[Bug 2482] New: SELinux integration
bugzilla-daemon at bugzilla.mindrot.org
Fri Oct 23 03:47:57 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2482
Bug ID: 2482
Summary: SELinux integration
Product: Portable OpenSSH
Version: 7.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 2733
--> https://bugzilla.mindrot.org/attachment.cgi?id=2733&action=edit
selinux patches (1 - 4)
Our bugzilla [1] was another impulse to review the SELinux integration in
openssh and preferably contribute the changes back to upstream in some
understandable format after all these years:
1) Usage of the hard-coded constant (SECCLASS_CHR_FILE) is not advised
anymore; we should use string_to_security_class instead. This is
related to the removal of the selinux/flask header file. [2]
2) The second part is about context handling. We get the new context as
an exec context, from PAM or from ssh_selinux_setup_exec_context. We can't
(and don't want to) wait for the next fork/exec to change the context for
us, since it can be after chroot (which needs to be handled in a special
way). Therefore we want to do this context swap together with the other
capability swaps. This adds the context switches in the do_setusercontext()
function. This will avoid the need to call an additional setexeccon from the
user context (and the need for this capability) if the user needs to change
their password. Also, the sftpd_t context is not used anymore (sftp runs
under the context of the actual user). [1]
3) The last bits so far are related to the privilege separation SELinux
context (the net child is confined as sshd_net_t).
4) Root logins can also be confined by SELinux, so we should not skip
privilege separation in the post-auth phase (skipping it also requires
additional permissions to be available for the SELinux context of this
user). [1]
Sorry for posting all patches in one, but they are quite closely
related. If there is something not clear from the description, I am happy to
explain further the reasons behind each line.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1269072
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1261496
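The following script is an added example, not part of the bug report and not
code from OpenSSH. It checks that an sshd process tree is confined the way the
report describes: listener and per-connection monitors as sshd_t, the pre-auth
privsep child as sshd_net_t, and the post-auth session child and sftp-server in
the user's own context (never sshd_t, sshd_net_t, or the no-longer-used
sftpd_t). Input lines have the shape of `ps -eZ -o label,args --no-headers`
output; the process titles it matches ("sshd: [net]", "sshd: alice [priv]",
"sshd: alice@pts/0") are assumed to be what sshd sets via setproctitle, and the
sample process list is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH): audit SELinux confinement
# of an sshd process tree. Expected contexts are derived from the report:
#   listener / monitor  -> sshd_t
#   pre-auth net child  -> sshd_net_t
#   post-auth session   -> the user's context (not sshd_t/sshd_net_t/sftpd_t)
#   sftp-server         -> the user's context (sftpd_t is obsolete)
# Process titles are assumed to be sshd's setproctitle() strings.

# ctx_type CONTEXT -> prints the SELinux type (third colon-separated field),
# e.g. "system_u:system_r:sshd_t:s0-s0:c0.c1023" -> "sshd_t"
ctx_type() {
    t=${1#*:}; t=${t#*:}; printf '%s\n' "${t%%:*}"
}

# check_line "<context> <args>" -> prints "ok|BAD <role> <type>"
check_line() {
    ctx=${1%% *}
    args=${1#* }
    type=$(ctx_type "$ctx")
    case "$args" in
        /usr/sbin/sshd*|"sshd: [accepted]"|"sshd: "*" [priv]")
            role=monitor
            [ "$type" = sshd_t ] && st=ok || st=BAD ;;
        "sshd: [net]")
            role=net-child
            [ "$type" = sshd_net_t ] && st=ok || st=BAD ;;
        "sshd: "*)
            role=session
            case "$type" in sshd_t|sshd_net_t|sftpd_t) st=BAD ;; *) st=ok ;; esac ;;
        *sftp-server*|*internal-sftp*)
            role=sftp
            case "$type" in sshd_t|sshd_net_t|sftpd_t) st=BAD ;; *) st=ok ;; esac ;;
        *)
            role=other; st=ok ;;
    esac
    printf '%s %s %s\n' "$st" "$role" "$type"
}

# count_bad "<multi-line ps output>" -> prints the number of BAD lines
count_bad() {
    printf '%s\n' "$1" | {
        bad=0
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            case "$(check_line "$line")" in BAD*) bad=$((bad + 1)) ;; esac
        done
        printf '%s\n' "$bad"
    }
}

# Constructed sample in `ps -eZ -o label,args --no-headers` form. The last two
# lines deliberately show the pre-patch state the report wants to get rid of:
# sftp-server still in sftpd_t, and a net child not confined as sshd_net_t.
SAMPLE='system_u:system_r:sshd_t:s0-s0:c0.c1023 /usr/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 sshd: [accepted]
system_u:system_r:sshd_net_t:s0-s0:c0.c1023 sshd: [net]
system_u:system_r:sshd_t:s0-s0:c0.c1023 sshd: alice [priv]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 sshd: alice@pts/0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /usr/libexec/openssh/sftp-server
system_u:system_r:sftpd_t:s0-s0:c0.c1023 /usr/libexec/openssh/sftp-server
system_u:system_r:sshd_t:s0-s0:c0.c1023 sshd: [net]'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%-24s <- %s\n' "$(check_line "$line")" "$line"
done
printf 'bad lines: %s\n' "$(count_bad "$SAMPLE")"
```

On a real SELinux host the same functions can be fed live data with
`ps -eZ -o label,args --no-headers`; a non-zero count from count_bad means some
part of the tree is not confined as the patch set intends.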