diff -up openssh-5.9p1/session.c.privsep-selinux openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.privsep-selinux 2012-08-01 15:36:33.397565915 +0200
+++ openssh-5.9p1/session.c 2012-08-02 18:18:15.038094629 +0200
@@ -1536,6 +1536,13 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ if (options.chroot_directory == NULL ||
+ strcasecmp(options.chroot_directory, "none") == 0) {
+ ssh_selinux_copy_context();
+ }
+#endif
}
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
diff -up openssh-5.9p1/sshd.c.privsep-selinux openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.privsep-selinux 2012-08-01 16:09:22.949423356 +0200
+++ openssh-5.9p1/sshd.c 2012-08-02 18:07:22.912225684 +0200
@@ -790,6 +790,14 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
+#ifdef WITH_SELINUX
+ /* switch SELinux content for root too */
+ if (authctxt->pw->pw_uid == 0 && (options.chroot_directory == NULL ||
+ strcasecmp(options.chroot_directory, "none") == 0)) {
+ ssh_selinux_copy_context();
+ }
+#endif
+
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);