Created attachment 557700
do not call do_setusercontext() twice

The latest patch looks good, but I get a non-fatal AVC:

type=SYSCALL msg=audit(1327588018.854:570): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f9e2e0be890 a2=1b a3=6e65727275632f72 items=0 ppid=8950 pid=8951 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=22 comm="sshd" exe="/usr/sbin/sshd" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1327588018.854:570): avc: denied { setcurrent } for pid=8951 comm="sshd" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process

There are two do_setusercontext() calls if use_privsep is set: the first in privsep_postauth() in sshd.c and the second in do_child() in session.c. I think that we should avoid calling do_setusercontext() in do_child() if we have already separated privileges.
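The two audit records quoted in the comment above share one serial (570), and the AVC's scontext and tcontext are identical, which is the signature of a process that is already in its target domain asking to set its context a second time. The following is an added example, not code from the bug report or from OpenSSH: a small audit-log analyzer that joins SYSCALL and AVC records by serial, decodes the syscall and exit code, and flags that same-domain setcurrent pattern. The syscall and errno tables cover only the values that appear in the sample, the x86_64 mapping of syscall 1 to write and exit -13 to EACCES is an assumption stated in the code, and the sample input is the two records from the comment, reproduced one per line.

```python
import re

# Constructed sample: the two audit records from the bug comment, one per line.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1327588018.854:570): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f9e2e0be890 a2=1b a3=6e65727275632f72 items=0 ppid=8950 pid=8951 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=22 comm="sshd" exe="/usr/sbin/sshd" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1327588018.854:570): avc: denied { setcurrent } for pid=8951 comm="sshd" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
"""

# Assumption: arch=c000003e is x86_64, where syscall 1 is write(2) (setcon()
# writes the new context to /proc/self/attr/current). Only values present in
# the sample are mapped; anything else is reported as the raw number.
X86_64_SYSCALLS = {1: "write"}
ERRNO_NAMES = {-13: "EACCES"}

AUDIT_HDR = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_BODY = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)


def parse_record(line):
    """Parse one audit record into a dict, or return None if it is not one."""
    m = AUDIT_HDR.match(line.strip())
    if m is None:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_BODY.match(body)
        if a is None:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    # Remaining key=value pairs; quoted values lose their quotes.
    rec.update({k: v.strip('"') for k, v in KEY_VALUE.findall(body)})
    return rec


def group_events(lines):
    """Join records that belong to the same kernel event via the audit serial."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def explain_event(records):
    """Turn the AVC denials of one event into findings enriched with SYSCALL data."""
    denials = [r for r in records if r["type"] == "AVC" and r.get("result") == "denied"]
    syscalls = [r for r in records if r["type"] == "SYSCALL"]
    findings = []
    for avc in denials:
        finding = {
            "serial": avc["serial"],
            "perms": avc["perms"],
            "tclass": avc["tclass"],
            "scontext": avc["scontext"],
            "tcontext": avc["tcontext"],
            "comm": avc.get("comm"),
            # A process in domain X denied setcurrent on domain X: it is already
            # where it wants to be, i.e. the context was set once before.
            "self_transition": (
                avc["tclass"] == "process"
                and avc["scontext"] == avc["tcontext"]
                and "setcurrent" in avc["perms"]
            ),
        }
        if syscalls:
            sc = syscalls[0]
            nr = int(sc["syscall"])
            finding["syscall"] = X86_64_SYSCALLS.get(nr, nr) if sc.get("arch") == "c000003e" else nr
            finding["exit"] = ERRNO_NAMES.get(int(sc["exit"]), int(sc["exit"]))
            finding["exe"] = sc.get("exe")
        findings.append(finding)
    return findings


def analyze(text):
    """Return all denial findings in the log text, ordered by audit serial."""
    out = []
    for _serial, recs in sorted(group_events(text.splitlines()).items()):
        out.extend(explain_event(recs))
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        tag = "SAME-DOMAIN setcurrent (context already set once?)" if f["self_transition"] else ""
        print(f"serial={f['serial']} {f['exe']} {f['syscall']}() -> {f['exit']}: "
              f"denied {f['perms']} {f['scontext']} -> {f['tcontext']} {tag}")
```

Feed it the output of `ausearch -m AVC,SYSCALL` (or the relevant slice of /var/log/audit/audit.log) instead of the embedded sample to check a live system; a finding with self_transition set and comm="sshd" is the symptom the patch above removes, whereas a denial whose scontext differs from its tcontext is an ordinary missing domain transition and needs a policy fix, not a code fix.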
I agree. This should only be called once. I would like to get this out to Rawhide to make sure we don't break anything before we go into RHEL6. I want to see if this works with X forwarding as well as port forwarding.
It's built in Rawhide now. Since this version, the SELinux sshd_forward_ports boolean has no effect, and ssh port forwarding is confined by the SELinux user's rights.
Excellent, we will remove the boolean.