bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-27 16:54 UTC
[Bug 1325] New: SELinux support broken when SELinux is in permissive mode
http://bugzilla.mindrot.org/show_bug.cgi?id=1325

           Summary: SELinux support broken when SELinux is in permissive mode
           Product: Portable OpenSSH
           Version: 4.6p1
          Platform: Other
               URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430838
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: cjwatson at debian.org

Created an attachment (id=1313)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1313)
add missing break statements

This bug was originally reported as Debian bug #430838. (Please ignore the information about OpenSSH 4.3 there, as the SELinux support at that point was due to a Debian patch.)

When SELinux is configured in permissive mode, failure to get the security context should (from the code) result in an error() but not a fatal(). However, the following appears in syslog:

  Jun 27 09:56:07 teleri sshd[12293]: pam_selinux: Open Session
  Jun 27 09:56:07 teleri sshd[12293]: Unable to get valid context for bts, No valid tty
  Jun 27 09:56:07 teleri sshd[12293]: error: PAM: pam_open_session(): Authentication failure
  Jun 27 09:56:07 teleri sshd[12293]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts
  Jun 27 09:56:07 teleri sshd[12293]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts (in enforcing mode)

This is due to missing break statements in the relevant switch, so the code wrongly falls through from error() to fatal(). Patch attached.

--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
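
The fall-through described in the report above, as an added example that is not the OpenSSH source or the attached patch: a minimal C model in which stand-in logging functions record which level fired. The names context_failure_buggy, context_failure_fixed, model_error and model_fatal, and the mode values (0 = permissive, anything else = enforcing), are assumptions made for illustration.

```c
#include <stdio.h>

/* Bit flags recording which stand-in logger was called (constructed for this example). */
enum { SAW_ERROR = 1, SAW_FATAL = 2 };
static int seen;

/* Stand-ins for sshd's error() and fatal(); the real fatal() terminates the process. */
static void model_error(const char *msg) { seen |= SAW_ERROR; printf("error: %s\n", msg); }
static void model_fatal(const char *msg) { seen |= SAW_FATAL; printf("fatal: %s\n", msg); }

/* Assumed mode values: 0 = permissive, anything else = enforcing. */
int context_failure_buggy(int mode)
{
    seen = 0;
    switch (mode) {
    case 0:
        model_error("failed to get default SELinux security context");
        /* falls through - the missing break is the bug */
    default:
        model_fatal("failed to get default SELinux security context (in enforcing mode)");
    }
    return seen;
}

int context_failure_fixed(int mode)
{
    seen = 0;
    switch (mode) {
    case 0:
        model_error("failed to get default SELinux security context");
        break;      /* permissive: log the failure and let the session continue */
    default:
        model_fatal("failed to get default SELinux security context (in enforcing mode)");
        break;
    }
    return seen;
}

int main(void)
{
    printf("permissive, buggy: flags=%d\n", context_failure_buggy(0));
    printf("permissive, fixed: flags=%d\n", context_failure_fixed(0));
    printf("enforcing,  fixed: flags=%d\n", context_failure_fixed(1));
    return 0;
}
```

Building with GCC's -Wimplicit-fallthrough (enabled by -Wextra) reports an unannotated fall-through of this kind at compile time.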
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-27 21:50 UTC
[Bug 1325] SELinux support broken when SELinux is in permissive mode
http://bugzilla.mindrot.org/show_bug.cgi?id=1325

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1313|                            |ok+
               Flag|                            |
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-27 21:51 UTC
[Bug 1325] SELinux support broken when SELinux is in permissive mode
http://bugzilla.mindrot.org/show_bug.cgi?id=1325

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |1289, 1305
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-27 22:48 UTC
[Bug 1325] SELinux support broken when SELinux is in permissive mode
http://bugzilla.mindrot.org/show_bug.cgi?id=1325

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2007-06-28 08:48:49 ---
This patch is embarrassingly correct. Applied - thanks!
bugzilla-daemon at bugzilla.mindrot.org
2008-Apr-03 23:00 UTC
[Bug 1325] SELinux support broken when SELinux is in permissive mode
https://bugzilla.mindrot.org/show_bug.cgi?id=1325

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2008-04-04 10:00:03 ---
Close resolved bugs after release.