

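--- a/openssh-3.8.1p1/contrib/redhat/sshd.init.selinux
+++ b/openssh-3.8.1p1/contrib/redhat/sshd.init.selinux
@@ -35,6 +35,9 @@
 		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA1_KEY
 			chmod 644 $RSA1_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA1_KEY.pub
+			fi
 			success $"RSA1 key generation"
 			echo
 		else
@@ -51,6 +54,9 @@
 		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA_KEY
 			chmod 644 $RSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA_KEY.pub
+			fi
 			success $"RSA key generation"
 			echo
 		else
@@ -67,6 +73,9 @@
 		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $DSA_KEY
 			chmod 644 $DSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $DSA_KEY.pub
+			fi
 			success $"DSA key generation"
 			echo
 		else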
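Review bot: `restorecon` is run only on the public half of each generated key pair (`$RSA1_KEY.pub`, `$RSA_KEY.pub`, `$DSA_KEY.pub`), so the private key file written by the same `$KEYGEN` invocation keeps whatever label it was created with; if that label is not already the intended one, the private key presumably needs the same treatment, e.g. `/sbin/restorecon $RSA1_KEY $RSA1_KEY.pub`. The same three-line block is pasted into all three hunks of this file; a small shell function taking the key path would keep the three branches from drifting. Whether relabeling the whole key directory once is preferable depends on the policy, which this patch does not show.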
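--- a/openssh-3.8.1p1/configure.ac.selinux
+++ b/openssh-3.8.1p1/configure.ac.selinux
@@ -2160,6 +2160,18 @@
 			[#include <arpa/nameser.h>])
 	])
 
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+AC_ARG_WITH(selinux,
+	[  --with-selinux   Enable SELinux support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(WITH_SELINUX)
+		SELINUX_MSG="yes"
+		AC_CHECK_HEADERS(selinux.h)
+		LIBS="$LIBS -lselinux"
+	fi
+	])
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
@@ -2914,6 +2926,7 @@
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
+echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"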
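Review bot: `AC_CHECK_HEADERS(selinux.h)` in the first hunk probes for a header named `selinux.h`, but the sshpty.c and session.c hunks of this patch include `<selinux/selinux.h>`, and the resulting `HAVE_SELINUX_H` symbol is never consulted, so the check neither matches the code nor guards anything; `AC_CHECK_HEADERS(selinux/selinux.h)` would at least test the file actually used. `-lselinux` is likewise appended to `LIBS` without confirming the library links, so a `--with-selinux` build on a host without libselinux fails at link time instead of at configure time; an `AC_CHECK_LIB(selinux, setexeccon, ...)` with a failure action, or an `AC_MSG_ERROR` when the header is missing, would report it earlier. Since `WITH_SELINUX` is defined before those checks run, a missing header still produces a build that tries to compile the SELinux code.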
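--- a/openssh-3.8.1p1/sshpty.c.selinux
+++ b/openssh-3.8.1p1/sshpty.c.selinux
@@ -22,6 +22,12 @@
 #include "log.h"
 #include "misc.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+#endif
+
 #ifdef HAVE_PTY_H
 # include <pty.h>
 #endif
@@ -196,6 +202,37 @@
 	 * Warn but continue if filesystem is read-only and the uids match/
 	 * tty is owned by root.
 	 */
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled() > 0) {
+		security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; 
+
+		if (get_default_context(pw->pw_name,NULL,&user_context)) {
+			if (security_getenforce() > 0) 
+				fatal("Failed to get default security context for %s.", pw->pw_name);
+			else 
+				error("Failed to get default security context for %s. Continuing in permissve mode", pw->pw_name);
+		} else {
+			if (getfilecon(ttyname, &old_tty_context) < 0) {
+				error("getfilecon(%.100s) failed: %.100s", ttyname, strerror(errno));
+			} else {
+				if (security_compute_relabel(user_context,old_tty_context,
+							     SECCLASS_CHR_FILE,
+							     &new_tty_context) != 0) {
+					error("security_compute_relabel(%.100s) failed: %.100s", ttyname,
+					      strerror(errno));
+				} else {
+					if (setfilecon (ttyname, new_tty_context) != 0) 
+						error("setfilecon(%.100s, %s) failed: %.100s",
+						      ttyname, new_tty_context, 
+						      strerror(errno));
+					freecon(new_tty_context);
+				}
+				freecon(old_tty_context);
+			}
+			freecon(user_context);
+		}
+	}
+#endif
 	if (stat(ttyname, &st))
 		fatal("stat(%.100s) failed: %.100s", ttyname,
 		    strerror(errno));
@@ -225,4 +262,5 @@
 				    ttyname, (u_int)mode, strerror(errno));
 		}
 	}
+
 }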
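Review bot: A failing `setfilecon()` at new line 224 of the second hunk is only reported with error() regardless of mode, whereas the get_default_context() failure a few lines above, and the setexeccon() failure in session.c, are fatal when `security_getenforce() > 0`; under enforcement the tty then keeps its previous label, which presumably leaves the user's session unable to use it, so the same split is wanted here, e.g. `if (setfilecon(ttyname, new_tty_context) != 0 && security_getenforce() > 0) fatal(...)` with the existing error() kept for the permissive case. Note too that security_getenforce() returns -1 when the mode cannot be read, and every `> 0` test in this patch (here and in session.c) then takes the permissive branch, so a failed mode query silently downgrades the handling; testing `!= 0` would fail closed. The message string `Continuing in permissve mode` should read `permissive` (the same string appears in session.c, which also has `Continueing`). pty_setowner's definition starts before the hunk, so the surrounding locals and the earlier use of `ttyname` are not visible here.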
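--- a/openssh-3.8.1p1/config.h.in.selinux
+++ b/openssh-3.8.1p1/config.h.in.selinux
@@ -263,6 +263,9 @@
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 
+/* Define if have want SELinux support */
+#undef WITH_SELINUX
+
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
 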
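Review bot: The new comment `/* Define if have want SELinux support */` at new line 266 is garbled; the neighbouring entries use the form `/* Define if you want Kerberos 5 support */`, so `/* Define if you want SELinux support */` matches them.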
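--- a/openssh-3.8.1p1/session.c.selinux
+++ b/openssh-3.8.1p1/session.c.selinux
@@ -58,6 +58,11 @@
 #include "session.h"
 #include "monitor_wrap.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif
+
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
@@ -1305,6 +1310,25 @@
 #endif
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled() > 0) {
+		security_context_t scontext;
+		if (get_default_context(pw->pw_name,NULL,&scontext)) {
+			if (security_getenforce() > 0) 
+				fatal("Failed to get default security context for %s.", pw->pw_name);
+			else 
+				error("Failed to get default security context for %s. Continuing in permissve mode", pw->pw_name);
+		} else {
+			if (setexeccon(scontext)) {
+				if (security_getenforce() > 0) 
+					fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
+				else 
+					error("Failed to set exec security context %s for %s. Continueing in permissive mode", scontext, pw->pw_name);
+			}
+			freecon(scontext);
+		}
+	}
+#endif
 }
 
 static void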
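Review bot: The block added at new lines 1313-1331 repeats, almost line for line, the default-context lookup and the enforcing/permissive fatal-or-error split that this patch also adds to sshpty.c; a single static helper that looks up the context for `pw->pw_name` and decides fatal versus error once, called from both places, would keep the two copies from diverging — they already differ in wording. Within this block `security_getenforce()` is called up to twice; reading it once into a local `int enforcing` before the lookup would make the branches easier to follow. The enclosing function's definition begins before the hunk; only its closing brace is visible here. Because the exec context set by setexeccon() applies to the process's next execve, a short comment stating that nothing between this point and the user's shell exec is expected to exec anything else would document the assumption; I cannot confirm it from the hunk.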
