[Bug 3641] New: Improved SELinux support for openssh

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Dec 7 21:26:48 AEDT 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3641

            Bug ID: 3641
           Summary: Improved SELinux support for openssh
           Product: Portable OpenSSH
           Version: 9.5p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jsegitz at suse.de

We (openSUSE) recently added patches for openssh that Fedora has already
carried for a long time:
https://build.opensuse.org/package/show/openSUSE:Factory/openssh

We added five patches:
* openssh-7.8p1-role-mls.patch
  Proper handling of MLS systems and basis for other SELinux
  improvements
* openssh-6.6p1-privsep-selinux.patch
  Properly set contexts during privilege separation
* openssh-6.6p1-keycat.patch
  Add ssh-keycat command to allow retrieval of authorized_keys
  on MLS setups with polyinstantiation
* openssh-6.6.1p1-selinux-contexts.patch
  Additional changes to set the proper context during privilege
  separation
* openssh-7.6p1-cleanup-selinux.patch
  Various changes and putting the pieces together

I would like to get these changes upstream. SELinux is now pretty
common on Linux systems and without these patches some functionality
(e.g. proxy jump) doesn't work.

I want to see if you're in general willing to take this, because the
current state would need to be reworked to have this split up a bit
better, but I would not do this if you don't want to take it.



More information about the openssh-bugs mailing list