[Bug 2482] New: SELinux integration

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Oct 23 03:47:57 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2482

            Bug ID: 2482
           Summary: SELinux integration
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2733
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2733&action=edit
selinux patches (1 - 4)

Our bugzilla [1] was another impulse to review the SELinux integration in
openssh and, preferably, to contribute the changes back to upstream in some
understandable format after all these years:

1) Use of the hard-coded constant (SECCLASS_CHR_FILE) is not advised
anymore; we should use string_to_security_class instead. This is
related to the removal of the selinux/flask header file. [2]

2) The second part is about context handling. We get the new context as
the exec context, from PAM or from ssh_selinux_setup_exec_context. We can't
(and don't want to) wait for the next fork/exec to change the context for
us, since it can happen after chroot (which needs to be handled in a special
way). Therefore we want to do this context swap together with the other
capability swaps. This adds the context switches to the do_setusercontext()
function. This avoids the need to call an additional setexeccon from the user
context (and the need for this capability) if the user needs to change
their password. Also, the sftpd_t context is not used anymore (sftp runs
under the context of the actual user). [1]

3) The last bits so far are related to the privilege separation SELinux
context (the net child is confined as sshd_net_t).

4) Root logins can also be confined by SELinux, so we should not skip
privilege separation in the post-auth phase (skipping it also requires
additional permissions to be available for the SELinux context of this
user). [1]

Sorry for posting all the patches in one, but they are quite closely
related. If something is not clear from the description, I am free to
explain the reasons behind each line further.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1269072
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1261496



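The report above describes the process-context layout the patches are meant to produce: the listener and the privileged monitor stay in sshd_t, the pre-auth privilege-separation child is confined as sshd_net_t, and the post-auth session (including sftp-server) runs in the logged-in user's own domain rather than sftpd_t. The script below is an added verification check, not part of the reporter's patches or of OpenSSH itself. It parses the output of `ps -e -o label,pid,user,comm` (the `label` column is ps(1)'s security-context column) and flags deviations from that layout. The two process listings embedded in it are constructed samples, one for the patched layout and one for the legacy layout; the privilege-separation user is assumed to be named "sshd" (the conventional default), and the context labels are assumed to follow the usual user:role:type:level form.

```sh
#!/bin/sh
# Added verification check for the sshd/SELinux context layout described in the bug
# report. Not part of OpenSSH or of the reporter's patches. The ps listings below are
# constructed samples; on a real host use check_live instead.

# Constructed sample of `ps -e -o label,pid,user,comm` with the patched layout:
# listener/monitor in sshd_t, pre-auth child in sshd_net_t, the session and its
# sftp-server in the user's own domain (unconfined_t here).
SAMPLE_PS='LABEL                               PID USER     COMMAND
system_u:system_r:sshd_t:s0-s0:c0.c1023        812 root     sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023       4101 root     sshd
system_u:system_r:sshd_net_t:s0-s0:c0.c1023   4102 sshd     sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4103 alice    sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4104 alice    sftp-server'

# Constructed sample of the legacy layout: the user session is still in sshd_t and
# sftp-server runs as sftpd_t (the behaviour the patches remove).
SAMPLE_PS_OLD='LABEL                               PID USER     COMMAND
system_u:system_r:sshd_t:s0-s0:c0.c1023        812 root     sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023       5201 root     sshd
system_u:system_r:sshd_net_t:s0-s0:c0.c1023   5202 sshd     sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023       5203 bob      sshd
system_u:system_r:sftpd_t:s0-s0:c0.c1023      5204 bob      sftp-server'

# Print "pid user domain comm" for every sshd or sftp-server process in a ps listing.
# The domain is the third colon-separated field of the label (user:role:type:level).
# Header and malformed lines are skipped by requiring a numeric PID in column 2.
sshd_domains() {
    printf '%s\n' "$1" | awk '$2 ~ /^[0-9]+$/ && ($4 == "sshd" || $4 == "sftp-server") {
        split($1, ctx, ":"); print $2, $3, ctx[3], $4 }'
}

# Succeed when any sftp-server still runs in the legacy sftpd_t domain.
has_legacy_sftpd_t() {
    sshd_domains "$1" | awk '$3 == "sftpd_t" && $4 == "sftp-server" { found = 1 }
                             END { exit !found }'
}

# Succeed when at least one pre-auth privsep child (owned by the assumed privsep
# user "sshd") is confined as sshd_net_t.
net_child_confined() {
    sshd_domains "$1" | awk '$2 == "sshd" && $3 == "sshd_net_t" { found = 1 }
                             END { exit !found }'
}

# Succeed when no process owned by an ordinary user (neither root nor the privsep
# user) is left in one of the sshd daemon domains, i.e. every session and its
# sftp-server runs under the user's own context.
sessions_in_user_domain() {
    sshd_domains "$1" | awk '$2 != "root" && $2 != "sshd" &&
        ($3 == "sshd_t" || $3 == "sshd_net_t" || $3 == "sftpd_t") { bad = 1 }
        END { exit bad }'
}

# Run all three checks against a ps listing; print findings and return 0 only if all pass.
check_contexts() {
    listing=$1
    status=0
    if has_legacy_sftpd_t "$listing"; then
        echo "FAIL: sftp-server still runs as sftpd_t"; status=1
    fi
    if ! net_child_confined "$listing"; then
        echo "FAIL: no pre-auth privsep child confined as sshd_net_t"; status=1
    fi
    if ! sessions_in_user_domain "$listing"; then
        echo "FAIL: a user session is still in an sshd daemon domain"; status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: sshd contexts match the expected layout"
    fi
    return "$status"
}

# Same checks against the live process table of the host running this script.
check_live() {
    check_contexts "$(ps -e -o label,pid,user,comm)"
}

echo "== patched layout (constructed sample) =="
check_contexts "$SAMPLE_PS" || :
echo "== legacy layout (constructed sample) =="
check_contexts "$SAMPLE_PS_OLD" || :
```

Run `check_live` on a host with an active sshd session and an sftp transfer in progress; the session and sftp-server lines are what distinguish the patched behaviour from the old one, since the listener and sshd_net_t child look the same either way. Absence of a sshd_net_t line simply means no client is in the pre-auth phase at that instant, so repeat the live check while a connection is being opened.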