bugzilla-daemon at bugzilla.mindrot.org
2011-Jul-21 13:30 UTC
[Bug 1919] New: do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Bug #: 1919
Summary: do not change the context from unconfined_t
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: jchadima at redhat.com
When sshd is running with the context unconfined_t (unprivileged
default), SELinux policy prohibits changing this context to another.
Trying to change it is logged as an error.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jul-21 13:33 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
--- Comment #1 from jchadima at redhat.com 2011-07-21 23:33:15 EST ---
Created attachment 2066
--> https://bugzilla.mindrot.org/attachment.cgi?id=2066
patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-12 01:17 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-08-12 11:17:42
EST ---
Is the restriction of changing away from unconfined_t just a matter of
policy? If so, then introducing a short-circuit like this could
severely break people who have modified this policy.
Would it be better to attempt the change in policy but just downgrade
the logit() to a debug3() if the previous type was unconfined_t?
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-12 03:05 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
jchadima at redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jchadima at redhat.com
--- Comment #3 from jchadima at redhat.com 2011-08-12 13:05:47 EST ---
Unconfined is the unprivileged default, something like a database NULL.
There should be no operations on it in the policy. An unconfined thing
should stay unconfined forever.
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-15 14:35 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Tomas Mraz <t8m at centrum.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |t8m at centrum.cz
--- Comment #4 from Tomas Mraz <t8m at centrum.cz> 2011-08-16 00:35:35 EST
---
Jan, in arbitrary policies the unconfined_t might mean just anything.
So I agree with Damien, that just downgrading the log messages to
debug3 if transition from unconfined_t is involved is more appropriate.
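The two approaches debated in comments #2 to #4, side by side, as an added example (this is not attachment 2066 or 2077 and not OpenSSH code). The policy callbacks, the `outcome` struct and the context string are constructed for illustration; no real SELinux call is made.

```c
#include <stdio.h>
#include <string.h>

/* Levels named after the log calls mentioned in the thread (model only). */
enum level { LVL_NONE, LVL_LOGIT, LVL_DEBUG3 };
struct outcome { int changed; enum level logged; };
typedef int (*policy_fn)(const char *oldctx); /* hypothetical: 1 = change allowed */

/* True if the type field (3rd) of "user:role:type[:range]" equals want. */
static int ctx_type_is(const char *ctx, const char *want)
{
    const char *p = strchr(ctx, ':');
    size_t n;
    if (p == NULL || (p = strchr(p + 1, ':')) == NULL)
        return 0;
    n = strcspn(++p, ":");
    return n == strlen(want) && strncmp(p, want, n) == 0;
}

/* Short-circuit: never attempt the change when starting from unconfined_t. */
static struct outcome change_short_circuit(const char *old, policy_fn allow)
{
    struct outcome o = { 0, LVL_NONE };
    if (ctx_type_is(old, "unconfined_t"))
        return o;
    if (allow(old)) o.changed = 1; else o.logged = LVL_LOGIT;
    return o;
}

/* Downgrade: always attempt; a failure from unconfined_t is only debug3. */
static struct outcome change_downgrade_log(const char *old, policy_fn allow)
{
    struct outcome o = { 0, LVL_NONE };
    if (allow(old)) o.changed = 1;
    else o.logged = ctx_type_is(old, "unconfined_t") ? LVL_DEBUG3 : LVL_LOGIT;
    return o;
}

/* Constructed policies: one refuses to leave unconfined_t, one permits it. */
static int stock_policy(const char *old) { return !ctx_type_is(old, "unconfined_t"); }
static int modified_policy(const char *old) { (void)old; return 1; }

int main(void)
{
    const char *u = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023";
    printf("short-circuit, modified policy: changed=%d\n", change_short_circuit(u, modified_policy).changed);
    printf("downgrade, modified policy:     changed=%d\n", change_downgrade_log(u, modified_policy).changed);
    return 0;
}
```

Under the constructed modified policy the short-circuit variant never performs a transition that the policy would have allowed, while the downgrade variant performs it and only changes how a refusal is logged.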
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-29 05:49 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
--- Comment #5 from Damien Miller <djm at mindrot.org> 2011-08-29 15:49:16 EST ---
Created attachment 2077
--> https://bugzilla.mindrot.org/attachment.cgi?id=2077
selinux-unconfined.diff
revised patch
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-29 05:50 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2077| |ok?(dtucker at zip.com.au)
Flags| |
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-29 05:53 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2077|ok?(dtucker at zip.com.au) |ok+
Flags| |
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-29 06:10 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #6 from Damien Miller <djm at mindrot.org> 2011-08-29 16:10:39
EST ---
applied - this will be in 5.9, due in a few days
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:33 UTC
[Bug 1919] do not change the context from unconfined_t
https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #7 from Damien Miller <djm at mindrot.org> 2011-09-06 15:33:10
EST ---
close resolved bugs now that openssh-5.9 has been released