From cd5891d0d562a322ff99237ffd18f3b457f242ce Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Tue, 31 Jan 2012 14:09:00 +0100
Subject: [PATCH] run privsep slave process as the users SELinux context (#781634)

---
 openssh-5.9p1-privsep-selinux.patch | 29 +++++++++++++++++++++++++++++
 openssh.spec | 3 +++
 2 files changed, 32 insertions(+)
 create mode 100644 openssh-5.9p1-privsep-selinux.patch

diff --git a/openssh-5.9p1-privsep-selinux.patch b/openssh-5.9p1-privsep-selinux.patch
new file mode 100644
index 0000000..96143ed
--- /dev/null
+++ b/openssh-5.9p1-privsep-selinux.patch
@@ -0,0 +1,29 @@
+diff --git a/session.c b/session.c
+index 436ea48..49c9321 100644
+--- a/session.c
++++ b/session.c
+@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)
+ #endif
+ }
+
++#ifdef WITH_SELINUX
++ if (options.chroot_directory == NULL ||
++ strcasecmp(options.chroot_directory, "none") == 0) {
++ ssh_selinux_copy_context();
++ }
++#endif
++
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+ fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+ }
+@@ -1693,7 +1700,9 @@ do_child(Session *s, const char *command)
+ /* When PAM is enabled we rely on it to do the nologin check */
+ if (!options.use_pam)
+ do_nologin(pw);
+- do_setusercontext(pw);
++ /* We are already separated */
++ if (!use_privsep)
++ do_setusercontext(pw);
+ /*
+ * PAM session modules in do_setusercontext may have
+ * generated messages, so if this in an interactive
diff --git a/openssh.spec b/openssh.spec
index d1e87a2..9e7e776 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -143,6 +143,8 @@ Patch401: openssh-5.9p1-mls.patch
 Patch402: openssh-5.9p1-sftp-chroot.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1940
 Patch403: openssh-5.9p1-sesandbox.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=781634
+Patch404: openssh-5.9p1-privsep-selinux.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
 Patch500: openssh-5.9p1-akc.patch
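Review bot: Skipping `do_setusercontext(pw)` in `do_child` whenever `use_privsep` is set also skips the `getuid() != pw->pw_uid || geteuid() != pw->pw_uid` sanity check visible in the first hunk of the nested session.c patch, so the user's command is now exec'd with no final assertion that the earlier privsep_postauth path actually dropped privileges. I would keep that check on the privsep branch, `else if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);`, and expand the terse `/* We are already separated */` into a comment stating that the privsep slave already ran do_setusercontext (and hence ssh_selinux_copy_context) in privsep_postauth and must not re-copy the SELinux context here. In the first hunk, the new `options.chroot_directory == NULL` guard sits after the chroot block of do_setusercontext; if this version of session.c clears options.chroot_directory once safely_chroot() has run (the "don't attempt to chroot again" logic, which is outside the hunk), the guard is always true at this point and ssh_selinux_copy_context() would still be called inside the chroot, which is worth confirming against the applied sftp-chroot patch. Both do_setusercontext and do_child begin and end outside these hunks.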
@@ -416,6 +418,7 @@ popd
 %patch401 -p1 -b .mls
 %patch402 -p1 -b .sftp-chroot
 %patch403 -p1 -b .sesandbox
+%patch404 -p1 -b .privsep-selinux
 %endif
 %patch500 -p1 -b .akc