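diff -urN openssh-3.7.1p2.org/Makefile.in openssh-3.7.1p2/Makefile.in
--- openssh-3.7.1p2.org/Makefile.in 2003-12-26 20:14:52.000000000 +0100
+++ openssh-3.7.1p2/Makefile.in 2003-12-26 20:15:15.000000000 +0100
@@ -40,7 +40,7 @@
 
 CC=@CC@
 LD=@LD@
-CFLAGS=@CFLAGS@
+CFLAGS=@CFLAGS@ -DWITH_SELINUX
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBPAM=@LIBPAM@
@@ -53,7 +53,7 @@
 SED=@SED@
 ENT=@ENT@
 XAUTH_PATH=@XAUTH_PATH@
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
+LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ -lselinux
 EXEEXT=@EXEEXT@
 
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@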
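Review bot: In the second hunk `-lselinux` is appended to LDFLAGS rather than to LIBS, which places the library before the object files on the link line; a linker that resolves libraries in order, or one run with --as-needed, may then drop it and leave the selinux symbols used by session.o and sshpty.o unresolved. `LIBS=@LIBS@ -lselinux` keeps the library after the objects. Both hunks are also unconditional edits to Makefile.in, so every build now needs libselinux even though the code it enables is behind `#ifdef WITH_SELINUX`; a configure switch that substitutes these two values would presumably keep the default build unchanged.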
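diff -urN openssh-3.7.1p2.org/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.org/session.c 2003-12-26 20:14:53.000000000 +0100
+++ openssh-3.7.1p2/session.c 2003-12-26 20:15:50.000000000 +0100
@@ -62,6 +62,11 @@
 #include "ssh-gss.h"
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 /* func */
 
 Session *session_new(void);
@@ -1295,6 +1300,18 @@
 #endif
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled())
+	{
+		security_context_t scontext;
+		if (get_default_context(pw->pw_name,NULL,&scontext))
+			fatal("Failed to get default security context for %s.", pw->pw_name);
+		if (setexeccon(scontext)) {
+			fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
+		}
+		freecon(scontext);
+	}
+#endif
 }
 
 static void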
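Review bot: The SELinux block added at the end of the second hunk carries no comment saying why it sits after the uid checks or that setexeccon() only takes effect at the next execve, so a reader cannot tell whether the ordering matters; `/* SELinux: label the user's shell/command at its execve with this login's default context; fail closed if no context can be determined. */` above the `#ifdef` would state the contract. If is_selinux_enabled() on the targeted libselinux can report an error with a negative value, the bare `if (is_selinux_enabled())` treats that as enabled and the following fatal() then fails closed, which is worth saying in that comment. The brace placement (`{` on its own line after the is_selinux_enabled() test but on the same line for the setexeccon() test) and the unspaced arguments in `get_default_context(pw->pw_name,NULL,&scontext)` do not follow the surrounding KNF style; `if (is_selinux_enabled()) {` and `get_default_context(pw->pw_name, NULL, &scontext)` would match it. The enclosing function starts outside the hunk.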
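diff -urN openssh-3.7.1p2.org/sshpty.c openssh-3.7.1p2/sshpty.c
--- openssh-3.7.1p2.org/sshpty.c 2003-12-26 20:14:53.000000000 +0100
+++ openssh-3.7.1p2/sshpty.c 2003-12-26 20:15:14.000000000 +0100
@@ -22,6 +22,12 @@
 #include "log.h"
 #include "misc.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 /* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
 #if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
 #undef HAVE_DEV_PTMX
@@ -386,6 +392,37 @@
 	 * Warn but continue if filesystem is read-only and the uids match/
 	 * tty is owned by root.
 	 */
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled()) {
+		security_context_t new_tty_context=NULL,
+			user_context=NULL, old_tty_context=NULL;
+
+		if (get_default_context(pw->pw_name,NULL,&user_context))
+			fatal("Failed to get default security context for %s.", pw->pw_name);
+
+		if (getfilecon(ttyname, &old_tty_context)<0) {
+			error("getfilecon(%.100s) failed: %.100s", ttyname,
+			    strerror(errno));
+		}
+		else
+		{
+			if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
+				error("security_compute_relabel(%.100s) failed: %.100s", ttyname,
+				    strerror(errno));
+			}
+			else
+			{
+				if (setfilecon (ttyname, new_tty_context) != 0) {
+					error("setfilecon(%.100s, %s) failed: %.100s",
+					    ttyname, new_tty_context, strerror(errno));
+				}
+				freecon(new_tty_context);
+			}
+			freecon(old_tty_context);
+		}
+		freecon(user_context);
+	}
+#endif
 	if (stat(ttyname, &st))
 		fatal("stat(%.100s) failed: %.100s", ttyname,
 		    strerror(errno));
@@ -415,4 +452,5 @@
 		    ttyname, (u_int)mode, strerror(errno));
 	}
 }
+
 }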
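Review bot: In the second hunk the failure policy is inconsistent: a get_default_context() failure is fatal(), but a getfilecon(), security_compute_relabel() or setfilecon() failure is only error() and the function goes on to stat() and hand the tty to the user with whatever label it already carried. The "Warn but continue" comment above the block refers to the read-only-filesystem chown case, not to relabeling, so the choice to continue here is undocumented; either make the setfilecon() failure fatal() to match the session.c path, or add `/* Relabel failure is deliberately non-fatal: the tty keeps its current label and policy decides access. */` so the decision is explicit. The `if ( security_compute_relabel(` spacing and the `else` on its own line followed by `{` differ from the surrounding KNF style. The final hunk adds only a blank line and could be dropped. The enclosing function starts outside the hunk.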