selinux sandbox not useful [preauth] : 211 time(s)

Michael Schwendt mschwendt at gmail.com
Thu Dec 27 22:07:38 UTC 2012


On Wed, 26 Dec 2012 21:44:15 +0100, Frantisek Hanzlik wrote:

> openssh-5.9p1 (-28.fc17) seems to be patched with some openssh-5.9p1-sesandbox.patch
> which prints this message (if SELinux is disabled):
> 
> ...
> diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox openssh-5.9p1/openbsd-compat/port-linux.c
> --- openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox 2011-09-19 04:10:14.731521450 +0200
> +++ openssh-5.9p1/openbsd-compat/port-linux.c   2011-09-19 04:10:15.292521265 +0200
> ...
> int ssh_selinux_change_context(const char *newname)
>  {
> ...
>         if (!ssh_selinux_enabled())
> -               return;
> +               return -2;
> 
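Review bot: the new `return -2` at the `!ssh_selinux_enabled()` check makes an undocumented magic number part of the function's contract, and the `int` return type shown in the context line means any existing caller that used to ignore a void result now silently discards a status. Give the codes names (0 for success, -2 for SELinux not enabled, plus whatever the elided body returns when the context change fails) or at least document them in a comment at the declaration, and audit the other callers of ssh_selinux_change_context() to decide whether they should log or act on -2 rather than drop it.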
> ....
> +void ssh_sandbox_privileged_child(struct ssh_sandbox *box)
> +{
> +       switch (ssh_selinux_change_context("sshd_sandbox_t")) {
> +       case 0:
> +               debug3("selinux sandbox child sucessfully enabled");
> +               break;
> +       case -2:
> +               logit("selinux sandbox not useful");
> +               break;
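Review bot: the logit() in the `case -2` branch is what produces the 211 "[preauth]" lines in the report: SELinux being disabled is a fixed, administrator-chosen state, yet the message is emitted at INFO level once per incoming connection. Either lower it to debug(), or log it a single time when sshd starts and first evaluates ssh_selinux_enabled(), and keep logit()/error() for the case where SELinux is enabled but the transition to sshd_sandbox_t fails. The `case 0` string also misspells "successfully".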
> ...
> 
> Thus the right way is perhaps to improve this patch (bugzilla?)

Sounds plausible to report it, since you've actually examined the source
to show that it's the enhanced sandbox implementation. A temporary
work-around seems to be to rebuild the package with "--define noselinux 1".
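As an added example, not code from either post or from Fedora's openssh package, the following script does the checks a reader of this thread would want before filing or working around the bug: it tests whether the host has SELinux enabled (by the presence of selinuxfs), counts the "selinux sandbox not useful" lines in a log so the 211 figure can be reproduced, relates the two to the -2 path in the quoted patch, and prints the rebuild work-around from the reply. The log lines are constructed samples in /var/log/secure format; fetching the SRPM with yumdownloader is an assumption about the tooling, and only the --define comes from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# Fedora's openssh package. It checks whether the "selinux sandbox not
# useful" messages match the host's SELinux state, counts them in a log,
# and prints the rebuild work-around named in the reply.

# Return 0 if SELinux is enabled on this host, 1 otherwise. When SELinux
# is disabled (or not compiled into the kernel) selinuxfs is not mounted,
# so /sys/fs/selinux/enforce is absent. The path is a parameter so the
# check can be exercised against a test file.
selinux_enabled() {
    enforce_file="${1:-/sys/fs/selinux/enforce}"
    [ -r "$enforce_file" ]
}

# Count sshd lines carrying the message on stdin (/var/log/secure or
# `journalctl -u sshd` output). The pattern uses the exact string the
# patch passes to logit(), so the count is what a log summary would report.
count_sandbox_msgs() {
    grep -c 'sshd\[[0-9]*\]: selinux sandbox not useful' || true
}

# Constructed sample in /var/log/secure format (not real log data).
SAMPLE_LOG='Dec 26 21:10:01 host sshd[4121]: selinux sandbox not useful [preauth]
Dec 26 21:10:02 host sshd[4121]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Dec 26 21:12:44 host sshd[4190]: selinux sandbox not useful [preauth]
Dec 26 21:12:45 host sshd[4190]: Connection closed by 192.0.2.11 [preauth]'

# Work-around from the reply: rebuild with the SELinux conditional off.
# Assumption: the SRPM is fetched with yumdownloader (yum-utils); the
# --define is the one quoted in the thread. Commands are only printed
# unless RUN=1 is set, so the script is safe to run for inspection.
rebuild_without_selinux() {
    for cmd in 'yumdownloader --source openssh' \
               "rpmbuild --rebuild --define 'noselinux 1' openssh-*.src.rpm"; do
        echo "$cmd"
        if [ "${RUN:-0}" = 1 ]; then
            sh -c "$cmd"
        fi
    done
}

# Stand-alone run: replace SAMPLE_LOG with the real log on a host.
n=$(printf '%s\n' "$SAMPLE_LOG" | count_sandbox_msgs)
if selinux_enabled; then
    echo "SELinux enabled: $n 'not useful' message(s) is unexpected;" \
         "sshd took the -2 path, so its ssh_selinux_enabled() returned false" \
         "(check sestatus and whether sshd links libselinux)"
else
    echo "SELinux disabled: $n 'not useful' message(s) is the patch's -2 path," \
         "logged once per connection"
fi
rebuild_without_selinux
```

On a real host, pipe `journalctl -u sshd` or /var/log/secure into count_sandbox_msgs instead of the sample; a non-zero count on a host where selinux_enabled succeeds points at something other than the disabled-SELinux case this thread is about.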

