bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-15 10:18 UTC
[Bug 1891] New: selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

           Summary: selinux policy does not like to exec passwd from sshd directly
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: jchadima at redhat.com

there should be an intermediate shell to satisfy the policy

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-15 10:20 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

--- Comment #1 from jchadima at redhat.com 2011-04-15 20:20:05 EST ---
Created attachment 2030
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2030
patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-15 10:22 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-04-15 20:22:29 EST ---
Surely you can just change the policy? Using a shell means that we will have to
audit the environment that it runs in; executing directly provides fewer
opportunities for attack.
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-20 20:34 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

jchadima at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2030|0                           |1
        is obsolete|                            |

--- Comment #3 from jchadima at redhat.com 2011-04-21 06:34:31 EST ---
Created attachment 2034
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2034
The new patch

Another possible way to solve the selinux problem.
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-20 21:39 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

--- Comment #4 from Damien Miller <djm at mindrot.org> 2011-04-21 07:39:57 EST ---
So, you still haven't answered my question from comment #2.

Also, why is the fork() necessary? Can't you just do setexeccon(NULL) before
the execl()?
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-21 21:26 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

jchadima at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jchadima at redhat.com

--- Comment #5 from jchadima at redhat.com 2011-04-22 07:26:07 EST ---
You are right, in this consideration setexeccon(NULL) is enough.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 00:26 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

--- Comment #6 from Damien Miller <djm at mindrot.org> 2011-05-06 10:26:21 EST ---
Created attachment 2039
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2039
/tmp/pwchange-selinux.diff

setexeccon() before exec()
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 00:26 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

--- Comment #7 from Damien Miller <djm at mindrot.org> 2011-05-06 10:26:59 EST ---
So attachment #2039 is sufficient?
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 11:21 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

--- Comment #8 from jchadima at redhat.com 2011-05-06 21:21:40 EST ---
yes, it is OK
bugzilla-daemon at bugzilla.mindrot.org
2011-May-20 01:23 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2039|                            |ok+
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2011-May-20 01:24 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1845
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #9 from Damien Miller <djm at mindrot.org> 2011-05-20 11:24:56 EST ---
patch applied - thanks
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:33 UTC
[Bug 1891] selinux policy does not like to exec passwd from sshd directly
https://bugzilla.mindrot.org/show_bug.cgi?id=1891

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #10 from Damien Miller <djm at mindrot.org> 2011-09-06 15:33:03 EST ---
close resolved bugs now that openssh-5.9 has been released
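
The approach settled on in comments #4 to #6, as an added example that is not the attached patch or OpenSSH's own code: clear the SELinux exec context with setexeccon(NULL), then exec the program directly with a fixed environment and no intermediate shell. The name `run_direct`, the `WITH_SELINUX` build flag and the `/usr/bin/passwd` path are assumptions of this example, and the fork() is here only so the caller can read the exit status.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef WITH_SELINUX	/* assumed build flag; link with -lselinux */
#include <selinux/selinux.h>
#endif

/*
 * Execute `path` directly, without a shell, under a fixed minimal
 * environment. Returns the child's exit status, 127 if the exec
 * failed, 126 if the exec context could not be reset, -1 on error.
 */
int run_direct(const char *path, char *const argv[])
{
	/* Nothing from the caller's environment reaches the child. */
	static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
	int status;
	pid_t pid = fork();

	if (pid == -1)
		return -1;
	if (pid == 0) {
#ifdef WITH_SELINUX
		/*
		 * Drop any exec context set earlier in this process so
		 * the next execve() transitions by default policy rules.
		 */
		if (is_selinux_enabled() > 0 && setexeccon(NULL) == -1)
			_exit(126);
#endif
		execve(path, argv, clean_env);
		_exit(127);	/* only reached if execve() failed */
	}
	while (waitpid(pid, &status, 0) == -1)
		if (errno != EINTR)
			return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
	char *const argv[] = { "passwd", NULL };	/* assumed path below */
	printf("passwd exited with %d\n", run_direct("/usr/bin/passwd", argv));
	return 0;
}
```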