| Summary: | SELinux support broken when SELinux is in permissive mode | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Colin Watson <cjwatson> | ||||
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> | ||||
| Status: | CLOSED FIXED | ||||||
| Severity: | normal | CC: | djm, dtucker | ||||
| Priority: | P2 | ||||||
| Version: | 4.6p1 | ||||||
| Hardware: | Other | ||||||
| OS: | Linux | ||||||
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430838 | ||||||
| Bug Depends on: | |||||||
| Bug Blocks: | 1289, 1305 | ||||||
| Attachments: |
|
||||||
This patch is embarrassingly correct. Applied - thanks! Close resolved bugs after release. |
Created attachment 1313 [details] add missing break statements This bug was originally reported as Debian bug #430838. (Please ignore the information about OpenSSH 4.3 there, as the SELinux support at that point was due to a Debian patch.) When SELinux is configured in permissive mode, failure to get the security context should (from the code) result in an error() but not a fatal(). However, the following appears in syslog: Jun 27 09:56:07 teleri sshd[12293]: pam_selinux: Open Session Jun 27 09:56:07 teleri sshd[12293]: Unable to get valid context for bts, No valid tty Jun 27 09:56:07 teleri sshd[12293]: error: PAM: pam_open_session(): Authentication failure Jun 27 09:56:07 teleri sshd[12293]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts Jun 27 09:56:07 teleri sshd[12293]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts (in enforcing mode) This is due to missing break statements in the relevant switch, so the code wrongly falls through from error() to fatal(). Patch attached.