The current cdc-sshd does not correctly handle the SELinux context transition for privilege-separated login sessions. Typically this causes no visible problem in an interactive shell, but it can break sftp/scp: the session process stays in the sshd_t domain, and sshd_t is not allowed to write to files labelled with other contexts.
When using Centrify OpenSSH:

    [rhargr1@dlbcansible1 ~]$ ps -axZ | grep sshd
    system_u:system_r:sshd_t:s0-s0:c0.c1023 9364 ? Ss 0:00 /usr/share/centrifydc/sbin/sshd -D
    system_u:system_r:sshd_t:s0-s0:c0.c1023 9448 ? Ss 0:00 sshd: rhargr1 [priv]
    system_u:system_r:sshd_t:s0-s0:c0.c1023 9452 ? S 0:00 sshd: rhargr1@pts/4
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9708 pts/5 R+ 0:00 grep --color=auto sshd

When using RHEL's default OpenSSH:

    [rhargr1@dlbcansible1 ~]$ ps -axZ | grep sshd
    system_u:system_r:sshd_t:s0-s0:c0.c1023 9989 ? Ss 0:00 /usr/sbin/sshd -D
    system_u:system_r:sshd_t:s0-s0:c0.c1023 9995 ? Ss 0:00 sshd: rhargr1 [priv]
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9999 ? S 0:00 sshd: rhargr1@pts/0
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 10027 pts/2 S+ 0:00 grep --color=auto ssh

Note the difference on the per-user session process (sshd: rhargr1@pts/N): with Centrify OpenSSH it remains in sshd_t, whereas with the stock daemon it has transitioned to the user's login domain (unconfined_t here). The daemon itself and the [priv] monitor process stay in sshd_t in both cases, which is expected.
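The following POSIX shell script is an added check, not part of the Centrify article or its software: it parses `ps -axZ` output and counts per-user sshd session processes (`sshd: user@tty`) whose SELinux domain is still sshd_t, which is the symptom described above. The daemon and the `[priv]` monitor are skipped because they legitimately stay in sshd_t. The sample lines are constructed from the article's two listings, and the function names `count_stuck_sessions` and `check_live` are chosen here.

```shell
#!/bin/sh
# Added example (not from the Centrify KB article): detect sshd session
# processes that did not transition out of the sshd_t SELinux domain.

# Constructed sample input modelled on the article's two ps -axZ listings.
SAMPLE_CENTRIFY='system_u:system_r:sshd_t:s0-s0:c0.c1023 9364 ? Ss 0:00 /usr/share/centrifydc/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 9448 ? Ss 0:00 sshd: rhargr1 [priv]
system_u:system_r:sshd_t:s0-s0:c0.c1023 9452 ? S 0:00 sshd: rhargr1@pts/4'

SAMPLE_STOCK='system_u:system_r:sshd_t:s0-s0:c0.c1023 9989 ? Ss 0:00 /usr/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 9995 ? Ss 0:00 sshd: rhargr1 [priv]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9999 ? S 0:00 sshd: rhargr1@pts/0'

# count_stuck_sessions: reads "ps -axZ" lines on stdin and prints the number of
# session processes (command "sshd: user@tty") whose domain is still sshd_t.
# Each offending process is also reported on stderr.  The daemon ("/usr/sbin/sshd")
# and the privilege-separation monitor ("sshd: user [priv]") are expected to
# remain in sshd_t and are therefore ignored.
count_stuck_sessions() {
    awk '
        # Field layout: $1 context, $2 pid, $3 tty, $4 stat, $5 time, $6.. command.
        $6 == "sshd:" && $7 ~ /@/ {
            split($1, ctx, ":")          # user:role:type:range -> ctx[3] is the type
            if (ctx[3] == "sshd_t") {
                stuck++
                printf "stuck in sshd_t: pid %s (%s %s) context %s\n", $2, $6, $7, $1 > "/dev/stderr"
            }
        }
        END { print stuck + 0 }
    '
}

# check_live: run the same check against the running host (needs SELinux and procps).
# A non-zero count means sftp/scp sessions will be confined to what sshd_t may write.
check_live() {
    ps -axZ | count_stuck_sessions
}
```

Run `check_live` on the host: a result of 0 means every interactive session has left sshd_t; on a host showing the article's Centrify listing it reports 1 and names pid 9452.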
Cause:
The current cdc-sshd does not correctly handle the SELinux context transition for privilege-separated login sessions. This is an SELinux issue that also exists in unpatched stock OpenSSH. This release of Centrify OpenSSH does not include the latest Red Hat SSH SELinux patch.
Resolution:
This will be fixed in the next release: cdc-ssh is planned to be updated to incorporate the Red Hat SELinux patch for OpenSSH.