run privsep slave process as the users SELinux context (#781634)

openssh-5.9p1-privsep-selinux.patch

@@ -0,0 +1,29 @@
+diff --git a/session.c b/session.c
+index 436ea48..49c9321 100644
+--- a/session.c
++++ b/session.c
+@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)
+ #endif
+ 	}
+ 
++#ifdef WITH_SELINUX
++	if (options.chroot_directory == NULL ||
++	    strcasecmp(options.chroot_directory, "none") == 0) {
++		ssh_selinux_copy_context();
++	}
++#endif
++
+ 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+ 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+ }
+@@ -1693,7 +1700,9 @@ do_child(Session *s, const char *command)
+ 		/* When PAM is enabled we rely on it to do the nologin check */
+ 		if (!options.use_pam)
+ 			do_nologin(pw);
+-		do_setusercontext(pw);
++		/* We are already separated */
++		if (!use_privsep)
++			do_setusercontext(pw);
+ 		/*
+ 		 * PAM session modules in do_setusercontext may have
+ 		 * generated messages, so if this in an interactive

openssh.spec

@@ -143,6 +143,8 @@ Patch401: openssh-5.9p1-mls.patch
 Patch402: openssh-5.9p1-sftp-chroot.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1940
 Patch403: openssh-5.9p1-sesandbox.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=781634
+Patch404: openssh-5.9p1-privsep-selinux.patch
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
 Patch500: openssh-5.9p1-akc.patch
@@ -416,6 +418,7 @@ popd
 %patch401 -p1 -b .mls
 %patch402 -p1 -b .sftp-chroot
 %patch403 -p1 -b .sesandbox
+%patch404 -p1 -b .privsep-selinux
 %endif
 
 %patch500 -p1 -b .akc