selinux sandbox not useful [preauth] : 211 time(s)
Frantisek Hanzlik
franta at hanzlici.cz
Wed Dec 26 20:44:15 UTC 2012
Reindl Harald wrote:
>
>
> On 25.12.2012 10:34, Michael Schwendt wrote:
>> On Tue, 25 Dec 2012 04:34:13 +0100, Reindl Harald wrote:
>>
>>> is it possible on systems with selinux completely disabled to
>>> get rid of these messages in /var/log/secure every time an
>>> ssh-session is opened?
>>>
>>> Dec 25 04:33:28 localhost sshd[10980]: selinux sandbox not useful [preauth]
>>
>> What you haven't told:
>> Does it print that even if you disable the feature in sshd_config?
>
> how?
>
> I have not enabled anything selinux related
openssh-5.9p1 (-28.fc17) seems to be patched by some openssh-5.9p1-sesandbox.patch
which hardly prints this message (if selinux is disabled):
...
diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox openssh-5.9p1/openbsd-compat/port-linux.c
--- openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox 2011-09-19 04:10:14.731521450 +0200
+++ openssh-5.9p1/openbsd-compat/port-linux.c 2011-09-19 04:10:15.292521265 +0200
...
int ssh_selinux_change_context(const char *newname)
{
...
if (!ssh_selinux_enabled())
- return;
+ return -2;
....
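Review bot: the bare -2 returned from the `!ssh_selinux_enabled()` branch of ssh_selinux_change_context() is an undocumented magic value that callers have to match literally. Give it a named constant, or at least a comment on the function listing its return codes, so the "SELinux disabled" case cannot drift out of sync with the `case -2:` that consumes it.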
+void ssh_sandbox_privileged_child(struct ssh_sandbox *box)
+{
+ switch (ssh_selinux_change_context("sshd_sandbox_t")) {
+ case 0:
+ debug3("selinux sandbox child sucessfully enabled");
+ break;
+ case -2:
+ logit("selinux sandbox not useful");
+ break;
...
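Review bot: in `case -2:` of ssh_sandbox_privileged_child(), `logit("selinux sandbox not useful")` reports an expected configuration (SELinux disabled, per the `return -2` path) at normal log level, so it fires for every pre-auth child and fills /var/log/secure with noise that can bury real authentication events. Drop it to a debug level, as the `case 0:` branch does with debug3(), or log it once at daemon start instead. The success message in `case 0:` also misspells "successfully".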
Thus the right way perhaps is to improve this patch (bugzilla?)