- support for modular xorg
[packages/openssh.git] / openssh-selinux.patch
1 diff -urN openssh-3.9p1.org/Makefile.in openssh-3.9p1/Makefile.in
2 --- openssh-3.9p1.org/Makefile.in       2004-08-17 19:03:29.052607640 +0200
3 +++ openssh-3.9p1/Makefile.in   2004-08-17 19:07:48.572154672 +0200
4 @@ -40,7 +40,7 @@
5  
6  CC=@CC@
7  LD=@LD@
8 -CFLAGS=@CFLAGS@
9 +CFLAGS=@CFLAGS@ -DWITH_SELINUX
10  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
11  LIBS=@LIBS@
12  LIBPAM=@LIBPAM@
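Review bot: `-DWITH_SELINUX` is appended to `CFLAGS` unconditionally, and the sshd link rule in the second hunk of this file adds `-lselinux` the same way, so nothing probes for libselinux and the `#ifdef WITH_SELINUX` guards in session.c and sshpty.c are not really optional. A preprocessor define normally belongs in `CPPFLAGS`. Keeping it in `CFLAGS` also means that a build which overrides `CFLAGS` on the make command line would likely drop the define and produce an sshd that still links libselinux but performs no context handling, with no build error to signal it. Moving the define to the `CPPFLAGS` line (`CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -DWITH_SELINUX`) avoids that, and a configure-time switch feeding both the define and the library would be cleaner still.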
13 @@ -134,7 +134,7 @@
14         $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
15  
16  sshd$(EXEEXT): libssh.a        $(LIBCOMPAT) $(SSHDOBJS)
17 -       $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
18 +       $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -lselinux
19  
20  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
21         $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
22 diff -urN openssh-3.9p1.org/session.c openssh-3.9p1/session.c
23 --- openssh-3.9p1.org/session.c 2004-08-17 19:03:29.189586816 +0200
24 +++ openssh-3.9p1/session.c     2004-08-17 19:07:48.559156648 +0200
25 @@ -66,6 +66,11 @@
26  #include "ssh-gss.h"
27  #endif
28  
29 +#ifdef WITH_SELINUX
30 +#include <selinux/get_context_list.h>
31 +#include <selinux/selinux.h>
32 +#endif
33 +
34  /* func */
35  
36  Session *session_new(void);
37 @@ -1304,6 +1309,18 @@
38  #endif
39         if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
40                 fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
41 +#ifdef WITH_SELINUX
42 +       if (is_selinux_enabled()>0)
43 +         {
44 +           security_context_t scontext;
45 +           if (get_default_context(pw->pw_name,NULL,&scontext))
46 +             fatal("Failed to get default security context for %s.", pw->pw_name);
47 +           if (setexeccon(scontext)) {
48 +             fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
49 +           }
50 +           freecon(scontext);
51 +         }
52 +#endif
53  }
54  
55  static void
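Review bot: The guard `if (is_selinux_enabled()>0)` treats an error return the same as "SELinux disabled", so if libselinux reports a negative value the whole block is skipped and the session continues without `setexeccon()` having been called. The two calls inside the block already fail closed with `fatal()`, and the check itself should do the same: `int se = is_selinux_enabled(); if (se < 0) fatal("is_selinux_enabled() failed: %.100s", strerror(errno));` and then `if (se > 0) {`. The new `fatal()` messages also print `pw->pw_name` and `scontext` with a bare `%s`, where the sshpty.c part of this patch bounds its strings with `%.100s`. The enclosing function starts above the hunk, so where this sits relative to the rest of the privilege drop cannot be confirmed from here.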
56 diff -urN openssh-3.9p1.org/sshpty.c openssh-3.9p1/sshpty.c
57 --- openssh-3.9p1.org/sshpty.c  2004-08-17 19:03:29.219582256 +0200
58 +++ openssh-3.9p1/sshpty.c      2004-08-17 19:15:00.180540224 +0200
59 @@ -22,6 +22,12 @@
60  #include "log.h"
61  #include "misc.h"
62  
63 +#ifdef WITH_SELINUX
64 +#include <selinux/flask.h>
65 +#include <selinux/get_context_list.h>
66 +#include <selinux/selinux.h>
67 +#endif
68 +
69  #ifdef HAVE_PTY_H
70  # include <pty.h>
71  #endif
72 @@ -196,6 +202,32 @@
73          * Warn but continue if filesystem is read-only and the uids match/
74          * tty is owned by root.
75          */
76 +#ifdef WITH_SELINUX
77 +       if (is_selinux_enabled()>0) {
78 +               security_context_t      new_tty_context=NULL,
79 +                                       user_context=NULL,
80 +                                       old_tty_context=NULL;
81 +               if (get_default_context(pw->pw_name,NULL,&user_context))
82 +                       fatal("Failed to get default security context for %s.", pw->pw_name);
83 +       
84 +               if (getfilecon(tty, &old_tty_context)<0) {
85 +                       error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
86 +               } else {
87 +                       if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
88 +                               error("security_compute_relabel(%.100s) failed: %.100s", tty, strerror(errno));
89 +                       } else {
90 +                               if (setfilecon (tty, new_tty_context) != 0) {
91 +                                       error("setfilecon(%.100s, %s) failed: %.100s",
92 +                                               tty, new_tty_context, strerror(errno));
93 +                               }
94 +                               freecon(new_tty_context);
95 +                       }
96 +                       freecon(old_tty_context);
97 +               }
98 +               freecon(user_context);
99 +       }
100 +#endif
101 +                                       
102         if (stat(tty, &st))
103                 fatal("stat(%.100s) failed: %.100s", tty,
104                     strerror(errno));
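Review bot: The three relabel steps (`getfilecon`, `security_compute_relabel`, `setfilecon`) only log with `error()` and fall through, so on any failure the login proceeds on a tty that still carries its previous label, whereas a `get_default_context` failure in the same block is `fatal()`. If that asymmetry is intended (relying on policy to deny access to a mislabelled tty in enforcing mode), it deserves a comment such as `/* relabel failures are non-fatal: policy is expected to deny access to an unlabelled tty */`. Otherwise the failures should become fatal when `security_getenforce()` reports enforcing. The block is also inserted between the existing "Warn but continue if filesystem is read-only…" comment and the `stat()`/chown code that comment describes, so the comment now reads as if it documents the SELinux code; the block would sit better above that comment. The enclosing function begins and ends outside the hunk.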
105 @@ -225,4 +257,5 @@
106                                     tty, (u_int)mode, strerror(errno));
107                 }
108         }
109 +
110  }