Bug 1891

Summary: selinux policy does not like to exec passwd from sshd directly
Product: Portable OpenSSH
Reporter: jchadima
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: djm, jchadima
Priority: P2
Version: 5.8p1
Hardware: All
OS: Linux
Bug Depends on:
Bug Blocks: 1845
Attachments:
  patch solving the problem        (flags: none)
  The new patch                    (flags: none)
  /tmp/pwchange-selinux.diff       (flags: dtucker: ok+)

Description jchadima 2011-04-15 20:18:56 AEST
There should be an intermediate shell to satisfy the policy.
Comment 1 jchadima 2011-04-15 20:20:05 AEST
Created attachment 2030
patch solving the problem
Comment 2 Damien Miller 2011-04-15 20:22:29 AEST
Surely you can just change the policy? Using a shell means that we will have to audit the environment that it runs in; executing directly provides fewer opportunities for attack.
Comment 3 jchadima 2011-04-21 06:34:31 AEST
Created attachment 2034
The new patch

Another possibility for how to solve the SELinux problem.
Comment 4 Damien Miller 2011-04-21 07:39:57 AEST
So, you still haven't answered my question from comment #2.

Also, why is the fork() necessary? Can't you just do setexeccon(NULL) before the execl()?
Comment 5 jchadima 2011-04-22 07:26:07 AEST
You are right; in this consideration setexeccon(NULL) is enough.
Comment 6 Damien Miller 2011-05-06 10:26:21 AEST
Created attachment 2039
/tmp/pwchange-selinux.diff

setexeccon() before exec()
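The pattern settled on in comments 4 through 6, resetting the SELinux exec context with setexeccon(NULL) right before exec'ing the password program instead of going through an intermediate shell, shown as an added example. This is not the attached patch or OpenSSH's own code; the function name exec_with_default_transition, the WITH_SELINUX build flag and the use of /bin/sh as a stand-in for the passwd binary are assumptions of this example.

```c
/* Added example (not OpenSSH code): fork, clear the pending SELinux exec
 * context, then exec. Build with -DWITH_SELINUX and -lselinux on a host that
 * has libselinux; without the flag the setexeccon() call is compiled out and
 * the program degrades to a plain fork/exec, which still exercises the flow. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#endif

/*
 * Run `path` with `argv` in a child and return its exit status (0..255),
 * or -1 if fork()/waitpid() failed or the child was killed by a signal.
 *
 * sshd sets an exec context for the user's session shell earlier in the
 * login path. If that context is still pending when sshd execs passwd
 * directly, the kernel tries to run passwd in the user's context, which
 * the policy does not allow from sshd. setexeccon(NULL) clears the pending
 * context so the policy's own type transition for the passwd binary is
 * used on the next execve(), which is what attachment 2039 relies on.
 */
int exec_with_default_transition(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid == -1) {
        perror("fork");
        return -1;
    }
    if (pid == 0) {
#ifdef WITH_SELINUX
        if (is_selinux_enabled() > 0 && setexeccon(NULL) != 0) {
            perror("setexeccon(NULL)");
            _exit(127);
        }
#endif
        execv(path, argv);
        perror(path);            /* only reached if execv() failed */
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1) {
        perror("waitpid");
        return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;                   /* terminated by a signal */
}

int main(void)
{
    /* /bin/sh stands in for the password program in this demo. */
    char *const demo[] = { "sh", "-c", "exit 0", NULL };
    int rc = exec_with_default_transition("/bin/sh", demo);
    printf("child exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Note the order inside the child: the context reset must come after fork() and before execv(), since setexeccon() only affects the calling thread's next execve(); resetting it in the parent would also strip the context sshd had prepared for the user's shell.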
Comment 7 Damien Miller 2011-05-06 10:26:59 AEST
So attachment #2039 is sufficient?
Comment 8 jchadima 2011-05-06 21:21:40 AEST
Yes, it is OK.
Comment 9 Damien Miller 2011-05-20 11:24:56 AEST
patch applied - thanks
Comment 10 Damien Miller 2011-09-06 15:33:03 AEST
close resolved bugs now that openssh-5.9 has been released