diff --git a/openssh-5.9p1-privsep-selinux.patch b/openssh-5.9p1-privsep-selinux.patch deleted file mode 100644 index b81a604..0000000 --- a/openssh-5.9p1-privsep-selinux.patch +++ /dev/null @@ -1,35 +0,0 @@ -diff -up openssh-5.9p1/session.c.privsep-selinux openssh-5.9p1/session.c ---- openssh-5.9p1/session.c.privsep-selinux 2012-08-01 15:36:33.397565915 +0200 -+++ openssh-5.9p1/session.c 2012-08-02 18:18:15.038094629 +0200 -@@ -1536,6 +1536,13 @@ do_setusercontext(struct passwd *pw) - /* Permanently switch to the desired uid. */ - permanently_set_uid(pw); - #endif -+ -+#ifdef WITH_SELINUX -+ if (options.chroot_directory == NULL || -+ strcasecmp(options.chroot_directory, "none") == 0) { -+ ssh_selinux_copy_context(); -+ } -+#endif - } - - if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) -diff -up openssh-5.9p1/sshd.c.privsep-selinux openssh-5.9p1/sshd.c ---- openssh-5.9p1/sshd.c.privsep-selinux 2012-08-01 16:09:22.949423356 +0200 -+++ openssh-5.9p1/sshd.c 2012-08-02 18:07:22.912225684 +0200 -@@ -790,6 +790,14 @@ privsep_postauth(Authctxt *authctxt) - do_setusercontext(authctxt->pw); - - skip: -+#ifdef WITH_SELINUX -+ /* switch SELinux content for root too */ -+ if (authctxt->pw->pw_uid == 0 && (options.chroot_directory == NULL || -+ strcasecmp(options.chroot_directory, "none") == 0)) { -+ ssh_selinux_copy_context(); -+ } -+#endif -+ - /* It is safe now to apply the key state */ - monitor_apply_keystate(pmonitor); - diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch new file mode 100644 index 0000000..b3f96c4 --- /dev/null +++ b/openssh-6.1p1-privsep-selinux.patch @@ -0,0 +1,39 @@ +diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c +--- openssh-6.1p1/session.c.privsep-selinux 2012-09-15 13:45:26.079476022 +0200 ++++ openssh-6.1p1/session.c 2012-09-15 13:45:28.460522390 +0200 +@@ -1513,6 +1513,7 @@ do_setusercontext(struct passwd *pw) + + platform_setusercontext_post_groups(pw); + ++ + if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { + tmp = tilde_expand_filename(options.chroot_directory, +@@ -1536,6 +1537,10 @@ do_setusercontext(struct passwd *pw) + /* Permanently switch to the desired uid. */ + permanently_set_uid(pw); + #endif ++ ++#ifdef WITH_SELINUX ++ ssh_selinux_copy_context(); ++#endif + } + + if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) +diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c +--- openssh-6.1p1/sshd.c.privsep-selinux 2012-09-15 13:45:26.062475676 +0200 ++++ openssh-6.1p1/sshd.c 2012-09-15 13:45:28.467522539 +0200 +@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt) + do_setusercontext(authctxt->pw); + + skip: ++#ifdef WITH_SELINUX ++ /* switch SELinux content for root too */ ++ if (authctxt->pw->pw_uid == 0) { ++ ssh_selinux_copy_context(); ++ } ++#endif ++ + /* It is safe now to apply the key state */ + monitor_apply_keystate(pmonitor); + diff --git a/openssh.spec b/openssh.spec index 87f8fe5..4c126e9 100644 --- a/openssh.spec +++ b/openssh.spec @@ -147,7 +147,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1940 #Patch403: openssh-5.9p1-sesandbox.patch #https://bugzilla.redhat.com/show_bug.cgi?id=781634 -Patch404: openssh-5.9p1-privsep-selinux.patch +Patch404: openssh-6.1p1-privsep-selinux.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1663 Patch500: openssh-6.1p1-akc.patch