Bug 1919 - do not change the context from unconfined_t
Summary: do not change the context from unconfined_t
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.8p1
Hardware: All Linux
Importance: P2 minor
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-21 23:30 AEST by jchadima
Modified: 2011-09-06 15:33 AEST
CC List: 3 users

See Also:


Attachments
patch solving the problem (598 bytes, patch)
2011-07-21 23:33 AEST, jchadima
no flags
selinux-unconfined.diff (2.09 KB, patch)
2011-08-29 15:49 AEST, Damien Miller
dtucker: ok+

Description jchadima 2011-07-21 23:30:27 AEST
When sshd is running with the context unconfined_t (the unprivileged default), the SELinux policy prohibits changing this context to another. Trying to change it is logged as an error.
Comment 1 jchadima 2011-07-21 23:33:15 AEST
Created attachment 2066
patch solving the problem
Comment 2 Damien Miller 2011-08-12 11:17:42 AEST
Is the restriction of changing away from unconfined_t just a matter of policy? If so, then introducing a short-circuit like this could severely break people who have modified this policy.

Would it be better to attempt the change in policy but just downgrade the logit() to a debug3() if the previous type was unconfined_t?
Comment 3 jchadima 2011-08-12 13:05:47 AEST
Unconfined is the unprivileged default, something like a database NULL. There should be no operations on it in the policy. An unconfined thing should stay unconfined forever.
Comment 4 Tomas Mraz 2011-08-16 00:35:35 AEST
Jan, in arbitrary policies the unconfined_t might mean just anything. So I agree with Damien that just downgrading the log messages to debug3 if a transition from unconfined_t is involved is more appropriate.
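The approach agreed in comments 2 and 4 (still attempt the context change, but log a failure at debug3 rather than as an error when the process started out as unconfined_t) as an added illustration; this is example code written for this page, not the attached patch or OpenSSH's own port-linux.c. It assumes the standard SELinux context layout user:role:type:level, uses the OpenSSH log level names SYSLOG_LEVEL_ERROR and SYSLOG_LEVEL_DEBUG3 with numeric values chosen here, and stands in a caller-supplied setter for setexeccon(3) so the decision logic can be exercised without libselinux. The sample contexts are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Log level names follow OpenSSH's log.h; the numeric values are an
 * assumption for this example only. */
enum log_level { SYSLOG_LEVEL_ERROR = 0, SYSLOG_LEVEL_DEBUG3 = 6 };

/* Extract the type field (third colon-separated field) of an SELinux context
 * such as "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".
 * Returns 0 on success, -1 if there are fewer than three fields or the type
 * does not fit in out. The MLS range after the type, if any, is ignored. */
int selinux_context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx, *q;
    size_t len;
    int field;

    for (field = 0; field < 2; field++) {
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    q = strchr(p, ':');
    len = q != NULL ? (size_t)(q - p) : strlen(p);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Level at which a failed context change should be logged: debug3 when the
 * process was unconfined_t to begin with (the policy is expected to refuse
 * the transition, as the bug describes), error otherwise. */
enum log_level context_change_fail_level(const char *oldctx)
{
    char type[64];

    if (selinux_context_type(oldctx, type, sizeof type) == 0 &&
        strcmp(type, "unconfined_t") == 0)
        return SYSLOG_LEVEL_DEBUG3;
    return SYSLOG_LEVEL_ERROR;
}

/* Attempt the change through 'setter' (a stand-in for setexeccon(3):
 * 0 on success, -1 on failure). Returns 0 on success; on failure returns -1
 * and stores in *level the severity the failure message would be logged at. */
int try_change_context(const char *oldctx, const char *newctx,
                       int (*setter)(const char *), enum log_level *level)
{
    if (setter(newctx) == 0)
        return 0;
    *level = context_change_fail_level(oldctx);
    return -1;
}

/* Simulated policy that denies every transition, like a policy that has no
 * rules for leaving unconfined_t. */
static int deny_all(const char *newctx)
{
    (void)newctx;
    return -1;
}

int main(void)
{
    /* Constructed sample contexts. */
    const char *unconf = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023";
    const char *sshd = "system_u:system_r:sshd_t:s0";
    enum log_level lvl;

    if (try_change_context(unconf, sshd, deny_all, &lvl) != 0)
        printf("change from unconfined_t failed, logged at %s\n",
               lvl == SYSLOG_LEVEL_DEBUG3 ? "debug3" : "error");
    if (try_change_context(sshd, unconf, deny_all, &lvl) != 0)
        printf("change from sshd_t failed, logged at %s\n",
               lvl == SYSLOG_LEVEL_DEBUG3 ? "debug3" : "error");
    return 0;
}
```

In sshd the old context would come from getcon(3) and the setter would be setexeccon(3); the point of keeping the attempt is that a site with a policy that does allow leaving unconfined_t still gets the transition, and only the noise on the denial is suppressed.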
Comment 5 Damien Miller 2011-08-29 15:49:16 AEST
Created attachment 2077
selinux-unconfined.diff

revised patch
Comment 6 Damien Miller 2011-08-29 16:10:39 AEST
applied - this will be in 5.9, due in a few days
Comment 7 Damien Miller 2011-09-06 15:33:10 AEST
close resolved bugs now that openssh-5.9 has been released