[Bug 237557] [NEW] chroot fails if compiled with SELinux support

peterh peter at holik.at
Thu Jun 5 08:43:54 BST 2008


Public bug reported:

I am using openssh with libpam_chroot to have a chrooted login, but the
following error message denies access for chrooted users:

sshd[14644]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname:
security_getenforce() failed


Please include this fix: http://marc.info/?l=openssh-unix-dev&m=120615000019541&w=2

Index: session.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/session.c,v
retrieving revision 1.364
diff -u -p -r1.364 session.c
--- session.c	15 Mar 2008 06:27:58 -0000	1.364
+++ session.c	22 Mar 2008 01:23:48 -0000
@@ -1350,6 +1350,10 @@ do_setusercontext(struct passwd *pw)
 #endif /* HAVE_CYGWIN */
 	{
 
+#ifdef WITH_SELINUX
+	/* Cache selinux status for later use */
+	(void)ssh_selinux_enabled();
+#endif
 #ifdef HAVE_SETPCRED
 		if (setpcred(pw->pw_name, (char **)NULL) == -1)
 			fatal("Failed to set process credentials");
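Review bot: the new comment in do_setusercontext() ("Cache selinux status for later use") does not say why the call has to happen at this exact point, so a later refactor could move or drop it without noticing. Since the call is made only for its side effect (the result is discarded with (void)), the comment should state the ordering requirement explicitly, i.e. that ssh_selinux_enabled() must be evaluated before the process ends up inside the chroot described in the report. The added statement is also indented one tab while the setpcred() block that follows inside the same brace uses two. Finally, the fatal in the report comes from security_getenforce() in ssh_selinux_getctxbyname, and the visible lines only cache the enabled/disabled status; it is worth confirming that this path is not reached inside the chroot when SELinux really is enabled.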
Index: openbsd-compat/port-linux.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/openbsd-compat/port-linux.c,v
retrieving revision 1.4
diff -u -p -r1.4 port-linux.c
--- openbsd-compat/port-linux.c	27 Jun 2007 22:48:03 -0000	1.4
+++ openbsd-compat/port-linux.c	22 Mar 2008 01:24:06 -0000
@@ -36,7 +36,7 @@
 #include <selinux/get_context_list.h>
 
 /* Wrapper around is_selinux_enabled() to log its return value once only */
-static int
+int
 ssh_selinux_enabled(void)
 {
 	static int enabled = -1;
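Review bot: with static removed, ssh_selinux_enabled() becomes part of the file's external interface, but the comment above it still describes it only as a wrapper that logs the return value once. session.c now depends on the static "enabled" cache holding the first result for the life of the process, so the comment should document that contract (first call decides, later calls return the cached value) to keep someone from "fixing" it into a re-query later.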
Index: openbsd-compat/port-linux.h
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/openbsd-compat/port-linux.h,v
retrieving revision 1.1
diff -u -p -r1.1 port-linux.h
--- openbsd-compat/port-linux.h	22 Apr 2006 11:26:08 -0000	1.1
+++ openbsd-compat/port-linux.h	22 Mar 2008 01:28:06 -0000
@@ -20,6 +20,7 @@
 #define _PORT_LINUX_H
 
 #ifdef WITH_SELINUX
+int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
 #endif

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
chroot fails if compiled with SELinux support
https://bugs.launchpad.net/bugs/237557
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.


