[Bug 1325] New: SELinux support broken when SELinux is in permissive mode

bugzilla-daemon at bugzilla.mindrot.org
Thu Jun 28 02:54:19 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1325

           Summary: SELinux support broken when SELinux is in permissive
                    mode
           Product: Portable OpenSSH
           Version: 4.6p1
          Platform: Other
               URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430838
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: cjwatson at debian.org


Created an attachment (id=1313)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1313)
add missing break statements

This bug was originally reported as Debian bug #430838. (Please ignore
the information about OpenSSH 4.3 there, as the SELinux support at that
point was due to a Debian patch.)

When SELinux is configured in permissive mode, failure to get the
security context should (from the code) result in an error() but not a
fatal(). However, the following appears in syslog:

Jun 27 09:56:07 teleri sshd[12293]: pam_selinux: Open Session
Jun 27 09:56:07 teleri sshd[12293]: Unable to get valid context for bts, No valid tty
Jun 27 09:56:07 teleri sshd[12293]: error: PAM: pam_open_session(): Authentication failure
Jun 27 09:56:07 teleri sshd[12293]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts
Jun 27 09:56:07 teleri sshd[12293]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts (in enforcing mode)

This is due to missing break statements in the relevant switch, so the
code wrongly falls through from error() to fatal(). Patch attached.


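The fall-through described in the report, modelled as an added example (not OpenSSH's code and not the attached patch). The function names and the counting stubs that stand in for error() and fatal() are hypothetical; the mode values are those returned by libselinux's security_getenforce().

```c
#include <stdio.h>

/* Model of the failure path: counts what would be logged. */
struct outcome { int errors; int fatals; };

/* Values returned by libselinux security_getenforce(). */
enum { GETENFORCE_FAILED = -1, PERMISSIVE = 0, ENFORCING = 1 };

/* Hypothetical stubs: the real fatal() ends the session, here it is counted. */
static void log_error(struct outcome *o) { o->errors++; }
static void log_fatal(struct outcome *o) { o->fatals++; }

/* Before the fix: the permissive case has no break. */
struct outcome ctx_failure_buggy(int mode)
{
	struct outcome o = {0, 0};

	switch (mode) {
	case GETENFORCE_FAILED:
		log_fatal(&o);
		break;		/* models fatal() not returning */
	case PERMISSIVE:
		log_error(&o);	/* control continues into default */
	default:
		log_fatal(&o);
		break;
	}
	return o;
}

/* After the fix: every case ends in break. */
struct outcome ctx_failure_fixed(int mode)
{
	struct outcome o = {0, 0};

	switch (mode) {
	case GETENFORCE_FAILED: log_fatal(&o); break;
	case PERMISSIVE:        log_error(&o); break;
	default:                log_fatal(&o); break;
	}
	return o;
}

int main(void)
{
	struct outcome b = ctx_failure_buggy(PERMISSIVE);
	struct outcome f = ctx_failure_fixed(PERMISSIVE);
	printf("permissive: buggy error=%d fatal=%d, fixed error=%d fatal=%d\n",
	    b.errors, b.fatals, f.errors, f.fatals);
	return 0;
}
```

Compiling with GCC's -Wimplicit-fallthrough flags the permissive case in the first function, which is a cheap build-time check for this class of bug.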