diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
--- openssh-6.1p1/session.c.privsep-selinux 2012-09-15 13:45:26.079476022 +0200
+++ openssh-6.1p1/session.c 2012-09-15 13:45:28.460522390 +0200
@@ -1513,6 +1513,7 @@ do_setusercontext(struct passwd *pw)
platform_setusercontext_post_groups(pw);
+
if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
tmp = tilde_expand_filename(options.chroot_directory,
@@ -1536,6 +1537,10 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ ssh_selinux_copy_context();
+#endif
}
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.privsep-selinux 2012-09-15 13:45:26.062475676 +0200
+++ openssh-6.1p1/sshd.c 2012-09-15 13:45:28.467522539 +0200
@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
+#ifdef WITH_SELINUX
+ /* switch SELinux content for root too */
+ if (authctxt->pw->pw_uid == 0) {
+ ssh_selinux_copy_context();
+ }
+#endif
+
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);