bugzilla-daemon at bugzilla.mindrot.org
2015-Oct-22 16:47 UTC
[Bug 2482] New: SELinux integration
https://bugzilla.mindrot.org/show_bug.cgi?id=2482

            Bug ID: 2482
           Summary: SELinux integration
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2733
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2733&action=edit
selinux patches (1 - 4)

Our bugzilla [1] was another impulse to review SELinux integration in
openssh and preferably contribute the changes back to upstream in some
understandable format after the years:

1) Usage of hard-coded constant (SECCLASS_CHR_FILE) is not advised
anymore, we should use string_to_security_class instead. This is
related to removal of selinux/flash header file. [2]

2) The second part is about context handling. We get new context as
exec context, from PAM or from ssh_selinux_setup_exec_context. We can't
(and don't want to) wait for next fork/exec to change the context for
us, since it can be after chroot (which needs to be handled in special
way). Therefore we want to do this context swap with other capabilities
swap. This adds the context switches in do_setusercontext() function.
This will save us from needing to call additional setexeccon from user
context (and the need of this capability) if the user needs to switch
password. Also the sftpd_t context is not used anymore (sftp runs under
context of the actual user). [1]

3) The last bits so far are related to the privilege separation SELinux
context (the net child is confined as sshd_net_t).

4) root logins can be also confined by SELinux, so we should not skip
privilege separation in postauth phase (skipping also requires
additional permissions to be available for selinux context of this
user). [1]

Sorry for posting all patches in one, but they are quite closely
related. If there is something not clear from the description, I am
free to explain further the reasons behind each line.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1269072
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1261496

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-27 14:37 UTC
[Bug 2482] SELinux integration
https://bugzilla.mindrot.org/show_bug.cgi?id=2482

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
This was partially fixed by the following commit:

https://github.com/openssh/openssh-portable/commit/bda709b

Thank you.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 11:15 UTC
[Bug 2482] SELinux integration
https://bugzilla.mindrot.org/show_bug.cgi?id=2482

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED

https://bugzilla.mindrot.org/show_bug.cgi?id=2482

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release