[openssh] use SELinux type sshd_net_t for [net] childs (#915085)
plautrba
plautrba at fedoraproject.org
Wed Mar 6 11:44:19 UTC 2013
commit 338e71981de77f7d93026f9a01d1483984e29c2d
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Sun Feb 24 16:36:18 2013 +0100
use SELinux type sshd_net_t for [net] childs (#915085)
openssh-5.9p1-sesandbox.patch | 2 +-
openssh-6.1p1-privsep-selinux.patch | 17 ++++++++++++++---
2 files changed, 15 insertions(+), 4 deletions(-)
---
diff --git a/openssh-5.9p1-sesandbox.patch b/openssh-5.9p1-sesandbox.patch
index ec84cef..6d60aff 100644
--- a/openssh-5.9p1-sesandbox.patch
+++ b/openssh-5.9p1-sesandbox.patch
@@ -247,7 +247,7 @@ diff -up openssh-5.9p1/sandbox-selinux.c.sesandbox openssh-5.9p1/sandbox-selinux
+void
+ssh_sandbox_privileged_child(struct ssh_sandbox *box)
+{
-+ switch (ssh_selinux_change_context("sshd_sandbox_t")) {
++ switch (ssh_selinux_change_context("sshd_net_t")) {
+ case 0:
+ debug3("selinux sandbox child sucessfully enabled");
+ break;
diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch
index a2912f5..881c71a 100644
--- a/openssh-6.1p1-privsep-selinux.patch
+++ b/openssh-6.1p1-privsep-selinux.patch
@@ -75,9 +75,20 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
}
diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
---- openssh-6.1p1/sshd.c.privsep-selinux 2012-11-05 14:46:39.335809209 +0100
-+++ openssh-6.1p1/sshd.c 2012-11-05 14:46:39.341809247 +0100
-@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
+--- openssh-6.1p1/sshd.c.privsep-selinux 2013-02-24 11:29:32.997823377 +0100
++++ openssh-6.1p1/sshd.c 2013-02-24 11:43:34.171182720 +0100
+@@ -653,6 +653,10 @@ privsep_preauth_child(void)
+ /* Demote the private keys to public keys. */
+ demote_sensitive_data();
+
++#ifdef WITH_SELINUX
++ ssh_selinux_change_context("sshd_net_t");
++#endif
++
+ /* Change our root directory */
+ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+@@ -794,6 +798,13 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
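Review bot: The `ssh_selinux_change_context("sshd_net_t")` call added to privsep_preauth_child discards its result, whereas the sesandbox patch touched by this same commit wraps the identical call in a `switch` and handles `case 0`. If the loaded policy lacks the sshd_net_t type or denies the transition, the pre-auth network child would apparently keep running in the parent's domain, and unless ssh_selinux_change_context reports the failure itself (not visible here) nothing in the log would show that the confinement was not applied. I would check the status here too, e.g. `if (ssh_selinux_change_context("sshd_net_t") != 0) logit("%s: could not switch to sshd_net_t", __func__);`, and decide whether an enforcing system should call fatal() instead. A one-line comment such as `/* must run before chroot() and before privileges are dropped */` would also record why the call sits at this point, assuming that ordering is intentional. The body of privsep_preauth_child continues outside the hunk.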