Hi,
The behaviour reported does not make sense to me. Looking at
sshd code, the only place ssh_selinux_getctxbyname is called is in
openbsd-compat/port-linux.c, and sshd takes care to see if selinux is
enabled:
--8<---------------cut here---------------start------------->8---
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
ssh_selinux_enabled(void)
{
static int enabled = -1;
if (enabled == -1) {
enabled = is_selinux_enabled();
debug("SELinux support %s", enabled ? "enabled" : "disabled");
}
return (enabled);
}
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
{
....
if (!ssh_selinux_enabled())
return;
....
user_ctx = ssh_selinux_getctxbyname(pwname);
if (setexeccon(user_ctx) != 0) {
switch (security_getenforce()) {
case -1:
fatal("%s: security_getenforce() failed", __func__);
....
--8<---------------cut here---------------end--------------->8---
So, the message should only be emitted if selinux is enabled,
which implies that /selinux is mounted. If /selinux is empty, the code
should never run.
There is something here that I do not understand.
manoj
--
I'm dressing up in an ill-fitting IVY-LEAGUE SUIT!! Too late...
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]