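--- a/openssh-3.9p1/Makefile.in
+++ b/openssh-3.9p1/Makefile.in
@@ -40,7 +40,7 @@
 
 CC=@CC@
 LD=@LD@
-CFLAGS=@CFLAGS@
+CFLAGS=@CFLAGS@ -DWITH_SELINUX
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBPAM=@LIBPAM@
@@ -134,7 +134,7 @@
 $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -lselinux
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)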
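Review bot: Both hunks hard-wire SELinux into every build — `-DWITH_SELINUX` is appended to `CFLAGS` at line 9 and `-lselinux` to the sshd link line at 18 — so a host without the libselinux headers or library no longer builds, and because `CFLAGS=@CFLAGS@` is overwritten the define cannot be switched off from the environment either. The `#ifdef WITH_SELINUX` guards added in session.c and sshpty.c only pay off if the define is optional; gating both the define and the library behind a configure option (later OpenSSH releases expose this as `--with-selinux`) would restore a plain build on non-SELinux systems. Until then a comment above line 9, `# WITH_SELINUX is unconditional here: libselinux headers and -lselinux are required to build sshd`, would at least make the new requirement visible.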
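--- a/openssh-3.9p1/session.c
+++ b/openssh-3.9p1/session.c
@@ -66,6 +66,11 @@
 #include "ssh-gss.h"
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 /* func */
 
 Session *session_new(void);
@@ -1304,6 +1309,18 @@
 #endif
 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled()>0)
+ {
+ security_context_t scontext;
+ if (get_default_context(pw->pw_name,NULL,&scontext))
+ fatal("Failed to get default security context for %s.", pw->pw_name);
+ if (setexeccon(scontext)) {
+ fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
+ }
+ freecon(scontext);
+ }
+#endif
 }
 
 static void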
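Review bot: The block added in the second hunk (lines 41–52) carries no comment on why it sits exactly here — after the uid switch has been verified and before the user's command is exec'd — nor on the fail-closed choice that `fatal()` enforces when SELinux is enabled but the policy yields no default context or `setexeccon()` is refused. A comment above line 41 such as `/* SELinux: label the user's shell/command with the policy's default context for pw_name; fail closed if none can be obtained or applied. */` would record both decisions for the next maintainer. Style-wise, the opening brace on its own line at 43 and the unspaced `is_selinux_enabled()>0` / `pw->pw_name,NULL,&scontext` do not match the surrounding OpenSSH code; `if (is_selinux_enabled() > 0) {` and `get_default_context(pw->pw_name, NULL, &scontext)` would. The enclosing function starts outside the hunk.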
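--- a/openssh-3.9p1/sshpty.c
+++ b/openssh-3.9p1/sshpty.c
@@ -22,6 +22,12 @@
 #include "log.h"
 #include "misc.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 #ifdef HAVE_PTY_H
 # include <pty.h>
 #endif
@@ -196,6 +202,32 @@
 * Warn but continue if filesystem is read-only and the uids match/
 * tty is owned by root.
 */
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled()>0) {
+ security_context_t new_tty_context=NULL,
+ user_context=NULL,
+ old_tty_context=NULL;
+ if (get_default_context(pw->pw_name,NULL,&user_context))
+ fatal("Failed to get default security context for %s.", pw->pw_name);
+
+ if (getfilecon(tty, &old_tty_context)<0) {
+ error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
+ } else {
+ if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
+ error("security_compute_relabel(%.100s) failed: %.100s", tty, strerror(errno));
+ } else {
+ if (setfilecon (tty, new_tty_context) != 0) {
+ error("setfilecon(%.100s, %s) failed: %.100s",
+ tty, new_tty_context, strerror(errno));
+ }
+ freecon(new_tty_context);
+ }
+ freecon(old_tty_context);
+ }
+ freecon(user_context);
+ }
+#endif
+
 if (stat(tty, &st))
 fatal("stat(%.100s) failed: %.100s", tty,
 strerror(errno));
@@ -225,4 +257,5 @@
 tty, (u_int)mode, strerror(errno));
 }
 }
+
 }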
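Review bot: The relabel block in the second hunk (lines 76–100) applies a mixed failure policy: a failed `get_default_context()` at 81 is `fatal()`, but failures of `getfilecon()`, `security_compute_relabel()` and `setfilecon()` at 84–92 only log with `error()` and the tty keeps whatever label it carried before, so the session goes ahead on a pty whose SELinux label may still be the previous user's. Whether that is acceptable — DAC ownership is presumably still fixed by the ownership/mode code that follows, and an enforcing policy would likely just deny the new shell the mislabeled tty — or should match the fail-closed handling in session.c is a decision worth recording in a comment above line 76, e.g. `/* Relabel the tty for pw_name's default context; relabel failures are logged, not fatal, and leave the previous label in place. */`. Separately, the `setfilecon` message at 91 prints the context with an unbounded `%s` while every other field in these messages is bounded with `%.100s`; using `%.100s` there too keeps the log lines consistent. The enclosing function begins outside the hunk.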