Bug 1811 - ssh_selinux_enabled() fails without mounted /proc
Summary: ssh_selinux_enabled() fails without mounted /proc
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 5.5p1
Hardware: All Linux
: P3 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_5_7
  Show dependency treegraph
 
Reported: 2010-08-28 07:45 AEST by openssh
Modified: 2011-01-24 12:33 AEDT (History)
1 user (show)

See Also:

Attachments
openssh-selinux-enabled.patch (588 bytes, text/plain)
2010-09-10 10:20 AEST, Darren Tucker 		djm: ok+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description openssh 2010-08-28 07:45:41 AEST 
is_selinux_enabled() may return -1, if it cannot open /proc/filesystems as you can see in the code: http://userspace.selinuxproject.org/trac/browser/libselinux/src/enabled.c

unfortunately the function ssh_selinux_enabled() does not check against failure (maybe due bad documentation of is_selinux_enabled() ), but use any non-0-value as enabled. further calls to any selinux-function will fail and no login is possible!

so please change the line "enabled = is_selinux_enabled();" in openbsd-compat/port-linux.c to something like "enabled = (1 == is_selinux_enabled());" or - if you think that a selinux-failure at this point have to lead to denied login - add an option to config to disable selinux-usage of sshd.
Comment 1 Darren Tucker 2010-09-10 10:20:40 AEST 
Created attachment 1921 [details]
openssh-selinux-enabled.patch

Check return value of is_selinux_enabled for exact success value.
Comment 2 Darren Tucker 2010-09-10 10:31:32 AEST 
patch has been committed and will be in the 5.7p1 release.  Thanks!
Comment 3 Damien Miller 2011-01-24 12:33:42 AEDT 
Move resolved bugs to CLOSED after 5.7 release