[packages/openssh.git] / openssh-selinux.patch

diff -urN openssh-3.9p1.org/Makefile.in openssh-3.9p1/Makefile.in
--- openssh-3.9p1.org/Makefile.in	2004-08-17 19:03:29.052607640 +0200
+++ openssh-3.9p1/Makefile.in	2004-08-17 19:07:48.572154672 +0200
@@ -40,7 +40,7 @@
 
 CC=@CC@
 LD=@LD@
-CFLAGS=@CFLAGS@
+CFLAGS=@CFLAGS@ -DWITH_SELINUX
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBPAM=@LIBPAM@
@@ -134,7 +134,7 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -lselinux
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -urN openssh-3.9p1.org/session.c openssh-3.9p1/session.c
--- openssh-3.9p1.org/session.c	2004-08-17 19:03:29.189586816 +0200
+++ openssh-3.9p1/session.c	2004-08-17 19:07:48.559156648 +0200
@@ -66,6 +66,11 @@
 #include "ssh-gss.h"
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 /* func */
 
 Session *session_new(void);
@@ -1304,6 +1309,18 @@
 #endif
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled()>0)
+	  {
+	    security_context_t scontext;
+	    if (get_default_context(pw->pw_name,NULL,&scontext))
+	      fatal("Failed to get default security context for %s.", pw->pw_name);
+	    if (setexeccon(scontext)) {
+	      fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
+	    }
+	    freecon(scontext);
+	  }
+#endif
 }
 
 static void
diff -urN openssh-3.9p1.org/sshpty.c openssh-3.9p1/sshpty.c
--- openssh-3.9p1.org/sshpty.c	2004-08-17 19:03:29.219582256 +0200
+++ openssh-3.9p1/sshpty.c	2004-08-17 19:15:00.180540224 +0200
@@ -22,6 +22,12 @@
 #include "log.h"
 #include "misc.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 #ifdef HAVE_PTY_H
 # include <pty.h>
 #endif
@@ -196,6 +202,32 @@
 	 * Warn but continue if filesystem is read-only and the uids match/
 	 * tty is owned by root.
 	 */
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled()>0) {
+		security_context_t	new_tty_context=NULL,
+					user_context=NULL,
+					old_tty_context=NULL;
+		if (get_default_context(pw->pw_name,NULL,&user_context))
+			fatal("Failed to get default security context for %s.", pw->pw_name);
+	
+		if (getfilecon(tty, &old_tty_context)<0) {
+			error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
+		} else {
+			if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
+				error("security_compute_relabel(%.100s) failed: %.100s", tty, strerror(errno));
+			} else {
+				if (setfilecon (tty, new_tty_context) != 0) {
+					error("setfilecon(%.100s, %s) failed: %.100s",
+						tty, new_tty_context, strerror(errno));
+				}
+				freecon(new_tty_context);
+			}
+			freecon(old_tty_context);
+		}
+		freecon(user_context);
+	}
+#endif
+					
 	if (stat(tty, &st))
 		fatal("stat(%.100s) failed: %.100s", tty,
 		    strerror(errno));
@@ -225,4 +257,5 @@
 				    tty, (u_int)mode, strerror(errno));
 		}
 	}
+
 }
Commit	Line	Data
99b5700c AM	1	diff -urN openssh-3.9p1.org/Makefile.in openssh-3.9p1/Makefile.in
	2	--- openssh-3.9p1.org/Makefile.in 2004-08-17 19:03:29.052607640 +0200
	3	+++ openssh-3.9p1/Makefile.in 2004-08-17 19:07:48.572154672 +0200
	4	@@ -40,7 +40,7 @@
	5
	6	CC=@CC@
	7	LD=@LD@
	8	-CFLAGS=@CFLAGS@
	9	+CFLAGS=@CFLAGS@ -DWITH_SELINUX
	10	CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
	11	LIBS=@LIBS@
	12	LIBPAM=@LIBPAM@
	13	@@ -134,7 +134,7 @@
	14	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
	15
	16	sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
	17	- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
	18	+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -lselinux
	19
	20	scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
	21	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
	22	diff -urN openssh-3.9p1.org/session.c openssh-3.9p1/session.c
	23	--- openssh-3.9p1.org/session.c 2004-08-17 19:03:29.189586816 +0200
	24	+++ openssh-3.9p1/session.c 2004-08-17 19:07:48.559156648 +0200
	25	@@ -66,6 +66,11 @@
166dad71 AM	26	#include "ssh-gss.h"
166dad71 AM	27	#endif
03ad15b9 AM	28
	29	+#ifdef WITH_SELINUX
	30	+#include <selinux/get_context_list.h>
	31	+#include <selinux/selinux.h>
	32	+#endif
	33	+
166dad71 AM	34	/* func */
	35
	36	Session *session_new(void);
99b5700c	37	@@ -1304,6 +1309,18 @@
03ad15b9 AM	38	#endif
	39	if (getuid() != pw->pw_uid \|\| geteuid() != pw->pw_uid)
	40	fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
	41	+#ifdef WITH_SELINUX
5725b29c	42	+ if (is_selinux_enabled()>0)
03ad15b9 AM	43	+ {
	44	+ security_context_t scontext;
	45	+ if (get_default_context(pw->pw_name,NULL,&scontext))
	46	+ fatal("Failed to get default security context for %s.", pw->pw_name);
	47	+ if (setexeccon(scontext)) {
	48	+ fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
	49	+ }
	50	+ freecon(scontext);
	51	+ }
	52	+#endif
	53	}
	54
	55	static void
99b5700c AM	56	diff -urN openssh-3.9p1.org/sshpty.c openssh-3.9p1/sshpty.c
	57	--- openssh-3.9p1.org/sshpty.c 2004-08-17 19:03:29.219582256 +0200
	58	+++ openssh-3.9p1/sshpty.c 2004-08-17 19:15:00.180540224 +0200
03ad15b9 AM	59	@@ -22,6 +22,12 @@
	60	#include "log.h"
	61	#include "misc.h"
	62
	63	+#ifdef WITH_SELINUX
	64	+#include <selinux/flask.h>
	65	+#include <selinux/get_context_list.h>
	66	+#include <selinux/selinux.h>
	67	+#endif
	68	+
1e68a739	69	#ifdef HAVE_PTY_H
	70	# include <pty.h>
	71	#endif
99b5700c	72	@@ -196,6 +202,32 @@
03ad15b9 AM	73	* Warn but continue if filesystem is read-only and the uids match/
	74	* tty is owned by root.
	75	*/
	76	+#ifdef WITH_SELINUX
5725b29c	77	+ if (is_selinux_enabled()>0) {
99b5700c AM	78	+ security_context_t new_tty_context=NULL,
	79	+ user_context=NULL,
	80	+ old_tty_context=NULL;
	81	+ if (get_default_context(pw->pw_name,NULL,&user_context))
	82	+ fatal("Failed to get default security context for %s.", pw->pw_name);
	83	+
	84	+ if (getfilecon(tty, &old_tty_context)<0) {
	85	+ error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
	86	+ } else {
	87	+ if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
	88	+ error("security_compute_relabel(%.100s) failed: %.100s", tty, strerror(errno));
	89	+ } else {
	90	+ if (setfilecon (tty, new_tty_context) != 0) {
	91	+ error("setfilecon(%.100s, %s) failed: %.100s",
	92	+ tty, new_tty_context, strerror(errno));
	93	+ }
	94	+ freecon(new_tty_context);
	95	+ }
	96	+ freecon(old_tty_context);
03ad15b9	97	+ }
99b5700c	98	+ freecon(user_context);
03ad15b9 AM	99	+ }
03ad15b9 AM	100	+#endif
99b5700c AM	101	+
	102	if (stat(tty, &st))
	103	fatal("stat(%.100s) failed: %.100s", tty,
03ad15b9	104	strerror(errno));
99b5700c AM	105	@@ -225,4 +257,5 @@
99b5700c AM	106	tty, (u_int)mode, strerror(errno));
03ad15b9 AM	107	}
	108	}
	109	+
	110	}