Attachment 648 Details for Bug 880 – SELinux patch

[patch] SELinux patch

openssh-selinux.patch (text/plain), 5.28 KB, created by Daniel Walsh on 2004-06-16 04:03:21 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Daniel Walsh

Created: 2004-06-16 04:03:21 AEST

Size: 5.28 KB

patch

obsolete

>--- openssh-3.8.1p1/contrib/redhat/sshd.init.selinux	2002-05-09 22:19:23.000000000 -0400
>+++ openssh-3.8.1p1/contrib/redhat/sshd.init	2004-06-15 13:43:03.171207144 -0400
>@@ -35,6 +35,9 @@
> 		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
> 			chmod 600 $RSA1_KEY
> 			chmod 644 $RSA1_KEY.pub
>+			if [ -x /sbin/restorecon ]; then
>+			    /sbin/restorecon $RSA1_KEY.pub
>+			fi
> 			success $"RSA1 key generation"
> 			echo
> 		else
>@@ -51,6 +54,9 @@
> 		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
> 			chmod 600 $RSA_KEY
> 			chmod 644 $RSA_KEY.pub
>+			if [ -x /sbin/restorecon ]; then
>+			    /sbin/restorecon $RSA_KEY.pub
>+			fi
> 			success $"RSA key generation"
> 			echo
> 		else
>@@ -67,6 +73,9 @@
> 		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
> 			chmod 600 $DSA_KEY
> 			chmod 644 $DSA_KEY.pub
>+			if [ -x /sbin/restorecon ]; then
>+			    /sbin/restorecon $DSA_KEY.pub
>+			fi
> 			success $"DSA key generation"
> 			echo
> 		else
>--- openssh-3.8.1p1/configure.ac.selinux	2004-06-15 13:43:03.097218392 -0400
>+++ openssh-3.8.1p1/configure.ac	2004-06-15 13:43:03.174206688 -0400
>@@ -2160,6 +2160,18 @@
> 			[#include <arpa/nameser.h>])
> 	])
> 
>+# Check whether user wants SELinux support
>+SELINUX_MSG="no"
>+AC_ARG_WITH(selinux,
>+	[  --with-selinux   Enable SELinux support],
>+	[ if test "x$withval" != "xno" ; then
>+		AC_DEFINE(WITH_SELINUX)
>+		SELINUX_MSG="yes"
>+		AC_CHECK_HEADERS(selinux.h)
>+		LIBS="$LIBS -lselinux"
>+	fi
>+	])
>+
> # Check whether user wants Kerberos 5 support
> KRB5_MSG="no"
> AC_ARG_WITH(kerberos5,
>@@ -2914,6 +2926,7 @@
> echo "                    Manpage format: $MANTYPE"
> echo "                       PAM support: $PAM_MSG"
> echo "                 KerberosV support: $KRB5_MSG"
>+echo "                   SELinux support: $SELINUX_MSG"
> echo "                 Smartcard support: $SCARD_MSG"
> echo "                     S/KEY support: $SKEY_MSG"
> echo "              TCP Wrappers support: $TCPW_MSG"
>--- openssh-3.8.1p1/sshpty.c.selinux	2004-01-21 01:07:17.000000000 -0500
>+++ openssh-3.8.1p1/sshpty.c	2004-06-15 13:45:24.834671024 -0400
>@@ -22,6 +22,12 @@
> #include "log.h"
> #include "misc.h"
> 
>+#ifdef WITH_SELINUX
>+#include <selinux/selinux.h>
>+#include <selinux/flask.h>
>+#include <selinux/get_context_list.h>
>+#endif
>+
> #ifdef HAVE_PTY_H
> # include <pty.h>
> #endif
>@@ -196,6 +202,37 @@
> 	 * Warn but continue if filesystem is read-only and the uids match/
> 	 * tty is owned by root.
> 	 */
>+#ifdef WITH_SELINUX
>+	if (is_selinux_enabled() > 0) {
>+		security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; 
>+
>+		if (get_default_context(pw->pw_name,NULL,&user_context)) {
>+			if (security_getenforce() > 0) 
>+				fatal("Failed to get default security context for %s.", pw->pw_name);
>+			else 
>+				error("Failed to get default security context for %s. Continuing in permissve mode", pw->pw_name);
>+		} else {
>+			if (getfilecon(ttyname, &old_tty_context) < 0) {
>+				error("getfilecon(%.100s) failed: %.100s", ttyname, strerror(errno));
>+			} else {
>+				if (security_compute_relabel(user_context,old_tty_context,
>+							     SECCLASS_CHR_FILE,
>+							     &new_tty_context) != 0) {
>+					error("security_compute_relabel(%.100s) failed: %.100s", ttyname,
>+					      strerror(errno));
>+				} else {
>+					if (setfilecon (ttyname, new_tty_context) != 0) 
>+						error("setfilecon(%.100s, %s) failed: %.100s",
>+						      ttyname, new_tty_context, 
>+						      strerror(errno));
>+					freecon(new_tty_context);
>+				}
>+				freecon(old_tty_context);
>+			}
>+			freecon(user_context);
>+		}
>+	}
>+#endif
> 	if (stat(ttyname, &st))
> 		fatal("stat(%.100s) failed: %.100s", ttyname,
> 		    strerror(errno));
>@@ -225,4 +262,5 @@
> 				    ttyname, (u_int)mode, strerror(errno));
> 		}
> 	}
>+
> }
>--- openssh-3.8.1p1/config.h.in.selinux	2004-04-18 08:51:50.000000000 -0400
>+++ openssh-3.8.1p1/config.h.in	2004-06-15 13:43:03.179205928 -0400
>@@ -263,6 +263,9 @@
> /* Define if you want Kerberos 5 support */
> #undef KRB5
> 
>+/* Define if have want SELinux support */
>+#undef WITH_SELINUX
>+
> /* Define this if you are using the Heimdal version of Kerberos V5 */
> #undef HEIMDAL
> 
>--- openssh-3.8.1p1/session.c.selinux	2004-04-16 08:47:55.000000000 -0400
>+++ openssh-3.8.1p1/session.c	2004-06-15 13:44:40.179459648 -0400
>@@ -58,6 +58,11 @@
> #include "session.h"
> #include "monitor_wrap.h"
> 
>+#ifdef WITH_SELINUX
>+#include <selinux/selinux.h>
>+#include <selinux/get_context_list.h>
>+#endif
>+
> #if defined(KRB5) && defined(USE_AFS)
> #include <kafs.h>
> #endif
>@@ -1305,6 +1310,25 @@
> #endif
> 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
> 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
>+#ifdef WITH_SELINUX
>+	if (is_selinux_enabled() > 0) {
>+		security_context_t scontext;
>+		if (get_default_context(pw->pw_name,NULL,&scontext)) {
>+			if (security_getenforce() > 0) 
>+				fatal("Failed to get default security context for %s.", pw->pw_name);
>+			else 
>+				error("Failed to get default security context for %s. Continuing in permissve mode", pw->pw_name);
>+		} else {
>+			if (setexeccon(scontext)) {
>+				if (security_getenforce() > 0) 
>+					fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
>+				else 
>+					error("Failed to set exec security context %s for %s. Continueing in permissive mode", scontext, pw->pw_name);
>+			}
>+			freecon(scontext);
>+		}
>+	}
>+#endif
> }
> 
> static void

Actions: View | Diff

Attachments on bug 880: 648 | 1110 | 1111 | 1120 | 1124