Bug 1811

Summary:

ssh_selinux_enabled() fails without mounted /proc

Product:

Portable OpenSSH

Reporter:

openssh

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

normal

CC:

dtucker

Priority:

Version:

5.5p1

Hardware:

All

OS:

Linux

Bug Depends on:

Bug Blocks:

1803

Attachments:

Description	Flags
openssh-selinux-enabled.patch	djm: ok+

Description openssh 2010-08-28 07:45:41 AEST

is_selinux_enabled() may return -1, if it cannot open /proc/filesystems as you can see in the code: http://userspace.selinuxproject.org/trac/browser/libselinux/src/enabled.c

unfortunately the function ssh_selinux_enabled() does not check against failure (maybe due bad documentation of is_selinux_enabled() ), but use any non-0-value as enabled. further calls to any selinux-function will fail and no login is possible!

so please change the line "enabled = is_selinux_enabled();" in openbsd-compat/port-linux.c to something like "enabled = (1 == is_selinux_enabled());" or - if you think that a selinux-failure at this point have to lead to denied login - add an option to config to disable selinux-usage of sshd.

Comment 1 Darren Tucker 2010-09-10 10:20:40 AEST

Created attachment 1921 [details]
openssh-selinux-enabled.patch

Check return value of is_selinux_enabled for exact success value.

Comment 2 Darren Tucker 2010-09-10 10:31:32 AEST

patch has been committed and will be in the 5.7p1 release.  Thanks!

Comment 3 Damien Miller 2011-01-24 12:33:42 AEDT

Move resolved bugs to CLOSED after 5.7 release