/fd/ r,
 @{PROC}/[0-9]*/loginuid w,
+ @{PROC}/filesystems r,
 
 # should only be here for use in non-change-hat openssh
 # duplicated from EXEC hat
 /bin/ash Ux,
- /bin/bash Ux,
+ /bin/bash rUx,
 /bin/bash2 Ux,
 /bin/bsh Ux,
 /bin/csh Ux,
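Review bot: The added `capability sys_ptrace,` in the first hunk has no justification anywhere in the commit message, which only accounts for audit_control and the /proc/filesystems read; a capability that broad should not enter the sshd profile without a recorded reason, so either cite the denial that motivated it or drop it. The audit_control grant is attributed to libselinux only with a "probably"; the existing `@{PROC}/[0-9]*/loginuid w,` rule visible in the second hunk is the more likely consumer, since writing loginuid is a privileged audit operation, and confirming that would let the comment be precise. Propose a one-line comment above each new capability naming what needs it, e.g. `# audit_control: writing @{PROC}/[0-9]*/loginuid (pam_loginuid) — confirm`, and the same for sys_ptrace once its source is known. Reviewing the denials in complain mode before enforce would settle both without guesswork.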