Bugzilla – Attachment 648 Details for
Bug 880
SELinux patch
[patch]
SELinux patch
openssh-selinux.patch (text/plain), 5.28 KB, created by
Daniel Walsh
on 2004-06-16 04:03:21 AEST
Description:
SELinux patch
Filename:
MIME Type:
Creator:
Daniel Walsh
Created:
2004-06-16 04:03:21 AEST
Size:
5.28 KB
patch
obsolete
>--- openssh-3.8.1p1/contrib/redhat/sshd.init.selinux 2002-05-09 22:19:23.000000000 -0400
>+++ openssh-3.8.1p1/contrib/redhat/sshd.init 2004-06-15 13:43:03.171207144 -0400
>@@ -35,6 +35,9 @@
> if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
> chmod 600 $RSA1_KEY
> chmod 644 $RSA1_KEY.pub
>+ if [ -x /sbin/restorecon ]; then
>+ /sbin/restorecon $RSA1_KEY.pub
>+ fi
> success $"RSA1 key generation"
> echo
> else
>@@ -51,6 +54,9 @@
> if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
> chmod 600 $RSA_KEY
> chmod 644 $RSA_KEY.pub
>+ if [ -x /sbin/restorecon ]; then
>+ /sbin/restorecon $RSA_KEY.pub
>+ fi
> success $"RSA key generation"
> echo
> else
>@@ -67,6 +73,9 @@
> if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
> chmod 600 $DSA_KEY
> chmod 644 $DSA_KEY.pub
>+ if [ -x /sbin/restorecon ]; then
>+ /sbin/restorecon $DSA_KEY.pub
>+ fi
> success $"DSA key generation"
> echo
> else
>--- openssh-3.8.1p1/configure.ac.selinux 2004-06-15 13:43:03.097218392 -0400
>+++ openssh-3.8.1p1/configure.ac 2004-06-15 13:43:03.174206688 -0400
>@@ -2160,6 +2160,18 @@
> [#include <arpa/nameser.h>])
> ])
>
>+# Check whether user wants SELinux support
>+SELINUX_MSG="no"
>+AC_ARG_WITH(selinux,
>+ [ --with-selinux Enable SELinux support],
>+ [ if test "x$withval" != "xno" ; then
>+ AC_DEFINE(WITH_SELINUX)
>+ SELINUX_MSG="yes"
>+ AC_CHECK_HEADERS(selinux.h)
>+ LIBS="$LIBS -lselinux"
>+ fi
>+ ])
>+
> # Check whether user wants Kerberos 5 support
> KRB5_MSG="no"
> AC_ARG_WITH(kerberos5,
>@@ -2914,6 +2926,7 @@
> echo " Manpage format: $MANTYPE"
> echo " PAM support: $PAM_MSG"
> echo " KerberosV support: $KRB5_MSG"
>+echo " SELinux support: $SELINUX_MSG"
> echo " Smartcard support: $SCARD_MSG"
> echo " S/KEY support: $SKEY_MSG"
> echo " TCP Wrappers support: $TCPW_MSG"
>--- openssh-3.8.1p1/sshpty.c.selinux 2004-01-21 01:07:17.000000000 -0500
>+++ openssh-3.8.1p1/sshpty.c 2004-06-15 13:45:24.834671024 -0400
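Review bot: Only the public half of each key is relabeled — `/sbin/restorecon $RSA1_KEY.pub` follows the `chmod 644`, while the private key `$RSA1_KEY` written by the same ssh-keygen call keeps whatever label it was created with; unless the policy's file-transition rule is known to give the private key its correct type, `/sbin/restorecon $RSA1_KEY $RSA1_KEY.pub` would cover both. The rsa (`$RSA_KEY`) and dsa (`$DSA_KEY`) hunks below have the same shape. restorecon's exit status is also ignored, so a relabel failure is silent; if that is intended for an init script, a comment such as `# best effort: on failure the key keeps its default label` would make it explicit.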
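Review bot: `AC_CHECK_HEADERS(selinux.h)` probes for a top-level `selinux.h`, but the sources added by this patch include `<selinux/selinux.h>`, so the check looks at the wrong path and the `HAVE_SELINUX_H` it would define is never consulted. `AC_DEFINE(WITH_SELINUX)` and the `-lselinux` append happen regardless of the result, so a host without libselinux fails at compile or link time rather than at configure time. Replacing the check with `AC_CHECK_HEADER([selinux/selinux.h], [], [AC_MSG_ERROR([--with-selinux given but selinux/selinux.h not found])])` and `AC_CHECK_LIB([selinux], [is_selinux_enabled], [], [AC_MSG_ERROR([libselinux not found])])`, placed before the `AC_DEFINE`, makes the failure explicit. The summary-line hunk below needs nothing.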
>@@ -22,6 +22,12 @@
> #include "log.h"
> #include "misc.h"
>
>+#ifdef WITH_SELINUX
>+#include <selinux/selinux.h>
>+#include <selinux/flask.h>
>+#include <selinux/get_context_list.h>
>+#endif
>+
> #ifdef HAVE_PTY_H
> # include <pty.h>
> #endif
>@@ -196,6 +202,37 @@
> * Warn but continue if filesystem is read-only and the uids match/
> * tty is owned by root.
> */
>+#ifdef WITH_SELINUX
>+ if (is_selinux_enabled() > 0) {
>+ security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
>+
>+ if (get_default_context(pw->pw_name,NULL,&user_context)) {
>+ if (security_getenforce() > 0)
>+ fatal("Failed to get default security context for %s.", pw->pw_name);
>+ else
>+ error("Failed to get default security context for %s. Continuing in permissve mode", pw->pw_name);
>+ } else {
>+ if (getfilecon(ttyname, &old_tty_context) < 0) {
>+ error("getfilecon(%.100s) failed: %.100s", ttyname, strerror(errno));
>+ } else {
>+ if (security_compute_relabel(user_context,old_tty_context,
>+ SECCLASS_CHR_FILE,
>+ &new_tty_context) != 0) {
>+ error("security_compute_relabel(%.100s) failed: %.100s", ttyname,
>+ strerror(errno));
>+ } else {
>+ if (setfilecon (ttyname, new_tty_context) != 0)
>+ error("setfilecon(%.100s, %s) failed: %.100s",
>+ ttyname, new_tty_context,
>+ strerror(errno));
>+ freecon(new_tty_context);
>+ }
>+ freecon(old_tty_context);
>+ }
>+ freecon(user_context);
>+ }
>+ }
>+#endif
> if (stat(ttyname, &st))
> fatal("stat(%.100s) failed: %.100s", ttyname,
> strerror(errno));
>@@ -225,4 +262,5 @@
> ttyname, (u_int)mode, strerror(errno));
> }
> }
>+
> }
>--- openssh-3.8.1p1/config.h.in.selinux 2004-04-18 08:51:50.000000000 -0400
>+++ openssh-3.8.1p1/config.h.in 2004-06-15 13:43:03.179205928 -0400
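Review bot: `if (security_getenforce() > 0)` treats libselinux's error return (-1) the same as permissive mode, so when the enforcement state cannot be read a missing user context is only logged and the login proceeds with the tty still carrying its old label; `if (security_getenforce() != 0)` fails closed instead. The same test is used in the session.c hunk. A `setfilecon()` failure is only `error()`ed even when enforcing, which is inconsistent with the session.c hunk where the corresponding `setexeccon()` failure is `fatal()` in enforcing mode; the relabel failure likely deserves the same treatment, though that depends on how the rest of this function handles ownership errors. The error string also misspells "permissive" (`Continuing in permissve mode`). The enclosing function begins before this hunk and continues after it.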
>@@ -263,6 +263,9 @@
> /* Define if you want Kerberos 5 support */
> #undef KRB5
>
>+/* Define if have want SELinux support */
>+#undef WITH_SELINUX
>+
> /* Define this if you are using the Heimdal version of Kerberos V5 */
> #undef HEIMDAL
>
>--- openssh-3.8.1p1/session.c.selinux 2004-04-16 08:47:55.000000000 -0400
>+++ openssh-3.8.1p1/session.c 2004-06-15 13:44:40.179459648 -0400
>@@ -58,6 +58,11 @@
> #include "session.h"
> #include "monitor_wrap.h"
>
>+#ifdef WITH_SELINUX
>+#include <selinux/selinux.h>
>+#include <selinux/get_context_list.h>
>+#endif
>+
> #if defined(KRB5) && defined(USE_AFS)
> #include <kafs.h>
> #endif
>@@ -1305,6 +1310,25 @@
> #endif
> if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
> fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
>+#ifdef WITH_SELINUX
>+ if (is_selinux_enabled() > 0) {
>+ security_context_t scontext;
>+ if (get_default_context(pw->pw_name,NULL,&scontext)) {
>+ if (security_getenforce() > 0)
>+ fatal("Failed to get default security context for %s.", pw->pw_name);
>+ else
>+ error("Failed to get default security context for %s. Continuing in permissve mode", pw->pw_name);
>+ } else {
>+ if (setexeccon(scontext)) {
>+ if (security_getenforce() > 0)
>+ fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
>+ else
>+ error("Failed to set exec security context %s for %s. Continueing in permissive mode", scontext, pw->pw_name);
>+ }
>+ freecon(scontext);
>+ }
>+ }
>+#endif
> }
>
> static void
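Review bot: The new config.h.in comment reads `/* Define if have want SELinux support */`; following the neighbouring entries it should be `/* Define if you want SELinux support */`.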
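Review bot: The two user-facing error strings in the session.c hunk carry typos (`permissve`, `Continueing`) and spell the same trailing phrase two different ways; `"Failed to get default security context for %s. Continuing in permissive mode"` and `"Failed to set exec security context %s for %s. Continuing in permissive mode"` fix both and match the sshpty.c wording once that is corrected. The block would also benefit from a one-line comment stating its purpose, e.g. `/* Request the SELinux context mapped to pw_name for the user's shell; it takes effect on the next execve. */`, since nothing nearby says why the exec context is set after the uid switch. The enclosing function begins before this hunk and ends at the `}` shown in its context.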