From 804b0bbba3ea71c1932102ddf19c7c24a3f1e823 Mon Sep 17 00:00:00 2001
From: doublez13
Date: Fri, 12 Sep 2025 12:25:55 -0600
Subject: [PATCH] ssh: allow ssh to write to the kerberos CC when it picks up a ticket
---
 apparmor.d/groups/ssh/ssh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index c2926a3a4..0d6826490 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -44,6 +44,8 @@ profile ssh @{exec_path} {
 owner @{user_projects_dirs}/**/ssh/{,*} r,
 owner @{user_projects_dirs}/**/config r,
+ owner @{tmp}/krb5cc_* rwk,
+
 audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,
 owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
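Review bot: The added `owner @{tmp}/krb5cc_* rwk,` rule only matches a file-based credential cache sitting directly in `@{tmp}`, since `*` does not cross `/`; a directory-style cache under `@{tmp}` or a cache stored elsewhere would presumably still be denied, so confirm which cache types this profile is meant to cover. The rule also gives ssh write and lock access to the file holding the user's Kerberos tickets with no explanation in the profile; a comment above it such as `# GSSAPI: ssh stores the service ticket it obtains in the user's credential cache` would record why `w` and `k` are needed and not just `r`. If only the default per-uid naming is expected, `owner @{tmp}/krb5cc_@{uid}{,_*} rwk,` would be a tighter match than `krb5cc_*`. The profile body starts and ends outside this hunk, so any existing Kerberos abstraction or rule elsewhere in it is not visible here.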