From 0ebe96b60455f29df424eac951a9002bdb9ea465 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 16 Oct 2015 09:41:20 +0200
Subject: [PATCH] Handle root logins the same way as other users (#1269072)

root users are unconfined by definition, but they can be limited by SELinux so having privilege separation still makes sense. As a consequence we can remove hunk that handled this condition if we skipped forking.
---
 openssh-6.6p1-privsep-selinux.patch | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/openssh-6.6p1-privsep-selinux.patch b/openssh-6.6p1-privsep-selinux.patch
index 14c9f28..9bf762b 100644
--- a/openssh-6.6p1-privsep-selinux.patch
+++ b/openssh-6.6p1-privsep-selinux.patch
@@ -122,17 +122,13 @@ index 07f9926..a97f8b7 100644
 /* Change our root directory */
 if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-@@ -768,6 +772,13 @@ privsep_postauth(Authctxt *authctxt)
- do_setusercontext(authctxt->pw);
- 
- skip:
-+#ifdef WITH_SELINUX
-+ /* switch SELinux content for root too */
-+ if (authctxt->pw->pw_uid == 0) {
-+ sshd_selinux_copy_context();
-+ }
-+#endif
-+
- /* It is safe now to apply the key state */
- monitor_apply_keystate(pmonitor);
+@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt)
+ #ifdef DISABLE_FD_PASSING
+ if (1) {
++#elif defined(WITH_SELINUX)
++ if (options.use_login) {
++ /* even root user can be confined by SELinux */
+ #else
+ if (authctxt->pw->pw_uid == 0 || options.use_login) {
+ #endif