Hi,

        The behaviour reported does not make sense to me. Looking at
 sshd code, the only place ssh_selinux_getctxbyname is called is in
 openbsd-compat/port-linux.c, and sshd takes care to see if selinux is
 enabled:
--8<---------------cut here---------------start------------->8---

/* Wrapper around is_selinux_enabled() to log its return value once only */
int
ssh_selinux_enabled(void)
{
        static int enabled = -1;

        if (enabled == -1) {
                enabled = is_selinux_enabled();
                debug("SELinux support %s", enabled ? "enabled" : "disabled");
        }

        return (enabled);
}
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
{
 ....
         if (!ssh_selinux_enabled())
                return;
 ....
         user_ctx = ssh_selinux_getctxbyname(pwname);
        if (setexeccon(user_ctx) != 0) {
                switch (security_getenforce()) {
                case -1:
                        fatal("%s: security_getenforce() failed", __func__);
....
--8<---------------cut here---------------end--------------->8---

        So, the message should only be emitted if selinux is enabled,
 which implies that /selinux is mounted. If /selinux  is empty, the code
 should never run.

        There is something here that I do not understand.

        manoj

-- 
I'm dressing up in an ill-fitting IVY-LEAGUE SUIT!!  Too late...
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to