--- openssh/session.c
+++ openssh/session.c
@@ -66,6 +66,11 @@
#include "ssh-gss.h"
#endif
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
/* func */
Session *session_new(void);
@@ -1304,6 +1309,19 @@
#endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled())
+ {
+ security_context_t scontext;
+ if (get_default_context(pw->pw_name,NULL,&scontext))
+ fatal("Failed to get default security context for %s.", pw->pw_name);
+ if (setexeccon(scontext)) {
+ freecon(scontext);
+ fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
+ }
+ freecon(scontext);
+ }
+#endif
}
static void
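Review bot: The setexeccon() failure path frees scontext and then passes the freed string to fatal() as the `%s` argument, a use-after-free that lands exactly on the error-reporting path. Since fatal() does not return there is nothing to clean up, so the two lines should just be `if (setexeccon(scontext))` / `fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);` with the preceding freecon() dropped. A short comment such as `/* SELinux: switch the session's exec context to the user's default context; failure is fatal so the shell never runs in sshd's context */` would explain why this block is fatal where the sshpty.c counterpart only warns. The enclosing function begins outside the hunk.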
--- openssh/sshpty.c
+++ openssh/sshpty.c
@@ -30,6 +30,12 @@
#define O_NOCTTY 0
#endif
+#ifdef WITH_SELINUX
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
/*
* Allocates and opens a pty. Returns 0 if no pty could be allocated, or
* nonzero if a pty was successfully allocated. On success, open file
@@ -196,6 +202,37 @@
* Warn but continue if filesystem is read-only and the uids match/
* tty is owned by root.
*/
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled()) {
+ security_context_t new_tty_context=NULL,
+ user_context=NULL, old_tty_context=NULL;
+
+ if (get_default_context(pw->pw_name,NULL,&user_context))
+ fatal("Failed to get default security context for %s.", pw->pw_name);
+
+ if (getfilecon(tty, &old_tty_context)<0) {
+ error("getfilecon(%.100s) failed: %.100s", tty,
+ strerror(errno));
+ }
+ else
+ {
+ if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
+ error("security_compute_relabel(%.100s) failed: %.100s", tty,
+ strerror(errno));
+ }
+ else
+ {
+ if (setfilecon (tty, new_tty_context) != 0) {
+ error("setfilecon(%.100s, %s) failed: %.100s",
+ tty, new_tty_context, strerror(errno));
+ }
+ freecon(new_tty_context);
+ }
+ freecon(old_tty_context);
+ }
+ freecon(user_context);
+ }
+#endif
if (stat(tty, &st))
fatal("stat(%.100s) failed: %.100s", tty,
strerror(errno));
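Review bot: The tty relabel is best-effort — a failing getfilecon(), security_compute_relabel() or setfilecon() is logged with error() and the login proceeds with the tty keeping its old label — while get_default_context() a few lines earlier is fatal; that asymmetry is not explained by the "warn but continue" comment above, which is about read-only filesystems and ownership, not labels. Either document the choice with a comment at the top of the block, e.g. `/* Relabel the tty for the user's context; failure here is non-fatal because the session can still run with the old label */`, or make setfilecon() failure fatal to match session.c. Separately, the error message for security_compute_relabel() prints only tty, so a log reader cannot tell which pair of contexts could not be computed; including user_context and old_tty_context in that message would make the failure diagnosable. The enclosing function starts and ends outside the hunk.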