Commit | Line | Data |
---|---|---|
166dad71 AM |
1 | --- openssh-3.7.1p2.org/session.c 2003-12-26 20:14:53.000000000 +0100 |
2 | +++ openssh-3.7.1p2/session.c 2003-12-26 20:15:50.000000000 +0100 | |
3 | @@ -62,6 +62,11 @@ | |
4 | #include "ssh-gss.h" | |
5 | #endif | |
03ad15b9 AM |
6 | |
7 | +#ifdef WITH_SELINUX | |
8 | +#include <selinux/get_context_list.h> | |
9 | +#include <selinux/selinux.h> | |
10 | +#endif | |
11 | + | |
166dad71 AM |
12 | /* func */ |
13 | ||
14 | Session *session_new(void); | |
15 | @@ -1295,6 +1300,18 @@ | |
03ad15b9 AM |
16 | #endif |
17 | if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) | |
18 | fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); | |
19 | +#ifdef WITH_SELINUX | |
5725b29c | 20 | + if (is_selinux_enabled()>0) |
03ad15b9 AM |
21 | + { |
22 | + security_context_t scontext; | |
23 | + if (get_default_context(pw->pw_name,NULL,&scontext)) | |
24 | + fatal("Failed to get default security context for %s.", pw->pw_name); | |
25 | + if (setexeccon(scontext)) { | |
26 | + fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name); | |
27 | + } | |
28 | + freecon(scontext); | |
29 | + } | |
30 | +#endif | |
31 | } | |
32 | ||
33 | static void | |
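Review bot: The `is_selinux_enabled()>0` guard fails open: on any non-positive return, including an error return if the installed libselinux reports one, the block is skipped and the user's command is exec'd without `setexeccon()` being called, so it presumably keeps whatever context sshd itself runs in. Nothing is logged on that path, so a missed transition would not be visible afterwards. I would keep the return value and at least log the negative case, e.g. `else if (rc < 0) error("is_selinux_enabled() failed; exec context not set for %s", pw->pw_name);`. Separately, a failing `get_default_context()` is `fatal()` regardless of mode, which can lock out logins on a permissive host; checking `security_getenforce()` before calling `fatal()` would avoid that. The enclosing function begins above this hunk.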
1e68a739 | 34 | --- openssh-3.8p1/sshpty.c.orig 2004-01-21 07:07:17.000000000 +0100 |
35 | +++ openssh-3.8p1/sshpty.c 2004-02-25 21:19:57.000000000 +0100 | |
03ad15b9 AM |
36 | @@ -22,6 +22,12 @@ |
37 | #include "log.h" | |
38 | #include "misc.h" | |
39 | ||
40 | +#ifdef WITH_SELINUX | |
41 | +#include <selinux/flask.h> | |
42 | +#include <selinux/get_context_list.h> | |
43 | +#include <selinux/selinux.h> | |
44 | +#endif | |
45 | + | |
1e68a739 | 46 | #ifdef HAVE_PTY_H |
47 | # include <pty.h> | |
48 | #endif | |
49 | @@ -196,6 +202,37 @@ | |
03ad15b9 AM |
50 | * Warn but continue if filesystem is read-only and the uids match/ |
51 | * tty is owned by root. | |
52 | */ | |
53 | +#ifdef WITH_SELINUX | |
5725b29c | 54 | + if (is_selinux_enabled()>0) { |
03ad15b9 AM |
55 | + security_context_t new_tty_context=NULL, |
56 | + user_context=NULL, old_tty_context=NULL; | |
57 | + | |
58 | + if (get_default_context(pw->pw_name,NULL,&user_context)) | |
59 | + fatal("Failed to get default security context for %s.", pw->pw_name); | |
60 | + | |
61 | + if (getfilecon(ttyname, &old_tty_context)<0) { | |
62 | + error("getfilecon(%.100s) failed: %.100s", ttyname, | |
63 | + strerror(errno)); | |
64 | + } | |
65 | + else | |
66 | + { | |
67 | + if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) { | |
68 | + error("security_compute_relabel(%.100s) failed: %.100s", ttyname, | |
69 | + strerror(errno)); | |
70 | + } | |
71 | + else | |
72 | + { | |
73 | + if (setfilecon (ttyname, new_tty_context) != 0) { | |
74 | + error("setfilecon(%.100s, %s) failed: %.100s", | |
75 | + ttyname, new_tty_context, strerror(errno)); | |
76 | + } | |
77 | + freecon(new_tty_context); | |
78 | + } | |
79 | + freecon(old_tty_context); | |
80 | + } | |
81 | + freecon(user_context); | |
82 | + } | |
83 | +#endif | |
84 | if (stat(ttyname, &st)) | |
85 | fatal("stat(%.100s) failed: %.100s", ttyname, | |
86 | strerror(errno)); | |
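Review bot: Every failure in the relabel path (`getfilecon`, `security_compute_relabel`, `setfilecon`) is only reported with `error()`, so the session continues on a tty that still carries its previous label, while a failing `get_default_context()` a few lines earlier is `fatal()`; the policy should be one or the other and stated in a comment. On an enforcing system I would treat a failed relabel as fatal, e.g. `if (security_getenforce() > 0) fatal("setfilecon(%.100s) failed: %.100s", ttyname, strerror(errno));`, and keep `error()` for permissive mode. The `setfilecon` message also prints `new_tty_context` with an unbounded `%s` where the rest of the function uses `%.100s`. The label is read and written by path rather than through an open descriptor, so it relies on `ttyname` naming the same device across both calls; the function starts and ends outside this hunk, so I cannot see whether a descriptor is available here.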
1e68a739 | 87 | @@ -225,4 +262,5 @@ |
166dad71 | 88 | ttyname, (u_int)mode, strerror(errno)); |
03ad15b9 AM |
89 | } |
90 | } | |
91 | + | |
92 | } | |
5725b29c JB |
93 | --- openssh-3.7.1p2.org/Makefile.in 2003-12-26 20:14:52.000000000 +0100 |
94 | +++ openssh-3.7.1p2/Makefile.in 2003-12-26 20:15:15.000000000 +0100 | |
95 | @@ -40,7 +40,7 @@ | |
96 | ||
97 | CC=@CC@ | |
98 | LD=@LD@ | |
99 | -CFLAGS=@CFLAGS@ | |
100 | +CFLAGS=@CFLAGS@ -DWITH_SELINUX | |
101 | CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ | |
102 | LIBS=@LIBS@ | |
103 | LIBPAM=@LIBPAM@ | |
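Review bot: `-DWITH_SELINUX` is appended to `CFLAGS` unconditionally, and the later hunk at `sshd$(EXEEXT)` adds `-lselinux` the same way, so the `#ifdef WITH_SELINUX` guards in session.c and sshpty.c can never be off and a build without the libselinux headers fails. A preprocessor define also belongs with `CPPFLAGS`/`@DEFS@` rather than `CFLAGS`, because a `CFLAGS=` given on the make command line would silently drop it and produce an sshd with no SELinux handling at all. I would drive both from a configure switch, or at minimum move the define: `CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -DWITH_SELINUX`.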
104 | @@ -134,7 +134,7 @@ | |
105 | $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | |
106 | ||
107 | sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) | |
108 | - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) | |
109 | + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -lselinux | |
110 | ||
111 | scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o | |
112 | $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |