

3e8b5b
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
3e8b5b
index 8f32464..18a2ca4 100644
3e8b5b
--- a/openbsd-compat/port-linux-sshd.c
3e8b5b
+++ b/openbsd-compat/port-linux-sshd.c
3e8b5b
@@ -32,6 +32,7 @@
3e8b5b
 #include "misc.h"      /* servconf.h needs misc.h for struct ForwardOptions */
3e8b5b
 #include "servconf.h"
3e8b5b
 #include "port-linux.h"
3e8b5b
+#include "misc.h"
3e8b5b
 #include "sshkey.h"
3e8b5b
 #include "hostfile.h"
3e8b5b
 #include "auth.h"
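Review bot: The added `#include "misc.h"` is redundant — the same header is already included four lines earlier in this hunk, together with a comment explaining why it must precede servconf.h. The later hunk's new code needs `strdelim()` from misc.h, but that is already in scope through the existing include, so the added line can simply be dropped.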
3e8b5b
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
3e8b5b
 void
3e8b5b
 sshd_selinux_copy_context(void)
3e8b5b
 {
3e8b5b
-	security_context_t *ctx;
3e8b5b
+	char *ctx;
3e8b5b
 
3e8b5b
 	if (!sshd_selinux_enabled())
3e8b5b
 		return;
3e8b5b
@@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
3e8b5b
 	}
3e8b5b
 }
3e8b5b
 
3e8b5b
+void
3e8b5b
+sshd_selinux_change_privsep_preauth_context(void)
3e8b5b
+{
3e8b5b
+	int len;
3e8b5b
+	char line[1024], *preauth_context = NULL, *cp, *arg;
3e8b5b
+	const char *contexts_path;
3e8b5b
+	FILE *contexts_file;
3e8b5b
+	struct stat sb;
3e8b5b
+
3e8b5b
+	contexts_path = selinux_openssh_contexts_path();
3e8b5b
+	if (contexts_path == NULL) {
3e8b5b
+		debug3("%s: Failed to get the path to SELinux context", __func__);
3e8b5b
+		return;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
3e8b5b
+		debug("%s: Failed to open SELinux context file", __func__);
3e8b5b
+		return;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if (fstat(fileno(contexts_file), &sb) != 0 ||
3e8b5b
+	    sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
3e8b5b
+		logit("%s: SELinux context file needs to be owned by root"
3e8b5b
+		    " and not writable by anyone else", __func__);
3e8b5b
+		fclose(contexts_file);
3e8b5b
+		return;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	while (fgets(line, sizeof(line), contexts_file)) {
3e8b5b
+		/* Strip trailing whitespace */
3e8b5b
+		for (len = strlen(line) - 1; len > 0; len--) {
3e8b5b
+			if (strchr(" \t\r\n", line[len]) == NULL)
3e8b5b
+				break;
3e8b5b
+			line[len] = '\0';
3e8b5b
+		}
3e8b5b
+
3e8b5b
+		if (line[0] == '\0')
3e8b5b
+			continue;
3e8b5b
+
3e8b5b
+		cp = line;
3e8b5b
+		arg = strdelim(&cp;;
3e8b5b
+		if (arg && *arg == '\0')
3e8b5b
+			arg = strdelim(&cp;;
3e8b5b
+
3e8b5b
+		if (arg && strcmp(arg, "privsep_preauth") == 0) {
3e8b5b
+			arg = strdelim(&cp;;
3e8b5b
+			if (!arg || *arg == '\0') {
3e8b5b
+				debug("%s: privsep_preauth is empty", __func__);
3e8b5b
+				fclose(contexts_file);
3e8b5b
+				return;
3e8b5b
+			}
3e8b5b
+			preauth_context = xstrdup(arg);
3e8b5b
+		}
3e8b5b
+	}
3e8b5b
+	fclose(contexts_file);
3e8b5b
+
3e8b5b
+	if (preauth_context == NULL) {
3e8b5b
+		debug("%s: Unable to find 'privsep_preauth' option in"
3e8b5b
+		    " SELinux context file", __func__);
3e8b5b
+		return;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	ssh_selinux_change_context(preauth_context);
3e8b5b
+	free(preauth_context);
3e8b5b
+}
3e8b5b
+
3e8b5b
 #endif
3e8b5b
 #endif
3e8b5b
 
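Review bot: In `sshd_selinux_change_privsep_preauth_context()`, a second `privsep_preauth` line overwrites `preauth_context` with a fresh `xstrdup()` without freeing the first one, and the early `return` for an empty value likewise leaks whatever an earlier line assigned; `free(preauth_context); preauth_context = xstrdup(arg);` and a `free(preauth_context);` before that return close both paths (or `break` after the first match if only one entry is meant to count). The fstat check is done on the open descriptor, which avoids a check-then-open race, but it does not reject non-regular files — adding `|| !S_ISREG(sb.st_mode)` to the same condition keeps a stray FIFO or device at that path from stalling the preauth child on `fgets()`. The `strdelim(&cp;;` spelling appears to be a rendering artifact of `strdelim(&cp);`; worth confirming against the patch file itself rather than this view.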
3e8b5b
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
3e8b5b
index 22ea8ef..1fc963d 100644
3e8b5b
--- a/openbsd-compat/port-linux.c
3e8b5b
+++ b/openbsd-compat/port-linux.c
3e8b5b
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
3e8b5b
 	strlcpy(newctx + len, newname, newlen - len);
3e8b5b
 	if ((cx = index(cx + 1, ':')))
3e8b5b
 		strlcat(newctx, cx, newlen);
3e8b5b
-	debug3("%s: setting context from '%s' to '%s'", __func__,
3e8b5b
+	debug("%s: setting context from '%s' to '%s'", __func__,
3e8b5b
 	    oldctx, newctx);
3e8b5b
 	if (setcon(newctx) < 0)
3e8b5b
 		switchlog("%s: setcon %s from %s failed with %s", __func__,
3e8b5b
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
3e8b5b
index cb51f99..8b7cda2 100644
3e8b5b
--- a/openbsd-compat/port-linux.h
3e8b5b
+++ b/openbsd-compat/port-linux.h
3e8b5b
@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
3e8b5b
 void sshd_selinux_copy_context(void);
3e8b5b
 void sshd_selinux_setup_exec_context(char *);
3e8b5b
 int sshd_selinux_setup_env_variables(void);
3e8b5b
+void sshd_selinux_change_privsep_preauth_context(void);
3e8b5b
 #endif
3e8b5b
 
3e8b5b
 #ifdef LINUX_OOM_ADJUST
3e8b5b
diff --git a/sshd.c b/sshd.c
3e8b5b
index 2871fe9..39b9c08 100644
3e8b5b
--- a/sshd.c
3e8b5b
+++ b/sshd.c
3e8b5b
@@ -629,7 +629,7 @@ privsep_preauth_child(void)
3e8b5b
 	demote_sensitive_data();
3e8b5b
 
3e8b5b
 #ifdef WITH_SELINUX
3e8b5b
-	ssh_selinux_change_context("sshd_net_t");
3e8b5b
+	sshd_selinux_change_privsep_preauth_context();
3e8b5b
 #endif
3e8b5b
 
3e8b5b
 	/* Demote the child */
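Review bot: The preauth child now stays in its current SELinux domain whenever `sshd_selinux_change_privsep_preauth_context()` takes one of its early-return paths (no contexts path, unopenable file, bad ownership or mode, missing or empty `privsep_preauth` entry), whereas the replaced line always attempted the transition to `sshd_net_t`. Most of those paths report only at `debug` level, so a misconfigured contexts file silently leaves the network-facing child with the parent's domain. Consider whether this call site should treat a missing transition as fatal, or at least make the helper return a status and log the failure here with `logit()` so it is visible at the default log level; that decision belongs in `privsep_preauth_child()`, which begins outside this hunk, since the helper cannot know which caller is security-sensitive.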