Bug 781634 - We are currently running the privsep parent process as sshd_t, I believe we should run this as the users context.
We are currently running the privsep parent process as sshd_t, I believe we s...
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Petr Lautrbach
Fedora Extras Quality Assurance
Depends On:
Blocks: 798241 798534
  Show dependency treegraph
Reported: 2012-01-13 17:02 EST by Daniel Walsh
Modified: 2012-02-29 03:08 EST (History)
6 users (show)

See Also:
Fixed In Version: openssh-5.9p1-17.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 798241 (view as bug list)
Last Closed: 2012-01-31 09:04:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
change SELinux context for unprivileged sshd process too (354 bytes, patch)
2012-01-23 11:10 EST, Petr Lautrbach
no flags Details | Diff
This was my latest patch. (569 bytes, patch)
2012-01-25 15:29 EST, Daniel Walsh
no flags Details | Diff
do not call do_setusercontext() twice (858 bytes, patch)
2012-01-26 11:07 EST, Petr Lautrbach
no flags Details | Diff

  None (edit)
Comment 15 Petr Lautrbach 2012-01-26 11:07:41 EST
Created attachment 557700 [details]
do not call do_setusercontext() twice

The latest patch looks good but I get non-fatal AVC:

type=SYSCALL msg=audit(1327588018.854:570): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f9e2e0be890 a2=1b a3=6e65727275632f72 items=0 ppid=8950 pid=8951 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=22 comm="sshd" exe="/usr/sbin/sshd" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1327588018.854:570): avc:  denied  { setcurrent } for  pid=8951 comm="sshd" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process

There are 2 do_setusercontext() calls if use_privsep is set. First in  privsep_postauth() in sshd.c and second in do_child() in session.c.

I think that we should avoid calling do_setusercontext() in do_child() if we have already separated privileges.
Comment 16 Daniel Walsh 2012-01-26 13:19:28 EST
I agree, This should only be called once.  I would like to get this out to Rawhide to make sure we don't break anything before we go into RHEL6.

I want to see if this works with X Forwarding as well as port forwarding.
Comment 19 Petr Lautrbach 2012-01-31 09:04:52 EST
It's built in Rawhide now. 

Since this version, SELinux sshd_forward_ports boolean has no effect and ssh port forwarding is confined with SELinux users rights.
Comment 20 Daniel Walsh 2012-01-31 09:51:24 EST
Excellent, we will remove the boolean.

Note You need to log in before you can comment on or make changes to this bug.