[Bug 237557] Re: chroot fails if compiled with SELinux support

Bug Watch Updater 237557 at bugs.launchpad.net
Wed Aug 10 20:02:39 UTC 2011


** Changed in: openssh (Debian)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/237557

Title:
  chroot fails if compiled with SELinux support

Status in “openssh” package in Ubuntu:
  Fix Released
Status in “openssh” package in Debian:
  Fix Released

Bug description:
  I am using openssh with libpam_chroot to have a chrooted login, but
  the following error message denies access for chrooted users

  sshd[14644]: fatal: ssh_selinux_getctxbyname:
  ssh_selinux_getctxbyname: security_getenforce() failed

  
  Please include this fix: http://marc.info/?l=openssh-unix-dev&m=120615000019541&w=2

  Index: session.c
  ===================================================================
  RCS file: /usr/local/src/security/openssh/cvs/openssh/session.c,v
  retrieving revision 1.364
  diff -u -p -r1.364 session.c
  --- session.c	15 Mar 2008 06:27:58 -0000	1.364
  +++ session.c	22 Mar 2008 01:23:48 -0000
  @@ -1350,6 +1350,10 @@ do_setusercontext(struct passwd *pw)
   #endif /* HAVE_CYGWIN */
   	{
   
  +#ifdef WITH_SELINUX
  +	/* Cache selinux status for later use */
  +	(void)ssh_selinux_enabled();
  +#endif
   #ifdef HAVE_SETPCRED
   		if (setpcred(pw->pw_name, (char **)NULL) == -1)
   			fatal("Failed to set process credentials");
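
Review bot: the added comment in do_setusercontext() says only "for later use" and does not explain why the call has to sit at this point. The call depends on a side effect of ssh_selinux_enabled() and discards the result with (void), so without a reason it reads as removable; suggest saying that the status is cached here because, per this bug report, the later SELinux query fails for chrooted logins (security_getenforce() failed). The added lines are also indented with one tab while the neighbouring statements in the block use two.
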
  Index: openbsd-compat/port-linux.c
  ===================================================================
  RCS file: /usr/local/src/security/openssh/cvs/openssh/openbsd-compat/port-linux.c,v
  retrieving revision 1.4
  diff -u -p -r1.4 port-linux.c
  --- openbsd-compat/port-linux.c	27 Jun 2007 22:48:03 -0000	1.4
  +++ openbsd-compat/port-linux.c	22 Mar 2008 01:24:06 -0000
  @@ -36,7 +36,7 @@
   #include <selinux/get_context_list.h>
   
   /* Wrapper around is_selinux_enabled() to log its return value once only */
  -static int
  +int
   ssh_selinux_enabled(void)
   {
   	static int enabled = -1;
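
Review bot: the comment above ssh_selinux_enabled() still describes it only as a wrapper that logs the return value once, but with static dropped the function is now also called from session.c purely to populate the static enabled cache. Update the comment to say that callers rely on the cached value, so a later change to the caching is not made without checking the session.c call.
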
  Index: openbsd-compat/port-linux.h
  ===================================================================
  RCS file: /usr/local/src/security/openssh/cvs/openssh/openbsd-compat/port-linux.h,v
  retrieving revision 1.1
  diff -u -p -r1.1 port-linux.h
  --- openbsd-compat/port-linux.h	22 Apr 2006 11:26:08 -0000	1.1
  +++ openbsd-compat/port-linux.h	22 Mar 2008 01:28:06 -0000
  @@ -20,6 +20,7 @@
   #define _PORT_LINUX_H
   
   #ifdef WITH_SELINUX
  +int ssh_selinux_enabled(void);
   void ssh_selinux_setup_pty(char *, const char *);
   void ssh_selinux_setup_exec_context(char *);
   #endif

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/237557/+subscriptions



