- updated

[packages/openssh.git] / openssh-selinux.patch

diff -urN openssh-3.7.1p2.org/Makefile.in openssh-3.7.1p2/Makefile.in
--- openssh-3.7.1p2.org/Makefile.in     2003-12-26 20:14:52.000000000 +0100
+++ openssh-3.7.1p2/Makefile.in 2003-12-26 20:15:15.000000000 +0100
@@ -40,7 +40,7 @@
 
 CC=@CC@
 LD=@LD@
-CFLAGS=@CFLAGS@
+CFLAGS=@CFLAGS@ -DWITH_SELINUX
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBPAM=@LIBPAM@
@@ -53,7 +53,7 @@
 SED=@SED@
 ENT=@ENT@
 XAUTH_PATH=@XAUTH_PATH@
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
+LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ -lselinux 
 EXEEXT=@EXEEXT@
 
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
diff -urN openssh-3.7.1p2.org/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.org/session.c       2003-12-26 20:14:53.000000000 +0100
+++ openssh-3.7.1p2/session.c   2003-12-26 20:15:50.000000000 +0100
@@ -62,6 +62,11 @@
 #include "ssh-gss.h"
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 /* func */
 
 Session *session_new(void);
@@ -1295,6 +1300,18 @@
 #endif
        if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
                fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+#ifdef WITH_SELINUX
+       if (is_selinux_enabled())
+         {
+           security_context_t scontext;
+           if (get_default_context(pw->pw_name,NULL,&scontext))
+             fatal("Failed to get default security context for %s.", pw->pw_name);
+           if (setexeccon(scontext)) {
+             fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
+           }
+           freecon(scontext);
+         }
+#endif
 }
 
 static void
diff -urN openssh-3.7.1p2.org/sshpty.c openssh-3.7.1p2/sshpty.c
--- openssh-3.7.1p2.org/sshpty.c        2003-12-26 20:14:53.000000000 +0100
+++ openssh-3.7.1p2/sshpty.c    2003-12-26 20:15:14.000000000 +0100
@@ -22,6 +22,12 @@
 #include "log.h"
 #include "misc.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 /* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
 #if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
 #undef HAVE_DEV_PTMX
@@ -386,6 +392,37 @@
         * Warn but continue if filesystem is read-only and the uids match/
         * tty is owned by root.
         */
+#ifdef WITH_SELINUX
+       if (is_selinux_enabled()) {
+         security_context_t      new_tty_context=NULL,
+           user_context=NULL, old_tty_context=NULL; 
+
+         if (get_default_context(pw->pw_name,NULL,&user_context))
+             fatal("Failed to get default security context for %s.", pw->pw_name);
+
+         if (getfilecon(ttyname, &old_tty_context)<0) {
+           error("getfilecon(%.100s) failed: %.100s", ttyname,
+                 strerror(errno));
+         }
+         else 
+           {
+             if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
+               error("security_compute_relabel(%.100s) failed: %.100s", ttyname,
+                     strerror(errno));
+             } 
+             else 
+               {
+                 if (setfilecon (ttyname, new_tty_context) != 0) {
+                   error("setfilecon(%.100s, %s) failed: %.100s",
+                         ttyname, new_tty_context, strerror(errno));
+                 }
+                 freecon(new_tty_context);
+               }
+             freecon(old_tty_context);
+           }
+         freecon(user_context);
+       }
+#endif
        if (stat(ttyname, &st))
                fatal("stat(%.100s) failed: %.100s", ttyname,
                    strerror(errno));
@@ -415,4 +452,5 @@
                                    ttyname, (u_int)mode, strerror(errno));
                }
        }
+
 }