[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#454076: marked as done (sshd executed in chroot-environment refuses connections if SELinux is disabled by boot option selinux=0)

Your message dated Thu, 25 Jun 2009 16:41:54 +0100
with message-id <20090625154153.GP25892@riva.ucam.org>
and subject line Re: Patch submitted to openssh upstream works around this
has caused the Debian Bug report #454076,
regarding sshd executed in chroot-environment refuses connections if SELinux is disabled by boot option selinux=0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

454076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454076
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.6p1-5
Severity: normal

--- Please enter the report below this line. ---

sshd executed in chroot-environment refuses connections if SELinux is
disabled by boot option selinux=0, whereas with sshd executed in
"regular" environment same ssh-login works flawless.

chroot-environment is built "manually" using cdebootstrap and strace,
I tried hardly to append all files used by sshd.

$  ssh -l tamino
tamino@'s password:
Read from remote host Connection reset by peer
Connection to closed.

#  /var/log/messages
Dec  2 22:09:08 roland sshd[15879]: Accepted password for tamino from port 3325 ssh2
Dec  2 22:09:08 roland sshd[15881]: (pam_unix) session opened for user tamino by (uid=0)
Dec  2 22:09:08 roland sshd[15881]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
Dec  2 22:09:08 roland sshd[15881]: (pam_unix) session closed for user tamino

#  kernel compiled with SELinux,
#  SELinux disabled by boot option selinux=0,
#  SELinux policy not yet installed
$  zgrep SELINUX /proc/config.gz

--- System information. ---
Architecture: i386
Kernel:       Linux

Debian Release: 4.0
  500 unstable        gd.tuwien.ac.at 
  500 testing         security.debian.org 
  500 testing         gd.tuwien.ac.at 
  500 oldstable       gd.tuwien.ac.at 
  500 edgy            wine.budgetdedicated.com 
    1 experimental    gd.tuwien.ac.at 

--- Package information. ---
Depends                        (Version) | Installed
libc6                         (>= 2.6-1) | 2.6.1-1
libcomerr2                   (>= 1.33-3) | 1.39+1.40-WIP-2006.11.14+dfsg-1
libkrb53                 (>= 1.6.dfsg.1) | 1.6.dfsg.1-4
libpam0g                       (>= 0.76) | 0.79-4
libselinux1                  (>= 2.0.15) | 2.0.15-2+b1
libssl0.9.8                (>= 0.9.8e-1) | 0.9.8e-5
libwrap0                                 | 7.6.dbs-12
zlib1g             (>= 1: | 1:
debconf                      (>= 1.2.0)  | 1.5.11
 OR debconf-2.0                          | 
libpam-runtime              (>= 0.76-14) | 0.79-4
libpam-modules               (>= 0.72-9) | 0.79-4
adduser                         (>= 3.9) | 3.102
dpkg                          (>= 1.9.0) | 1.13.25
openssh-client             (= 1:4.6p1-5) | 1:4.6p1-5
lsb-base                      (>= 3.0-6) | 3.1-23

Roland Eggner

--- End Message ---
--- Begin Message ---
Source: openssh
Version: 1:5.1p1-1

On Thu, Jun 25, 2009 at 08:57:49AM -0500, Manoj Srivastava wrote:
>         There has been a patch submitted to openssh-unix-dev
>   http://marc.info/?l=openssh-unix-dev&m=120615000019541&w=2
>  which will allow ssh (with SELinux compiled in) to work in the chroot
>  where selinux is not enabled. This fix has already been incorporated by
>  Ubuntu.

Well, speaking as somebody who uploads openssh to both Debian and Ubuntu
:-), it was only incorporated by Ubuntu by virtue of being incorporated
by Debian, which in turn was by virtue of being incorporated by
upstream. If that patch was what fixed this bug, then it's fixed in
version 1:5.1p1-1, which is in Debian stable.


Colin Watson                                       [cjwatson@debian.org]

--- End Message ---

Reply to: