openssh/openssh-5.9p1-privsep-selinux.patch

diff --git a/session.c b/session.c
index 436ea48..49c9321 100644
--- a/session.c
+++ b/session.c
@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)
 #endif
 	}
 
+#ifdef WITH_SELINUX
+	if (options.chroot_directory == NULL ||
+	    strcasecmp(options.chroot_directory, "none") == 0) {
+		ssh_selinux_copy_context();
+	}
+#endif
+
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
 }
@@ -1693,7 +1700,9 @@ do_child(Session *s, const char *command)
 		/* When PAM is enabled we rely on it to do the nologin check */
 		if (!options.use_pam)
 			do_nologin(pw);
-		do_setusercontext(pw);
+		/* We are already separated */
+		if (!use_privsep)
+			do_setusercontext(pw);
 		/*
 		 * PAM session modules in do_setusercontext may have
 		 * generated messages, so if this in an interactive
run privsep slave process as the users SELinux context (#781634) 2012-01-31 13:09:00 +00:00			`diff --git a/session.c b/session.c`
			`index 436ea48..49c9321 100644`
			`--- a/session.c`
			`+++ b/session.c`
			`@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)`
			`#endif`
			`}`

			`+#ifdef WITH_SELINUX`
			`+ if (options.chroot_directory == NULL \|\|`
			`+ strcasecmp(options.chroot_directory, "none") == 0) {`
			`+ ssh_selinux_copy_context();`
			`+ }`
			`+#endif`
			`+`
			`if (getuid() != pw->pw_uid \|\| geteuid() != pw->pw_uid)`
			`fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);`
			`}`
			`@@ -1693,7 +1700,9 @@ do_child(Session s, const char command)`
			`/* When PAM is enabled we rely on it to do the nologin check */`
			`if (!options.use_pam)`
			`do_nologin(pw);`
			`- do_setusercontext(pw);`
			`+ /* We are already separated */`
			`+ if (!use_privsep)`
			`+ do_setusercontext(pw);`
			`/*`
			`* PAM session modules in do_setusercontext may have`
			`* generated messages, so if this in an interactive`