-diff -urN openssh-3.7.1p2.org/session.c openssh-3.7.1p2/session.c
---- openssh-3.7.1p2.org/session.c 2004-01-05 14:23:20.406243719 +0100
-+++ openssh-3.7.1p2/session.c 2004-01-05 14:31:01.863306724 +0100
-@@ -1327,15 +1327,23 @@
+diff -urN openssh-3.9p1.org/session.c openssh-3.9p1/session.c
+--- openssh-3.9p1.org/session.c 2004-08-17 19:17:21.188103816 +0200
++++ openssh-3.9p1/session.c 2004-08-17 19:21:15.548475624 +0200
+@@ -1310,15 +1310,23 @@
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
#ifdef WITH_SELINUX
- if (setexeccon(scontext)) {
- fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
+ if (get_default_context(pw->pw_name,NULL,&scontext)) {
-+ if (security_getenforce())
++ if (security_getenforce() > 0)
+ fatal("Failed to get default security context for %s.", pw->pw_name);
+ else
+ error("Failed to get default security context for %s (SELinux in permissive mode, continuing).", pw->pw_name);
+ } else {
+ if (setexeccon(scontext)) {
-+ if (security_getenforce())
++ if (security_getenforce() > 0)
+ fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
+ else
+ error("Failed to set exec security context %s for %s (SELinux in permissive mode, continuing).", scontext, pw->pw_name);
}
#endif
}
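Review bot: The new `security_getenforce() > 0` tests in this hunk fail open, because security_getenforce() returns -1 when the enforcing state cannot be read and that error now takes the `else` branch. The session then continues after logging "SELinux in permissive mode" although the mode is unknown and no exec context was set; the earlier `if (security_getenforce())` treated -1 as enforcing and called fatal(). Keep the exception for an explicit 0 only, e.g. `if (security_getenforce() != 0)`, or handle `< 0` as its own fatal() case with a distinct message. The same comparison is used in the sshpty.c hunk of this patch (`@@ -207,8 +207,12 @@`). Only part of this hunk is visible here, so how the added `else` block is closed could not be checked.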
-diff -urN openssh-3.7.1p2.org/sshpty.c openssh-3.7.1p2/sshpty.c
---- openssh-3.7.1p2.org/sshpty.c 2004-01-05 14:23:20.667189473 +0100
-+++ openssh-3.7.1p2/sshpty.c 2004-01-05 14:29:33.403698686 +0100
-@@ -397,8 +397,12 @@
- security_context_t new_tty_context=NULL,
- user_context=NULL, old_tty_context=NULL;
-
-- if (get_default_context(pw->pw_name,NULL,&user_context))
-- fatal("Failed to get default security context for %s.", pw->pw_name);
-+ if (get_default_context(pw->pw_name,NULL,&user_context)) {
-+ if (security_getenforce())
-+ fatal("Failed to get default security context for %s.", pw->pw_name);
-+ else
-+ error("Failed to get default security context for %s (SELinux in permissive mode, continuing).", pw->pw_name);
-+ } else {
-
- if (getfilecon(ttyname, &old_tty_context)<0) {
- error("getfilecon(%.100s) failed: %.100s", ttyname,
-@@ -421,6 +425,7 @@
- freecon(old_tty_context);
- }
- freecon(user_context);
-+ }
+diff -urN openssh-3.9p1.org/sshpty.c openssh-3.9p1/sshpty.c
+--- openssh-3.9p1.org/sshpty.c 2004-08-17 19:17:21.189103664 +0200
++++ openssh-3.9p1/sshpty.c 2004-08-17 19:20:59.265950944 +0200
+@@ -207,8 +207,12 @@
+ security_context_t new_tty_context=NULL,
+ user_context=NULL,
+ old_tty_context=NULL;
+- if (get_default_context(pw->pw_name,NULL,&user_context))
+- fatal("Failed to get default security context for %s.", pw->pw_name);
++ if (get_default_context(pw->pw_name,NULL,&user_context)) {
++ if (security_getenforce() > 0)
++ fatal("Failed to get default security context for %s.", pw->pw_name);
++ else
++ error("Failed to get default security context for %s (SELinux in permissive mode, continuing).", pw->pw_name);
++ } else {
+
+ if (getfilecon(tty, &old_tty_context)<0) {
+ error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
+@@ -225,6 +229,7 @@
+ freecon(old_tty_context);
+ }
+ freecon(user_context);
++ }
}
#endif
- if (stat(ttyname, &st))
+
---- openssh-3.7.1p2.org/session.c 2003-12-26 20:14:53.000000000 +0100
-+++ openssh-3.7.1p2/session.c 2003-12-26 20:15:50.000000000 +0100
-@@ -62,6 +62,11 @@
+diff -urN openssh-3.9p1.org/Makefile.in openssh-3.9p1/Makefile.in
+--- openssh-3.9p1.org/Makefile.in 2004-08-17 19:03:29.052607640 +0200
++++ openssh-3.9p1/Makefile.in 2004-08-17 19:07:48.572154672 +0200
+@@ -40,7 +40,7 @@
+
+ CC=@CC@
+ LD=@LD@
+-CFLAGS=@CFLAGS@
++CFLAGS=@CFLAGS@ -DWITH_SELINUX
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ LIBPAM=@LIBPAM@
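Review bot: `-DWITH_SELINUX` is appended to `CFLAGS`, which is commonly overridden on the make command line; such an override would silently drop the define and build an sshd without the SELinux context code. A preprocessor define is safer next to `@DEFS@`, e.g. `CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -DWITH_SELINUX`. Both this define and the `-lselinux` added to the sshd link line in the next hunk (`@@ -134,7 +134,7 @@`) are unconditional, so the patched tree cannot be built without libselinux; a configure check would be the fuller fix.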
+@@ -134,7 +134,7 @@
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
+- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -lselinux
+
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+ $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+diff -urN openssh-3.9p1.org/session.c openssh-3.9p1/session.c
+--- openssh-3.9p1.org/session.c 2004-08-17 19:03:29.189586816 +0200
++++ openssh-3.9p1/session.c 2004-08-17 19:07:48.559156648 +0200
+@@ -66,6 +66,11 @@
#include "ssh-gss.h"
#endif
/* func */
Session *session_new(void);
-@@ -1295,6 +1300,18 @@
+@@ -1304,6 +1309,18 @@
#endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
}
static void
---- openssh-3.8p1/sshpty.c.orig 2004-01-21 07:07:17.000000000 +0100
-+++ openssh-3.8p1/sshpty.c 2004-02-25 21:19:57.000000000 +0100
+diff -urN openssh-3.9p1.org/sshpty.c openssh-3.9p1/sshpty.c
+--- openssh-3.9p1.org/sshpty.c 2004-08-17 19:03:29.219582256 +0200
++++ openssh-3.9p1/sshpty.c 2004-08-17 19:15:00.180540224 +0200
@@ -22,6 +22,12 @@
#include "log.h"
#include "misc.h"
#ifdef HAVE_PTY_H
# include <pty.h>
#endif
-@@ -196,6 +202,37 @@
+@@ -196,6 +202,32 @@
* Warn but continue if filesystem is read-only and the uids match/
* tty is owned by root.
*/
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled()>0) {
-+ security_context_t new_tty_context=NULL,
-+ user_context=NULL, old_tty_context=NULL;
-+
-+ if (get_default_context(pw->pw_name,NULL,&user_context))
-+ fatal("Failed to get default security context for %s.", pw->pw_name);
-+
-+ if (getfilecon(ttyname, &old_tty_context)<0) {
-+ error("getfilecon(%.100s) failed: %.100s", ttyname,
-+ strerror(errno));
-+ }
-+ else
-+ {
-+ if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
-+ error("security_compute_relabel(%.100s) failed: %.100s", ttyname,
-+ strerror(errno));
-+ }
-+ else
-+ {
-+ if (setfilecon (ttyname, new_tty_context) != 0) {
-+ error("setfilecon(%.100s, %s) failed: %.100s",
-+ ttyname, new_tty_context, strerror(errno));
-+ }
-+ freecon(new_tty_context);
++ security_context_t new_tty_context=NULL,
++ user_context=NULL,
++ old_tty_context=NULL;
++ if (get_default_context(pw->pw_name,NULL,&user_context))
++ fatal("Failed to get default security context for %s.", pw->pw_name);
++
++ if (getfilecon(tty, &old_tty_context)<0) {
++ error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
++ } else {
++ if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
++ error("security_compute_relabel(%.100s) failed: %.100s", tty, strerror(errno));
++ } else {
++ if (setfilecon (tty, new_tty_context) != 0) {
++ error("setfilecon(%.100s, %s) failed: %.100s",
++ tty, new_tty_context, strerror(errno));
++ }
++ freecon(new_tty_context);
++ }
++ freecon(old_tty_context);
+ }
-+ freecon(old_tty_context);
-+ }
-+ freecon(user_context);
++ freecon(user_context);
+ }
+#endif
- if (stat(ttyname, &st))
- fatal("stat(%.100s) failed: %.100s", ttyname,
++
+ if (stat(tty, &st))
+ fatal("stat(%.100s) failed: %.100s", tty,
strerror(errno));
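Review bot: The added `#ifdef WITH_SELINUX` block has no comment saying what it relabels or which failures are tolerated. As written, only a get_default_context() failure is fatal, while getfilecon(), security_compute_relabel() and setfilecon() failures are logged with error() and the code falls through to the stat() below with the tty still under its old label. A comment above `if (is_selinux_enabled()>0) {` such as `/* Relabel the tty to the context the policy computes from the user's default context; relabel failures are logged, not fatal. */` would record that this is intended. The enclosing function starts and ends outside this hunk.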
-@@ -225,4 +262,5 @@
- ttyname, (u_int)mode, strerror(errno));
+@@ -225,4 +257,5 @@
+ tty, (u_int)mode, strerror(errno));
}
}
+
}
---- openssh-3.7.1p2.org/Makefile.in 2003-12-26 20:14:52.000000000 +0100
-+++ openssh-3.7.1p2/Makefile.in 2003-12-26 20:15:15.000000000 +0100
-@@ -40,7 +40,7 @@
-
- CC=@CC@
- LD=@LD@
--CFLAGS=@CFLAGS@
-+CFLAGS=@CFLAGS@ -DWITH_SELINUX
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- LIBS=@LIBS@
- LIBPAM=@LIBPAM@
-@@ -134,7 +134,7 @@
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
- sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
-+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -lselinux
-
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)