Bug 781634

Summary: We are currently running the privsep parent process as sshd_t, I believe we should run this as the users context.
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: eparis, gl041188, mattias.ellert, mgrepl, mmcgrath, plautrba, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssh-5.9p1-17.fc17 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 798241 (view as bug list) Environment:
Last Closed: 2012-01-31 14:04:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 798241, 798534    
Attachments:
Description Flags
change SELinux context for unprivileged sshd process too
none
This was my latest patch.
none
do not call do_setusercontext() twice none

Comment 15 Petr Lautrbach 2012-01-26 16:07:41 UTC 
Created attachment 557700 [details]
do not call do_setusercontext() twice

The latest patch looks good but I get non-fatal AVC:

type=SYSCALL msg=audit(1327588018.854:570): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f9e2e0be890 a2=1b a3=6e65727275632f72 items=0 ppid=8950 pid=8951 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=22 comm="sshd" exe="/usr/sbin/sshd" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1327588018.854:570): avc:  denied  { setcurrent } for  pid=8951 comm="sshd" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process

There are 2 do_setusercontext() calls if use_privsep is set. First in  privsep_postauth() in sshd.c and second in do_child() in session.c.

I think that we should avoid calling do_setusercontext() in do_child() if we have already separated privileges.
Comment 16 Daniel Walsh 2012-01-26 18:19:28 UTC 
I agree, This should only be called once.  I would like to get this out to Rawhide to make sure we don't break anything before we go into RHEL6.

I want to see if this works with X Forwarding as well as port forwarding.
Comment 19 Petr Lautrbach 2012-01-31 14:04:52 UTC 
It's built in Rawhide now. 

Since this version, SELinux sshd_forward_ports boolean has no effect and ssh port forwarding is confined with SELinux users rights.
Comment 20 Daniel Walsh 2012-01-31 14:51:24 UTC 
Excellent, we will remove the boolean.