Bug 1891 - selinux policy does not like to exec passwd from sshd directly
Summary: selinux policy does not like to exec passwd from sshd directly
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.8p1
Hardware: All Linux
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_5_9
Reported: 2011-04-15 20:18 AEST by jchadima
Modified: 2011-09-06 15:33 AEST (History)

See Also:


Attachments
patch solving the problem (705 bytes, patch)
2011-04-15 20:20 AEST, jchadima
no flags
The new patch (841 bytes, patch)
2011-04-21 06:34 AEST, jchadima
no flags
/tmp/pwchange-selinux.diff (574 bytes, patch)
2011-05-06 10:26 AEST, Damien Miller
dtucker: ok+

Description jchadima 2011-04-15 20:18:56 AEST
There should be an intermediate shell to satisfy the policy.
Comment 1 jchadima 2011-04-15 20:20:05 AEST
Created attachment 2030
patch solving the problem
Comment 2 Damien Miller 2011-04-15 20:22:29 AEST
Surely you can just change the policy? Using a shell means that we will have to audit the environment that it runs in; executing directly provides fewer opportunities for attack.
Comment 3 jchadima 2011-04-21 06:34:31 AEST
Created attachment 2034
The new patch

Another possibility for how to solve the selinux problem.
Comment 4 Damien Miller 2011-04-21 07:39:57 AEST
So, you still haven't answered my question from comment #2.

Also, why is the fork() necessary? Can't you just do setexeccon(NULL) before the execl()?
Comment 5 jchadima 2011-04-22 07:26:07 AEST
You are right; in this consideration setexeccon(NULL) is enough.
Comment 6 Damien Miller 2011-05-06 10:26:21 AEST
Created attachment 2039
/tmp/pwchange-selinux.diff

setexeccon() before exec()
Comment 7 Damien Miller 2011-05-06 10:26:59 AEST
So attachment #2039 is sufficient?
Comment 8 jchadima 2011-05-06 21:21:40 AEST
Yes, it is OK.
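The pattern the thread settles on, as an added example that is not OpenSSH's code or any of the attached patches: fork, reset the SELinux exec context with setexeccon(NULL) in the child, and exec passwd directly with a minimal environment instead of going through an intermediate shell. The path /usr/bin/passwd, the WITH_SELINUX build macro used to gate the libselinux calls, the USER/HOME/PATH environment set, and the user and home values are assumptions for illustration. Build with -DWITH_SELINUX -lselinux on a system with libselinux; without that define it compiles and runs with the reset compiled out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#endif

/* Path assumed for this example; OpenSSH takes it from its build configuration. */
#define PASSWD_PROGRAM "/usr/bin/passwd"

/* Allocate "KEY=VALUE" for one environment entry; NULL on allocation failure. */
static char *env_entry(const char *key, const char *value)
{
    size_t len = strlen(key) + 1 + strlen(value) + 1;
    char *s = malloc(len);
    if (s == NULL)
        return NULL;
    snprintf(s, len, "%s=%s", key, value);
    return s;
}

/* Free a NULL-terminated environment array built by build_passwd_env(). */
void free_env(char **env)
{
    if (env == NULL)
        return;
    for (char **p = env; *p != NULL; p++)
        free(*p);
    free(env);
}

/*
 * Build the minimal environment passwd will see. Because the program is
 * executed directly rather than through a shell, this array is the whole
 * environment: nothing inherited from the session (LD_PRELOAD, BASH_ENV,
 * exported shell functions, ...) reaches passwd unless listed here.
 * The variable set is an assumption for the example.
 * Returns a NULL-terminated array, or NULL on allocation failure.
 */
char **build_passwd_env(const char *user, const char *home)
{
    char **env = calloc(4, sizeof(*env));
    if (env == NULL)
        return NULL;
    env[0] = env_entry("USER", user);
    env[1] = env_entry("HOME", home);
    env[2] = env_entry("PATH", "/usr/bin:/bin");
    env[3] = NULL;
    if (env[0] == NULL || env[1] == NULL || env[2] == NULL) {
        free(env[0]);
        free(env[1]);
        free(env[2]);
        free(env);
        return NULL;
    }
    return env;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_count(char *const *env)
{
    size_t n = 0;
    while (env[n] != NULL)
        n++;
    return n;
}

/*
 * Reset the SELinux exec context in the child before exec. With no explicit
 * exec context set, the kernel applies the policy's transition for the
 * passwd binary instead of carrying sshd's context across the exec.
 * Returns 0 on success, or when SELinux is disabled or compiled out, and
 * -1 if the reset fails; the child must not exec in that case.
 */
int reset_exec_context(void)
{
#ifdef WITH_SELINUX
    if (is_selinux_enabled() <= 0)
        return 0;
    if (setexeccon(NULL) != 0) {
        perror("setexeccon");
        return -1;
    }
#endif
    return 0;
}

/*
 * Fork and exec passwd directly for user. Returns passwd's exit status,
 * 127 if the child could not exec, or -1 on a fork/wait error.
 */
int run_passwd(const char *user, const char *home)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        char **env = build_passwd_env(user, home);
        if (env == NULL || reset_exec_context() != 0)
            _exit(127);
        execle(PASSWD_PROGRAM, "passwd", (char *)NULL, env);
        perror("execle");
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user home\n", argv[0]);
        return 2;
    }
    return run_passwd(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

The reset happens after the fork and immediately before the exec, so it only affects the child; a setexeccon(NULL) in the parent would change the context used for every later exec sshd performs in that process.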
Comment 9 Damien Miller 2011-05-20 11:24:56 AEST
Patch applied - thanks.
Comment 10 Damien Miller 2011-09-06 15:33:03 AEST
Close resolved bugs now that openssh-5.9 has been released.