Do not fallback to sshd_net_t SELinux context

openssh-6.6.1p1-selinux-contexts.patch

@@ -19,7 +19,7 @@ index 8f32464..18a2ca4 100644
  
  	if (!sshd_selinux_enabled())
  		return;
-@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)
+@@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
  	}
  }
  
@@ -30,13 +30,27 @@ index 8f32464..18a2ca4 100644
 +	char line[1024], *preauth_context = NULL, *cp, *arg;
 +	const char *contexts_path;
 +	FILE *contexts_file;
-+
-+	contexts_path = selinux_openssh_contexts_path();
-+	if (contexts_path != NULL) {
-+		if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
 +	struct stat sb;
 +
-+			if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
++	contexts_path = selinux_openssh_contexts_path();
++	if (contexts_path == NULL) {
++		debug3("%s: Failed to get the path to SELinux context", __func__);
++		return;
++	}
++
++	if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
++		debug("%s: Failed to open SELinux context file", __func__);
++		return;
++	}
++
++	if (fstat(fileno(contexts_file), &sb) != 0 ||
++	    sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
++		logit("%s: SELinux context file needs to be owned by root"
++		    " and not writable by anyone else", __func__);
++		fclose(contexts_file);
++		return;
++	}
++
 +	while (fgets(line, sizeof(line), contexts_file)) {
 +		/* Strip trailing whitespace */
 +		for (len = strlen(line) - 1; len > 0; len--) {
@@ -63,13 +77,13 @@ index 8f32464..18a2ca4 100644
 +			preauth_context = xstrdup(arg);
 +		}
 +	}
-+			}
 +	fclose(contexts_file);
-+		}
-+	}
 +
-+	if (preauth_context == NULL)
-+		preauth_context = xstrdup("sshd_net_t");
++	if (preauth_context == NULL) {
++		debug("%s: Unable to find 'privsep_preauth' option in"
++		    " SELinux context file", __func__);
++		return;
++	}
 +
 +	ssh_selinux_change_context(preauth_context);
 +	free(preauth_context);