selinux sandbox not useful [preauth] : 211 time(s)
Michael Schwendt
mschwendt at gmail.com
Thu Dec 27 22:07:38 UTC 2012
On Wed, 26 Dec 2012 21:44:15 +0100, Frantisek Hanzlik wrote:
> openssh-5.9p1 (-28.fc17) seems to be patched by some openssh-5.9p1-sesandbox.patch
> which hardly prints this message (if SELinux is disabled):
>
> ...
> diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox openssh-5.9p1/openbsd-compat/port-linux.c
> --- openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox 2011-09-19 04:10:14.731521450 +0200
> +++ openssh-5.9p1/openbsd-compat/port-linux.c 2011-09-19 04:10:15.292521265 +0200
> ...
> int ssh_selinux_change_context(const char *newname)
> {
> ...
> if (!ssh_selinux_enabled())
> - return;
> + return -2;
>
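Review bot: the new "return -2;" in ssh_selinux_change_context is an undocumented magic value. The excerpt declares the function as returning int, but nothing in the hunk says what 0 or -2 mean, and the only place that interprets them is the literal case labels in the switch inside ssh_sandbox_privileged_child further down. Suggest a named constant or a short comment above the function, e.g. "/* returns 0 on success, -2 if SELinux is not enabled */", so the producer and the consumer of the code cannot silently drift apart.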
> ....
> +void ssh_sandbox_privileged_child(struct ssh_sandbox *box)
> +{
> + switch (ssh_selinux_change_context("sshd_sandbox_t")) {
> + case 0:
> + debug3("selinux sandbox child sucessfully enabled");
> + break;
> + case -2:
> + logit("selinux sandbox not useful");
> + break;
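Review bot: logit("selinux sandbox not useful") in the -2 case runs every time a privileged child is forked, but SELinux being disabled is a persistent host configuration, not a per-connection event; logit() writes at the default log level, so on a host without SELinux this produces one identical line per connection attempt (the subject line counts 211 of them, all [preauth]). Suggest either lowering it to debug() or emitting it once at sandbox initialisation rather than per child. Also, "sucessfully" in the debug3 string should be "successfully".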
> ...
>
> Thus the right way is perhaps to improve this patch (bugzilla?)
Sounds plausible to report it, since you've actually examined the source
to show that it's the enhanced sandbox implementation. A temporary
work-around seems to be to rebuild the package with "--define noselinux 1".