Bug 2482 - SELinux integration
Summary: SELinux integration
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.1p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-23 03:47 AEDT by Jakub Jelen
Modified: 2021-04-23 15:09 AEST

See Also:


Attachments
selinux patches (1 - 4) (6.70 KB, patch)
2015-10-23 03:47 AEDT, Jakub Jelen

Description Jakub Jelen 2015-10-23 03:47:57 AEDT
Created attachment 2733 [details]
selinux patches (1 - 4)

Our bugzilla [1] was another impulse to review SELinux integration in openssh and preferably contribute the changes back to upstream in some understandable format after all these years:

1) Usage of a hard-coded constant (SECCLASS_CHR_FILE) is not advised anymore; we should use string_to_security_class instead. This is related to the removal of the selinux/flask.h header file. [2]

2) The second part is about context handling. We get the new context as the exec context, from PAM or from ssh_selinux_setup_exec_context. We can't (and don't want to) wait for the next fork/exec to change the context for us, since it can be after chroot (which needs to be handled in a special way). Therefore we want to do this context swap along with the other capability swaps. This adds the context switches in the do_setusercontext() function. This avoids the need to call an additional setexeccon from the user context (and the need for this capability) if the user needs to change their password. Also the sftpd_t context is not used anymore (sftp runs under the context of the actual user). [1]

3) The last bits so far are related to the privilege separation SELinux context (the net child is confined as sshd_net_t).

4) Root logins can also be confined by SELinux, so we should not skip privilege separation in the postauth phase (skipping also requires additional permissions to be available for the SELinux context of this user). [1]

Sorry for posting all patches in one, but they are quite closely related. If something is not clear from the description, I am free to explain the reasons behind each line further.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1269072
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1261496
Comment 1 Jakub Jelen 2018-03-28 01:37:33 AEDT
This was partially fixed by the following commit:

https://github.com/openssh/openssh-portable/commit/bda709b

Thank you.
Comment 2 Damien Miller 2021-04-23 15:09:19 AEST
closing resolved bugs as of 8.6p1 release