
Bug#454076: marked as done (sshd executed in chroot-environment refuses connections if SELinux is disabled by boot option selinux=0)



Your message dated Thu, 25 Jun 2009 16:41:54 +0100
with message-id <20090625154153.GP25892@riva.ucam.org>
and subject line Re: Patch submitted to openssh upstream works around this
has caused the Debian Bug report #454076,
regarding sshd executed in chroot-environment refuses connections if SELinux is disabled by boot option selinux=0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
454076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454076
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.6p1-5
Severity: normal

--- Please enter the report below this line. ---

sshd executed in a chroot environment refuses connections if SELinux is
disabled by boot option selinux=0, whereas with sshd executed in a
"regular" environment the same ssh-login works flawlessly.

The chroot environment is built "manually" using cdebootstrap and strace;
I tried hard to append all files used by sshd.


$  ssh -l tamino 127.0.0.1
#-------------------------
tamino@127.0.0.1's password:
Read from remote host 127.0.0.1: Connection reset by peer
Connection to 127.0.0.1 closed.


#  /var/log/messages
#-------------------
Dec  2 22:09:08 roland sshd[15879]: Accepted password for tamino from 127.0.0.1 port 3325 ssh2
Dec  2 22:09:08 roland sshd[15881]: (pam_unix) session opened for user tamino by (uid=0)
Dec  2 22:09:08 roland sshd[15881]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
Dec  2 22:09:08 roland sshd[15881]: (pam_unix) session closed for user tamino
..


#  kernel compiled with SELinux,
#  SELinux disabled by boot option selinux=0,
#  SELinux policy not yet installed
$  zgrep SELINUX /proc/config.gz
#-------------------------------
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y


--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.18.5roland2

Debian Release: 4.0
  500 unstable        gd.tuwien.ac.at 
  500 testing         security.debian.org 
  500 testing         gd.tuwien.ac.at 
  500 oldstable       gd.tuwien.ac.at 
  500 edgy            wine.budgetdedicated.com 
    1 experimental    gd.tuwien.ac.at 

--- Package information. ---
Depends                        (Version) | Installed
========================================-+-======================
libc6                         (>= 2.6-1) | 2.6.1-1
libcomerr2                   (>= 1.33-3) | 1.39+1.40-WIP-2006.11.14+dfsg-1
libkrb53                 (>= 1.6.dfsg.1) | 1.6.dfsg.1-4
libpam0g                       (>= 0.76) | 0.79-4
libselinux1                  (>= 2.0.15) | 2.0.15-2+b1
libssl0.9.8                (>= 0.9.8e-1) | 0.9.8e-5
libwrap0                                 | 7.6.dbs-12
zlib1g             (>= 1:1.2.3.3.dfsg-1) | 1:1.2.3.3.dfsg-5
debconf                      (>= 1.2.0)  | 1.5.11
 OR debconf-2.0                          | 
libpam-runtime              (>= 0.76-14) | 0.79-4
libpam-modules               (>= 0.72-9) | 0.79-4
adduser                         (>= 3.9) | 3.102
dpkg                          (>= 1.9.0) | 1.13.25
openssh-client             (= 1:4.6p1-5) | 1:4.6p1-5
lsb-base                      (>= 3.0-6) | 3.1-23


-- 
Roland Eggner




--- End Message ---
--- Begin Message ---
Source: openssh
Version: 1:5.1p1-1

On Thu, Jun 25, 2009 at 08:57:49AM -0500, Manoj Srivastava wrote:
>         There has been a patch submitted to openssh-unix-dev
>   http://marc.info/?l=openssh-unix-dev&m=120615000019541&w=2
>  which will allow ssh (with SELinux compiled in) to work in the chroot
>  where selinux is not enabled. This fix has already been incorporated by
>  Ubuntu.

Well, speaking as somebody who uploads openssh to both Debian and Ubuntu
:-), it was only incorporated by Ubuntu by virtue of being incorporated
by Debian, which in turn was by virtue of being incorporated by
upstream. If that patch was what fixed this bug, then it's fixed in
version 1:5.1p1-1, which is in Debian stable.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]


--- End Message ---
