781634 – We are currently running the privsep parent process as sshd_t, I believe we should run this as the users context.

Bug 781634 - We are currently running the privsep parent process as sshd_t, I believe we should run this as the users context.

Summary: We are currently running the privsep parent process as sshd_t, I believe we s...

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openssh
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Petr Lautrbach
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	798241 798534
TreeView+	depends on / blocked

Reported:	2012-01-13 22:02 UTC by Daniel Walsh
Modified:	2021-07-04 00:03 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openssh-5.9p1-17.fc17
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	798241 (view as bug list)
Environment:
Last Closed:	2012-01-31 14:04:52 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
change SELinux context for unprivileged sshd process too (354 bytes, patch) 2012-01-23 16:10 UTC, Petr Lautrbach	no flags	Details \| Diff
This was my latest patch. (569 bytes, patch) 2012-01-25 20:29 UTC, Daniel Walsh	no flags	Details \| Diff
do not call do_setusercontext() twice (858 bytes, patch) 2012-01-26 16:07 UTC, Petr Lautrbach	no flags	Details \| Diff
Show Obsolete (1) View All

Comment 15 Petr Lautrbach 2012-01-26 16:07:41 UTC

Created attachment 557700 [details]
do not call do_setusercontext() twice

The latest patch looks good but I get non-fatal AVC:

type=SYSCALL msg=audit(1327588018.854:570): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f9e2e0be890 a2=1b a3=6e65727275632f72 items=0 ppid=8950 pid=8951 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=22 comm="sshd" exe="/usr/sbin/sshd" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1327588018.854:570): avc:  denied  { setcurrent } for  pid=8951 comm="sshd" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process

There are 2 do_setusercontext() calls if use_privsep is set. First in  privsep_postauth() in sshd.c and second in do_child() in session.c.

I think that we should avoid calling do_setusercontext() in do_child() if we have already separated privileges.

Comment 16 Daniel Walsh 2012-01-26 18:19:28 UTC

I agree, This should only be called once.  I would like to get this out to Rawhide to make sure we don't break anything before we go into RHEL6.

I want to see if this works with X Forwarding as well as port forwarding.

Comment 19 Petr Lautrbach 2012-01-31 14:04:52 UTC

It's built in Rawhide now. 

Since this version, SELinux sshd_forward_ports boolean has no effect and ssh port forwarding is confined with SELinux users rights.

Comment 20 Daniel Walsh 2012-01-31 14:51:24 UTC

Excellent, we will remove the boolean.

Note You need to log in before you can comment on or make changes to this bug.