- Bug
- Resolution: Unresolved
- Minor
- rhel-9.6
- Low
- rhel-security-selinux
- QE ack
- Automated
- Unspecified Release Note Type - Unknown
What were you trying to do that didn't work?
When a confined user tries to start its ssh-agent.service unit, an AVC shows up because the agent cannot create its socket in the /run/user/<UID> directory:

    #============= staff_ssh_agent_t ==============
    allow staff_ssh_agent_t user_tmp_t:dir write;

    #============= user_ssh_agent_t ==============
    allow user_ssh_agent_t user_tmp_t:dir write;

RHEL10 has the proper rule, which was introduced as:

    userdom_user_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, sock_file)
What is the impact of this issue to you?
Users cannot start the agent
Please provide the package NVR for which the bug is seen:
selinux-policy-38.1.53-5.el9_6
How reproducible is this bug?
Always
Steps to reproduce
- Login as a confined user
- Start the service:

    # systemctl --user start ssh-agent
Expected results
Service starts.
Actual results
AVC and service doesn't start.
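The denial above is the kind audit2allow turns into a blanket `allow ... user_tmp_t:dir write` rule, which is broader than the filetrans fix the report points at. The following added example (not part of the original report or of selinux-policy) parses constructed AVC records modelled on this denial, regenerates the audit2allow-style rules quoted above, and flags the ones that the ssh-agent filetrans rule is the proper answer for. The sample audit lines, pids and inodes are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the original page). They mirror the
# denial the report describes: ssh-agent, confined as *_ssh_agent_t, cannot
# write into its /run/user/<UID> directory, which is labelled user_tmp_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1717000000.123:456): avc:  denied  { write } for  pid=2345 comm="ssh-agent" name="1001" dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1717000001.456:457): avc:  denied  { write } for  pid=2399 comm="ssh-agent" name="1002" dev="tmpfs" ino=1 scontext=user_u:user_r:user_ssh_agent_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1717000000.123:456): arch=c000003e syscall=49 success=no exit=-13
"""

# The rule the report says RHEL10 carries; quoted from the page, not invented here.
SSH_AGENT_FILETRANS = "userdom_user_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, sock_file)"


def parse_avc(line):
    """Return (perms, source_type, target_type, tclass) for an AVC denial, else None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    perms = frozenset(m.group(1).split())
    stype = fields["scontext"].split(":")[2]   # user:role:TYPE:level
    ttype = fields["tcontext"].split(":")[2]
    return perms, stype, ttype, fields["tclass"]


def audit2allow_like(lines):
    """Collapse denials into audit2allow-style allow rules, sorted for stable output."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, stype, ttype, tclass = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return [f"allow {s} {t}:{c} {' '.join(sorted(p))};" for (s, t, c), p in sorted(rules.items())]


def needs_filetrans(rule):
    """True for the over-broad 'ssh-agent may write into user_tmp_t dirs' rule.

    The narrower fix is a type transition so the socket the agent creates is
    labelled ssh_agent_tmp_t instead of inheriting the directory's user_tmp_t."""
    m = re.match(r"allow (\w+) (\w+):(\w+) ", rule)
    return bool(m) and m.group(1).endswith("_ssh_agent_t") \
        and m.group(2) == "user_tmp_t" and m.group(3) == "dir"


def recommend(lines):
    """Map each generated allow rule to the policy statement a maintainer would prefer."""
    return {r: (SSH_AGENT_FILETRANS if needs_filetrans(r) else "review manually")
            for r in audit2allow_like(lines)}
```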