selinux sandbox not useful [preauth] : 211 time(s)

Frantisek Hanzlik franta at hanzlici.cz
Wed Dec 26 20:44:15 UTC 2012


Reindl Harald wrote:
> 
> 
> Am 25.12.2012 10:34, schrieb Michael Schwendt:
>> On Tue, 25 Dec 2012 04:34:13 +0100, Reindl Harald wrote:
>>
>>> is it possible on systems with selinux completly disabled to
>>> get rid of this messages in /var/log/secure everytime a
>>> ssh-session is opened?
>>>
>>> Dec 25 04:33:28 localhost sshd[10980]: selinux sandbox not useful [preauth]
>>
>> What you haven't told:
>> Does it print that even if you disable the feature in sshd_config?
> 
> how?
> 
> i have not enabled anything selinux related

openssh-5.9p1 (-28.fc17) seems to be patched by some openssh-5.9p1-sesandbox.patch
which hardly prints this message (if selinux is disabled):

...
diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox openssh-5.9p1/openbsd-compat/port-linux.c
--- openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox 2011-09-19 04:10:14.731521450 +0200
+++ openssh-5.9p1/openbsd-compat/port-linux.c   2011-09-19 04:10:15.292521265 +0200
...
int ssh_selinux_change_context(const char *newname)
 {
...
        if (!ssh_selinux_enabled())
-               return;
+               return -2;
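Review bot: the context line `int ssh_selinux_change_context(const char *newname)` shows the function returning int while the line being replaced is a bare `return;`, so the change of return type itself must sit in an elided part of the patch; confirm that every existing caller of ssh_selinux_change_context is updated, since they previously called it as a void function and now ignore or misread its result. Also, `-2` is a bare magic value with no explanation here; document the meaning of each return value in a comment above the function (or use named constants) so the switch in ssh_sandbox_privileged_child stays readable.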

....
+void ssh_sandbox_privileged_child(struct ssh_sandbox *box)
+{
+       switch (ssh_selinux_change_context("sshd_sandbox_t")) {
+       case 0:
+               debug3("selinux sandbox child sucessfully enabled");
+               break;
+       case -2:
+               logit("selinux sandbox not useful");
+               break;
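Review bot: `logit("selinux sandbox not useful");` in the `case -2:` branch emits a log message on every connection, which is exactly the repeated /var/log/secure noise reported in this thread; since -2 is the normal path on a host with SELinux disabled, log it with debug3() like the `case 0:` branch does, or log it once at startup rather than per session. Also, "sucessfully" in the `case 0:` message should read "successfully", and only the 0 and -2 cases are visible here, so make sure the elided remainder of the switch has a default branch that handles other failures of ssh_selinux_change_context.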
...

Thus the right way perhaps is to improve this patch (bugzilla?)


