Bug 1919

Summary: do not change the context from unconfined_t
Product: Portable OpenSSH
Reporter: jchadima
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: minor
CC: djm, jchadima, t8m
Priority: P2
Version: 5.8p1
Hardware: All
OS: Linux
Attachments (Description / Flags):
patch solving the problem / none
selinux-unconfined.diff / dtucker: ok+

Description jchadima 2011-07-21 23:30:27 AEST
When sshd is running with the context unconfined_t (unprivileged default), SELinux policy prohibits changing this context to another. Trying to change it is logged as an error.
Comment 1 jchadima 2011-07-21 23:33:15 AEST
Created attachment 2066 [details]
patch solving the problem
Comment 2 Damien Miller 2011-08-12 11:17:42 AEST
Is the restriction of changing away from unconfined_t just a matter of policy? If so, then introducing a short-circuit like this could severely break people who have modified this policy.

Would it be better to attempt the change in policy but just downgrade the logit() to a debug3() if the previous type was unconfined_t?
Comment 3 jchadima 2011-08-12 13:05:47 AEST
Unconfined is the unprivileged default, something like a database NULL. There should be no operations on it in the policy. An unconfined thing should stay unconfined forever.
Comment 4 Tomas Mraz 2011-08-16 00:35:35 AEST
Jan, in arbitrary policies unconfined_t might mean just anything. So I agree with Damien that just downgrading the log messages to debug3 if a transition from unconfined_t is involved is more appropriate.
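The approach Damien and Tomas converge on above, written out as an added example (not the attached patch and not OpenSSH's own code): build the target context the way sshd's SELinux support does (keep user, role and MLS level, swap in the new type), then choose the log level for a failed setcon(), demoting it to debug3 only when the source type is unconfined_t so that a refusal under the default policy is not reported as an error. The helper names and the xlog_level values are assumptions; the libselinux getcon()/setcon() calls are left to the caller so this builds without libselinux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for sshd's error() and debug3() log levels (hypothetical). */
enum xlog_level { XLOG_ERROR = 0, XLOG_DEBUG3 = 3 };
/* Type the default SELinux policy gives unconfined domains. */
#define UNCONFINED_TYPE "unconfined_t"

/* Point at the type field of "user:role:type[:level]"; NULL if unparseable. */
static const char *
selinux_context_type(const char *ctx)
{
	const char *cx;
	if ((cx = strchr(ctx, ':')) == NULL || (cx = strchr(cx + 1, ':')) == NULL)
		return NULL;
	return cx + 1;
}

/* Copy oldctx with the type replaced by newtype; caller calls setcon() and frees it. */
char *
build_new_context(const char *oldctx, const char *newtype)
{
	const char *type, *level;
	size_t len;
	char *newctx;

	if ((type = selinux_context_type(oldctx)) == NULL)
		return NULL;
	level = strchr(type, ':');              /* ":s0-s0:c0.c1023", or none */
	if (level == NULL)
		level = "";
	len = (size_t)(type - oldctx) + strlen(newtype) + strlen(level) + 1;
	if ((newctx = malloc(len)) == NULL)
		return NULL;
	snprintf(newctx, len, "%.*s%s%s", (int)(type - oldctx), oldctx, newtype, level);
	return newctx;
}

/* Level for a failed setcon(): the default policy refuses to leave unconfined_t, so that is debug noise. */
enum xlog_level
setcon_failure_level(const char *oldctx)
{
	const char *type = selinux_context_type(oldctx);
	size_t n = sizeof(UNCONFINED_TYPE) - 1;
	if (type != NULL && strncmp(type, UNCONFINED_TYPE, n) == 0 &&
	    (type[n] == ':' || type[n] == '\0'))
		return XLOG_DEBUG3;
	return XLOG_ERROR;
}
```

The type comparison checks the field boundary, so a constructed type such as "unconfined_tcp_t" is still reported at error level; only an exact unconfined_t source is demoted.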
Comment 5 Damien Miller 2011-08-29 15:49:16 AEST
Created attachment 2077 [details]
selinux-unconfined.diff

revised patch
Comment 6 Damien Miller 2011-08-29 16:10:39 AEST
applied - this will be in 5.9, due in a few days
Comment 7 Damien Miller 2011-09-06 15:33:10 AEST
close resolved bugs now that openssh-5.9 has been released