[openssh] use SELinux type sshd_net_t for [net] childs (#915085)

plautrba plautrba at fedoraproject.org
Wed Mar 6 11:44:19 UTC 2013


commit 338e71981de77f7d93026f9a01d1483984e29c2d
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Sun Feb 24 16:36:18 2013 +0100

    use SELinux type sshd_net_t for [net] childs (#915085)

 openssh-5.9p1-sesandbox.patch       |    2 +-
 openssh-6.1p1-privsep-selinux.patch |   17 ++++++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)
---
diff --git a/openssh-5.9p1-sesandbox.patch b/openssh-5.9p1-sesandbox.patch
index ec84cef..6d60aff 100644
--- a/openssh-5.9p1-sesandbox.patch
+++ b/openssh-5.9p1-sesandbox.patch
@@ -247,7 +247,7 @@ diff -up openssh-5.9p1/sandbox-selinux.c.sesandbox openssh-5.9p1/sandbox-selinux
 +void
 +ssh_sandbox_privileged_child(struct ssh_sandbox *box)
 +{
-+	switch (ssh_selinux_change_context("sshd_sandbox_t")) {
++	switch (ssh_selinux_change_context("sshd_net_t")) {
 +	case 0:
 +		debug3("selinux sandbox child sucessfully enabled");
 +		break;
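Review bot: The SELinux type name `"sshd_net_t"` is now a bare string literal here in ssh_sandbox_privileged_child and again in the sshd.c hunk of openssh-6.1p1-privsep-selinux.patch. A single shared definition, for example `#define SSH_SELINUX_NET_TYPE "sshd_net_t"` (name constructed for illustration), would keep the two call sites from drifting apart if the policy type is renamed again. A mismatch between the two would only show up at run time as a failed transition. The switch statement continues outside the hunk, so the non-zero cases are not visible here.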
diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch
index a2912f5..881c71a 100644
--- a/openssh-6.1p1-privsep-selinux.patch
+++ b/openssh-6.1p1-privsep-selinux.patch
@@ -75,9 +75,20 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
  	}
  
 diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
---- openssh-6.1p1/sshd.c.privsep-selinux	2012-11-05 14:46:39.335809209 +0100
-+++ openssh-6.1p1/sshd.c	2012-11-05 14:46:39.341809247 +0100
-@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
+--- openssh-6.1p1/sshd.c.privsep-selinux	2013-02-24 11:29:32.997823377 +0100
++++ openssh-6.1p1/sshd.c	2013-02-24 11:43:34.171182720 +0100
+@@ -653,6 +653,10 @@ privsep_preauth_child(void)
+ 	/* Demote the private keys to public keys. */
+ 	demote_sensitive_data();
+ 
++#ifdef WITH_SELINUX
++	ssh_selinux_change_context("sshd_net_t");
++#endif
++
+ 	/* Change our root directory */
+ 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+@@ -794,6 +798,13 @@ privsep_postauth(Authctxt *authctxt)
  	do_setusercontext(authctxt->pw);
  
   skip:
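Review bot: The added `ssh_selinux_change_context("sshd_net_t");` in privsep_preauth_child discards its return value, so a failed transition leaves the pre-auth network child in whatever domain it inherited, with nothing logged. The sandbox hunk in openssh-5.9p1-sesandbox.patch switches on the same function's result with `case 0` as success, which suggests a status is available here as well. Consider `if (ssh_selinux_change_context("sshd_net_t") != 0) error("%s: SELinux transition to sshd_net_t failed", __func__);`, and decide whether an enforcing system should call `fatal()` instead. The meaning of the non-zero results is not visible in this diff and should be confirmed first. If the call has to stay ahead of `chroot()`, a one-line comment saying so would protect the ordering; the function body continues outside the hunk.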

