[openssh] don't use chroot_user_t for chrooted users (#830237)
plautrba
plautrba at fedoraproject.org
Sat Sep 15 12:19:46 UTC 2012
commit 581bf30d076027e5ce2216cc4ff690f6f2d7730b
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Sat Sep 15 12:26:36 2012 +0200
don't use chroot_user_t for chrooted users (#830237)
openssh-5.9p1-privsep-selinux.patch | 35 -------------------------------
openssh-6.1p1-privsep-selinux.patch | 39 +++++++++++++++++++++++++++++++++++
openssh.spec | 2 +-
3 files changed, 40 insertions(+), 36 deletions(-)
---
diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch
new file mode 100644
index 0000000..b3f96c4
--- /dev/null
+++ b/openssh-6.1p1-privsep-selinux.patch
@@ -0,0 +1,39 @@
+diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
+--- openssh-6.1p1/session.c.privsep-selinux 2012-09-15 13:45:26.079476022 +0200
++++ openssh-6.1p1/session.c 2012-09-15 13:45:28.460522390 +0200
+@@ -1513,6 +1513,7 @@ do_setusercontext(struct passwd *pw)
+
+ platform_setusercontext_post_groups(pw);
+
++
+ if (options.chroot_directory != NULL &&
+ strcasecmp(options.chroot_directory, "none") != 0) {
+ tmp = tilde_expand_filename(options.chroot_directory,
+@@ -1536,6 +1537,10 @@ do_setusercontext(struct passwd *pw)
+ /* Permanently switch to the desired uid. */
+ permanently_set_uid(pw);
+ #endif
++
++#ifdef WITH_SELINUX
++ ssh_selinux_copy_context();
++#endif
+ }
+
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
+--- openssh-6.1p1/sshd.c.privsep-selinux 2012-09-15 13:45:26.062475676 +0200
++++ openssh-6.1p1/sshd.c 2012-09-15 13:45:28.467522539 +0200
+@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
+ do_setusercontext(authctxt->pw);
+
+ skip:
++#ifdef WITH_SELINUX
++ /* switch SELinux content for root too */
++ if (authctxt->pw->pw_uid == 0) {
++ ssh_selinux_copy_context();
++ }
++#endif
++
+ /* It is safe now to apply the key state */
+ monitor_apply_keystate(pmonitor);
+
diff --git a/openssh.spec b/openssh.spec
index 87f8fe5..4c126e9 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -147,7 +147,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1940
#Patch403: openssh-5.9p1-sesandbox.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
-Patch404: openssh-5.9p1-privsep-selinux.patch
+Patch404: openssh-6.1p1-privsep-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Patch500: openssh-6.1p1-akc.patch