Displaying 5 results from an estimated 5 matches for "ssh_selinux_setup_exec_context".
2008 Mar 21
1
ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)
...establishing credentials
debug3: safely_chroot: checking '/'
debug3: safely_chroot: checking '/home/'
debug3: safely_chroot: checking '/home/user'
Changed root directory to "/home/user"
debug1: permanently_set_uid: 1002/1005
debug1: SELinux support enabled
debug3: ssh_selinux_setup_exec_context: setting execution context
ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session
debug3: PAM: sshpam_threa...
2011 Dec 13
5
[Bug 1960] New: Running sshd in wrong SELinux context causes segmentation fault when a user logs in
...compat/port-linux.c::ssh_selinux_getctxbyname() function. The
call to get_default_context() will result in the return code -1, but
"sc" is left untouched (and thus not a valid security_context_t
instance). Later in the function, "sc" is returned to the calling
function (which is ssh_selinux_setup_exec_context) which tries to free
the context through freecon(user_ctx).
This can be fixed by initializing sc to NULL to begin with (see line
59):
55 /* Return the default security context for the given username */
56 static security_context_t
57 ssh_selinux_getctxbyname(char *pwname)
58 {
59 sec...
2015 Oct 22
3
[Bug 2482] New: SELinux integration
...er the years:
1) Usage of hard-coded constant (SECCLASS_CHR_FILE) is not advised
anymore, we should use string_to_security_class instead. This is
related to removal of selinux/flask header file. [2]
2) The second part is about context handling. We get new context as
exec context, from PAM or from ssh_selinux_setup_exec_context. We can't
(and don't want to) wait for next fork/exec to change the context for
us, since it can be after chroot (which needs to be handled in special
way). Therefore we want to do this context swap with other capabilities
swap. This adds the context switches in do_setusercontext() function...
2010 Mar 01
4
[Bug 1726] New: ChrootDirectory doesn't work with SE Linux
...Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: cjwatson at debian.org
Created an attachment (id=1800)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1800)
call ssh_selinux_setup_exec_context before chrooting
This patch is from Russell Coker <russell at coker.com.au>; I know little
about SE Linux myself and defer to him for domain knowledge. He says:
"The following patch allows the chroot functionality for sftp (and
probably regular logins) to work with SE Linux. After chroo...
2008 May 25
1
OpenSSH + chroot + SELinux = broke
...the ChrootDirectory feature. Instead, I am
using the chroot patch from this location:
http://chrootssh.sourceforge.net/
This patch works differently than the new ChrootDirectory, but does
a similar thing. It calls chroot() (and modifies pw->pw_dir) before
calling the SELinux function ssh_selinux_setup_exec_context(pw->pw_name)
in session.c, in function do_setusercontext().
I get the error if I try to set up a user with a chroot'd home
directory. (I do this by adding "/./" into a user's home dir, which is
how that patch works... see the patch docs for details on usage.)
One...