From f578f0ac161e53dddbb66360796de163d05dfeff Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mon, 3 Dec 2012 10:25:26 +0100
Subject: [PATCH] fix privsep patch

the selinux-policy removed rules which allow SELinux users to use setuid() so we can't do setcon() before setuid()
---
 openssh-6.1p1-privsep-selinux.patch | 34 +++++++++++++++++++----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch
index 136e9d3..a2912f5 100644
--- a/openssh-6.1p1-privsep-selinux.patch
+++ b/openssh-6.1p1-privsep-selinux.patch
@@ -39,20 +39,32 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1
 #endif
 diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
---- openssh-6.1p1/session.c.privsep-selinux 2012-11-05 14:46:39.314809081 +0100
-+++ openssh-6.1p1/session.c 2012-11-05 14:46:39.340809241 +0100
-@@ -1513,6 +1513,10 @@ do_setusercontext(struct passwd *pw)
- 
- platform_setusercontext_post_groups(pw);
- 
+--- openssh-6.1p1/session.c.privsep-selinux 2012-12-03 09:43:11.727505761 +0100
++++ openssh-6.1p1/session.c 2012-12-03 09:54:50.455688902 +0100
+@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
+ pw->pw_uid);
+ chroot_path = percent_expand(tmp, "h", pw->pw_dir,
+ "u", pw->pw_name, (char *)NULL);
++#ifdef WITH_SELINUX
++ ssh_selinux_copy_context();
++#endif
+ safely_chroot(chroot_path, pw->pw_uid);
+ free(tmp);
+ free(chroot_path);
+@@ -1533,6 +1536,12 @@ do_setusercontext(struct passwd *pw)
+ /* Permanently switch to the desired uid. */
+ permanently_set_uid(pw);
+ #endif
 +
 +#ifdef WITH_SELINUX
-+ ssh_selinux_copy_context();
++ if (options.chroot_directory == NULL ||
++ strcasecmp(options.chroot_directory, "none") == 0)
++ ssh_selinux_copy_context();
 +#endif
- if (options.chroot_directory != NULL &&
- strcasecmp(options.chroot_directory, "none") != 0) {
- tmp = tilde_expand_filename(options.chroot_directory,
-@@ -1787,9 +1791,6 @@ do_child(Session *s, const char *command
+ }
+ 
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+@@ -1787,9 +1796,6 @@ do_child(Session *s, const char *command
 argv[i] = NULL;
 optind = optreset = 1;
 __progname = argv[0];
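Review bot: The chroot branch in the new inner hunk at `@@ -1519,6 +1519,9 @@` still calls `ssh_selinux_copy_context()` before `safely_chroot()` and therefore before `permanently_set_uid()`, which is the setcon-before-setuid order the commit message says the policy no longer permits, so only the non-chroot path actually benefits from this change. If that ordering is kept because the context switch cannot be performed once the process is inside the chroot, the reason should be stated next to the call, e.g. `/* Must precede chroot; policy still has to allow this pre-setuid transition for chrooted users. */`. The guard added after `permanently_set_uid(pw)` is the negation of the chroot test removed earlier in the hunk and would read better with `/* Non-chroot case: switch context only after the uid has been dropped. */`; it should also be clear what happens if the copy fails after privileges are already dropped, since a silent failure would leave the session in the wrong domain — `ssh_selinux_copy_context()` is not visible here to confirm. `do_setusercontext()` begins and ends outside this hunk.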