[Bug 1325] New: SELinux support broken when SELinux is in permissive mode
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Thu Jun 28 02:54:19 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1325
Summary: SELinux support broken when SELinux is in permissive
mode
Product: Portable OpenSSH
Version: 4.6p1
Platform: Other
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430838
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: cjwatson at debian.org
Created an attachment (id=1313)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1313)
add missing break statements
This bug was originally reported as Debian bug #430838. (Please ignore
the information about OpenSSH 4.3 there, as the SELinux support at that
point was due to a Debian patch.)
When SELinux is configured in permissive mode, failure to get the
security context should (from the code) result in an error() but not a
fatal(). However, the following appears in syslog:
Jun 27 09:56:07 teleri sshd[12293]: pam_selinux: Open Session
Jun 27 09:56:07 teleri sshd[12293]: Unable to get valid context for
bts, No valid tty
Jun 27 09:56:07 teleri sshd[12293]: error: PAM: pam_open_session():
Authentication failure
Jun 27 09:56:07 teleri sshd[12293]: error: ssh_selinux_getctxbyname:
Failed to get default SELinux security context for bts
Jun 27 09:56:07 teleri sshd[12293]: fatal: ssh_selinux_getctxbyname:
Failed to get default SELinux security context for bts (in enforcing
mode)
This is due to missing break statements in the relevant switch, so the
code wrongly falls through from error() to fatal(). Patch attached.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list