--- sudo-1.6.7p5/Makefile.in.selinux 2003-04-15 20:39:10.000000000 -0400
-+++ sudo-1.6.7p5/Makefile.in 2003-10-27 16:57:47.000000000 -0500
++++ sudo-1.6.7p5/Makefile.in 2004-01-02 20:18:14.000000000 -0500
@@ -59,7 +59,8 @@
# Libraries
LIBS = @LIBS@
#### End of system configuration section. ####
--- sudo-1.6.7p5/sudo.c.selinux 2003-04-15 20:39:14.000000000 -0400
-+++ sudo-1.6.7p5/sudo.c 2003-12-16 22:39:27.611732931 -0500
-@@ -101,6 +101,22 @@
++++ sudo-1.6.7p5/sudo.c 2004-01-13 21:38:54.668372568 -0500
+@@ -101,6 +101,16 @@
#include "interfaces.h"
#include "version.h"
+#include <selinux/selinux.h> /* for is_selinux_enabled() */
+#include <selinux/context.h> /* for context-mangling functions */
+#include <selinux/get_default_type.h>
-+
-+char *role_s = NULL; /* role spec'd by user in argv[] */
-+char *type_s = NULL; /* type spec'd by user in argv[] */
-+security_context_t new_context; /* our target security ID ("sid") */
-+security_context_t old_context; /* our original securiy ID ("old_context") */
-+char *ttyn = NULL; /* tty path */
-+security_context_t tty_context; /* current sid of tty */
-+security_context_t new_tty_context; /* sid to change to while running command*/
-+struct stat statbuf;
++char *role_s = NULL; /* role spec'd by user in argv[] */
++char *type_s = NULL; /* type spec'd by user in argv[] */
++char *ttyn = NULL; /* tty path */
+#endif
+
#ifndef lint
static const char rcsid[] = "$Sudo: sudo.c,v 1.334 2003/04/01 15:02:49 millert Exp $";
#endif /* lint */
-@@ -358,6 +374,141 @@
- if (!(validated & FLAG_NOPASS))
- check_user();
+@@ -414,10 +424,195 @@
+ (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
+ #ifndef PROFILING
+- if ((sudo_mode & MODE_BACKGROUND) && fork() > 0)
++ if ((sudo_mode & MODE_BACKGROUND) && fork() > 0) {
++ exit(0);
++ }
+#ifdef WITH_SELINUX
-+ /*
-+ *
-+ * Step 1: Handle command-line arguments.
-+ *
-+ */
-+
++ if( is_selinux_enabled() >0) {
++ security_context_t old_context=NULL; /* our original securiy ID ("old_context") */
++ security_context_t new_context=NULL; /* our target security ID ("sid") */
++ security_context_t tty_context=NULL; /* current sid of tty */
++ security_context_t new_tty_context=NULL; /* sid to change to while running command*/
+
-+ if( is_selinux_enabled() ) {
++ /*
++ *
++ * Step 1: Handle command-line arguments.
++ *
++ */
+
-+ security_context_t context_s; /* our security context as a string */
-+ int context_length;
-+ context_t context; /* manipulatable form of context_s */
++ security_context_t context_s; /* our security context as a string */
++ int context_length;
++ context_t context; /* manipulatable form of context_s */
+
+
-+ /* Fill in a default type if one hasn't been specified */
-+ if( role_s && !type_s ) {
-+ if( get_default_type(role_s,&type_s) )
-+ {
-+ fprintf(stderr,"Couldn't get default type.\n");
-+ exit(-1);
-+ }
++ /* Fill in a default type if one hasn't been specified */
++ if( role_s && !type_s ) {
++ if( get_default_type(role_s,&type_s) )
++ {
++ fprintf(stderr,"Couldn't get default type.\n");
++ exit(-1);
++ }
+#ifdef CANTSPELLGDB
-+ printf( "Your type will be %s.\n", type_s );
++ printf( "Your type will be %s.\n", type_s );
+#endif
-+ }
++ }
+
+
-+ /*
-+ * Get the SID and context of the caller, and extract
-+ * the username from the context. Don't rely on the Linux
-+ * uid information - it isn't trustworthy.
-+ */
++ /*
++ * Get the SID and context of the caller, and extract
++ * the username from the context. Don't rely on the Linux
++ * uid information - it isn't trustworthy.
++ */
+
-+ /* Put the caller's SID into `old_context'. */
-+ if( 0!=(getprevcon(&old_context)) ) {
-+ fprintf(stderr,"failed to get old_context.\n");
-+ exit(-1);
-+ }
++ /* Put the caller's SID into `old_context'. */
++ if( 0!=(getprevcon(&old_context)) ) {
++ fprintf(stderr,"failed to get old_context.\n");
++ exit(-1);
++ }
+
+#ifdef CANTSPELLGDB
-+ printf( "Your old context was %s\n", old_context );
++ printf( "Your old context was %s\n", old_context );
+#endif
-+ /*
-+ * Create a context structure so that we extract and modify
-+ * components easily.
-+ */
-+ context=context_new(old_context);
++ /*
++ * Create a context structure so that we extract and modify
++ * components easily.
++ */
++ context=context_new(old_context);
+
-+ /*
-+ *
-+ * Step 3: Construct a new SID based on our old SID and the
-+ * arguments specified on the command line.
-+ *
-+ */
++ /*
++ *
++ * Step 3: Construct a new SID based on our old SID and the
++ * arguments specified on the command line.
++ *
++ */
+
-+ /* The first step in constructing a new SID for the new shell we *
-+ * plan to exec is to take our old context in `context' as a *
-+ * starting point, and modify it according to the options the user *
-+ * specified on the command line. */
++ /* The first step in constructing a new SID for the new shell we *
++ * plan to exec is to take our old context in `context' as a *
++ * starting point, and modify it according to the options the user *
++ * specified on the command line. */
+
-+ /* If the user specified a new role on the command line (if `role_s' *
-+ * is set), then replace the old role in `context' with this new role. */
-+ if( role_s ) {
-+ if( context_role_set(context,role_s)) {
-+ fprintf(stderr,"failed to set new role %s\n",role_s);
-+ exit(-1);
-+ }
++ /* If the user specified a new role on the command line (if `role_s' *
++ * is set), then replace the old role in `context' with this new role. */
++ if( role_s ) {
++ if( context_role_set(context,role_s)) {
++ fprintf(stderr,"failed to set new role %s\n",role_s);
++ exit(-1);
++ }
+#ifdef CANTSPELLGDB
-+ printf("Your new role is %s\n",context_role_get(context));
++ printf("Your new role is %s\n",context_role_get(context));
+#endif
-+ } /* if user specified new role */
++ } /* if user specified new role */
+
-+ /* If the user specified a new type on the command line (if `type_s' *
-+ * is set), then replace the old type in `context' with this new type. */
-+ if( type_s ) {
-+ if( context_type_set(context,type_s)) {
-+ fprintf(stderr,"failed to set new type %s\n",type_s);
-+ exit(-1);
-+ }
++ /* If the user specified a new type on the command line (if `type_s' *
++ * is set), then replace the old type in `context' with this new type. */
++ if( type_s ) {
++ if( context_type_set(context,type_s)) {
++ fprintf(stderr,"failed to set new type %s\n",type_s);
++ exit(-1);
++ }
+#ifdef CANTSPELLGDB
-+ printf("Your new type is %s\n",context_type_get(context));
++ printf("Your new type is %s\n",context_type_get(context));
+#endif
-+ } /* if user specified new type */
++ } /* if user specified new type */
+
-+ /* The second step in creating the new SID is to convert our modified *
-+ * `context' structure back to a context string and then to a SID. */
++ /* The second step in creating the new SID is to convert our modified *
++ * `context' structure back to a context string and then to a SID. */
+
-+ /* Make `context_s' point to a string version of the new `context'. */
-+ if( !(new_context=context_str(context))) {
-+ fprintf(stderr,"failed to convert new context to string\n" );
-+ exit(-1);
-+ }
++ /* Make `context_s' point to a string version of the new `context'. */
++ if( !(new_context=context_str(context))) {
++ fprintf(stderr,"failed to convert new context to string\n" );
++ exit(-1);
++ }
+
+#ifdef CANTSPELLGDB
-+ printf("Your new context is %s\n",new_context);
++ printf("Your new context is %s\n",new_context);
+#endif
+
-+ /*
-+ *
-+ * Step 4: Handle relabeling of the tty.
-+ *
-+ */
++ /*
++ *
++ * Step 4: Handle relabeling of the tty.
++ *
++ */
+
-+ /* Fetch TTY information */
-+ ttyn=ttyname(0);
-+ if (! ( ttyn==NULL || *ttyn=='\0')) {
-+ if (getfilecon(ttyn,&tty_context) <0 ) {
-+ fprintf(stderr, "Could not retrieve tty information.\n");
-+ } else {
++ /* Fetch TTY information */
++ ttyn=ttyname(0);
++ if (! ( ttyn==NULL || *ttyn=='\0')) {
++ if (getfilecon(ttyn,&tty_context) <0 ) {
++ fprintf(stderr, "Could not retrieve tty information.\n");
++ } else {
+
+#ifdef CANTSPELLGDB
-+ printf("Your tty %s was labeled with SID %d\n", ttyn, tty_context);
++ printf("Your tty %s was labeled with SID %d\n", ttyn, tty_context);
+#endif
+
-+ new_tty_context = NULL;
-+ if (security_compute_relabel(new_context,tty_context,SECCLASS_CHR_FILE,&new_tty_context) < 0)
-+ fprintf(stderr, "Warning! Could not get new context for %s, not relabeling.\n", ttyn);
-+ else
-+ {
++ new_tty_context = NULL;
++ if (security_compute_relabel(new_context,tty_context,SECCLASS_CHR_FILE,&new_tty_context) < 0)
++ fprintf(stderr, "Warning! Could not get new context for %s, not relabeling.\n", ttyn);
++ else
++ {
+
+#ifdef CANTSPELLGDB
-+ printf("Relabeling tty %s to context %s\n", ttyn, new_tty_context);
++ printf("Relabeling tty %s to context %s\n", ttyn, new_tty_context);
+#endif
+
-+ /* Relabel it */
-+ if( setfilecon(ttyn,new_tty_context)!=0 ) {
-+ fprintf(stderr,"sudo: error: setfilecon on %s to %s",ttyn,new_tty_context);
-+ }
-+ freecon(new_tty_context);
++ /* Relabel it */
++ if( setfilecon(ttyn,new_tty_context)!=0 ) {
++ fprintf(stderr,"sudo: error: setfilecon on %s to %s",ttyn,new_tty_context);
++ }
++ freecon(new_tty_context);
++ }
+ }
-+ }
-+ }
-+ }
-+#endif
- /* Build up custom environment that avoids any nasty bits. */
- new_environ = rebuild_env(sudo_mode, envp);
-
-@@ -414,10 +565,59 @@
- (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
-
- #ifndef PROFILING
-- if ((sudo_mode & MODE_BACKGROUND) && fork() > 0)
-+ if ((sudo_mode & MODE_BACKGROUND) && fork() > 0) {
-+ exit(0);
-+ }
-+#ifdef WITH_SELINUX
-+ if( is_selinux_enabled() ) {
++ }
+ /* Fork, allowing parent to clean up after shell has executed */
+ pid_t childPid=fork();
+ if( childPid<0 ) {
+ /* PARENT */
+ wait(NULL);
+
++ if (tty_context!=NULL) {
+#ifdef CANTSPELLGDB
-+ printf("Restoring tty %s back to SID %d\n", ttyn, tty_context);
++ printf("Restoring tty %s back to SID %d\n", ttyn, tty_context);
+#endif
+
-+ /* Cleanup TTY Context */
-+ setfilecon(ttyn,tty_context);
-+ freecon(tty_context);
++ /* Cleanup TTY Context */
++ setfilecon(ttyn,tty_context);
++ freecon(tty_context);
++ }
+
+ /* Done! */
exit(0);
#else
exit(0);
#endif /* PROFILING */
-@@ -693,6 +893,30 @@
+@@ -693,6 +888,30 @@
NewArgv++;
break;
#endif
#ifdef HAVE_LOGIN_CAP_H
case 'c':
/* Must have an associated login class. */
+@@ -1063,6 +1282,9 @@
+ #ifdef HAVE_BSD_AUTH_H
+ (void) fprintf(stderr, "[-a auth_type] ");
+ #endif
++#ifdef WITH_SELINUX
++ (void) fprintf(stderr, "[-r role] [-t type] ");
++#endif
+ (void) fprintf(stderr, "-s | <command>\n");
+ exit(exit_val);
+ }
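Review bot: The result of `context=context_new(old_context);` is never checked, and a NULL return (allocation or parse failure) is handed straight to `context_role_set`, `context_type_set` and `context_str` in the lines that follow; guard it as `if ((context = context_new(old_context)) == NULL) { fprintf(stderr, "failed to parse old context\n"); exit(-1); }`. In the tty cleanup after `wait(NULL)`, the return of `setfilecon(ttyn,tty_context);` is ignored, so a failed restore silently leaves the terminal labeled with the target context — report it the same way the relabel failure earlier in the hunk is reported. The CANTSPELLGDB diagnostics `printf("Your tty %s was labeled with SID %d\n", ttyn, tty_context);` and `printf("Restoring tty %s back to SID %d\n", ttyn, tty_context);` pass a `security_context_t` (a string) for `%d`, which is undefined behaviour; use `%s`. The branch commented `/* PARENT */` tests `childPid<0`, which is fork's error return rather than the parent's — if that is not a transcription artifact, the wait and the tty restore never run in the parent. The enclosing function starts and ends outside the hunk.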
--- sudo-1.6.7p5/sudo.man.in.selinux 2003-04-15 20:39:14.000000000 -0400
-+++ sudo-1.6.7p5/sudo.man.in 2003-12-11 17:35:52.000000000 -0500
++++ sudo-1.6.7p5/sudo.man.in 2004-01-02 20:18:14.000000000 -0500
@@ -174,7 +174,7 @@
.IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR |
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
--- sudo-1.6.7p5/sudoers.selinux 2001-12-16 23:45:52.000000000 -0500
-+++ sudo-1.6.7p5/sudoers 2003-10-27 16:57:47.000000000 -0500
++++ sudo-1.6.7p5/sudoers 2004-01-02 20:18:14.000000000 -0500
@@ -14,7 +14,8 @@
# Defaults specification