openssh-4.3p2-26.el5.src.rpm

--- /dev/null	2005-10-16 17:38:47.999906500 -0400
+++ openssh-4.2p1/selinux.c	2005-10-18 15:52:16.000000000 -0400
@@ -0,0 +1,84 @@
+#include "includes.h"
+#include "auth.h"
+#include "log.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+extern Authctxt *the_authctxt;
+
+static const security_context_t selinux_get_user_context(const char *name) {
+	security_context_t user_context=NULL;
+	char *role=NULL;
+	int ret=-1;
+	char *seuser=NULL;
+	char *level=NULL;
+
+	if (the_authctxt) 
+		role=the_authctxt->role;
+
+	if (getseuserbyname(name, &seuser, &level)==0) {
+		if (role != NULL && role[0]) 
+			ret=get_default_context_with_rolelevel(seuser, role, level,NULL,&user_context);
+		else
+			ret=get_default_context_with_level(seuser, level, NULL,&user_context);
+	}
+
+	if ( ret < 0 ) {
+		if (security_getenforce() > 0) 
+			fatal("Failed to get default security context for %s.", name);
+		else 
+			error("Failed to get default security context for %s. Continuing in permissive mode", name);
+	} 
+	return user_context;
+}
+
+void setup_selinux_pty(const char *name, const char *tty) {
+	if (is_selinux_enabled() > 0) {
+		security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; 
+
+		user_context=selinux_get_user_context(name);
+
+		if (getfilecon(tty, &old_tty_context) < 0) {
+			error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
+		} else {
+			if (security_compute_relabel(user_context,old_tty_context,
+						     SECCLASS_CHR_FILE,
+						     &new_tty_context) != 0) {
+				error("security_compute_relabel(%.100s) failed: %.100s", tty,
+				      strerror(errno));
+			} else {
+				if (setfilecon (tty, new_tty_context) != 0) 
+					error("setfilecon(%.100s, %s) failed: %.100s",
+					      tty, new_tty_context, 
+					      strerror(errno));
+				freecon(new_tty_context);
+			}
+			freecon(old_tty_context);
+		}
+		if (user_context) {
+			freecon(user_context);
+		}
+	}
+}
+
+void setup_selinux_exec_context(char *name) {
+
+	if (is_selinux_enabled() > 0) {
+		security_context_t user_context=selinux_get_user_context(name);
+		if (setexeccon(user_context)) {
+			if (security_getenforce() > 0) 
+				fatal("Failed to set exec security context %s for %s.", user_context, name);
+			else 
+				error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name);
+		}
+		if (user_context) {
+			freecon(user_context);
+		}
+	}
+}
+
+#endif /* WITH_SELINUX */
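Review bot: `selinux_get_user_context` never frees the `seuser` and `level` strings that `getseuserbyname` allocates for the caller, so every pty setup and every exec-context setup leaks two heap strings; add `free(seuser); free(level);` before `return user_context;`. In permissive mode the helper returns NULL after logging, and `setup_selinux_exec_context` then passes that NULL to `%s` in the `fatal`/`error` messages at the setexeccon failure branch, which is undefined behaviour for the printf family; use `user_context ? user_context : "(none)"` there. `setup_selinux_exec_context` takes `char *name` here but `const char *name` in the selinux.h hunk of this same patch, and because selinux.c does not include selinux.h the compiler cannot flag the mismatch; declare it `const char *name` and add `#include "selinux.h"` to the includes at the top. The `const` on the `security_context_t` return type qualifies the returned pointer value itself and has no effect; drop it, and document that the returned context is owned by the caller and must be released with `freecon()`.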
--- openssh-4.2p1/monitor.h.selinux	2005-02-02 08:20:53.000000000 -0500
+++ openssh-4.2p1/monitor.h	2005-10-18 15:50:12.000000000 -0400
@@ -30,7 +30,7 @@
 
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
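Review bot: The added enumerator is glued to the previous one without the space every other pair in this enum uses; write `MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,`. Like MONITOR_REQ_AUTHSERV it has no MONITOR_ANS_ counterpart, which is consistent with the one-way `mm_inform_authrole` in the monitor_wrap.c hunk, but a short trailing comment such as `/* no answer, like AUTHSERV */` would spare the next reader the search.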
--- openssh-4.2p1/contrib/redhat/sshd.init.selinux	2005-10-18 15:50:12.000000000 -0400
+++ openssh-4.2p1/contrib/redhat/sshd.init	2005-10-18 15:50:12.000000000 -0400
@@ -35,6 +35,9 @@
 		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA1_KEY
 			chmod 644 $RSA1_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA1_KEY.pub
+			fi
 			success $"RSA1 key generation"
 			echo
 		else
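Review bot: `restorecon` is run only on the public key file, so the private key created by the same `$KEYGEN` invocation keeps whatever context it inherited at creation; if relabelling is needed for the `.pub` it is not clear why the private key is exempt, and `/sbin/restorecon $RSA1_KEY $RSA1_KEY.pub` would cover both in one call. The same shape recurs in the rsa hunk (ending at the `else` before `RSA key generation`) and the dsa hunk (ending before `DSA key generation`); whichever choice is made, a one-line comment above the `if [ -x /sbin/restorecon ]` stating why the private key is or is not relabelled would document it. The surrounding `start()` function of the init script is outside the hunk.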
@@ -51,6 +54,9 @@
 		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA_KEY
 			chmod 644 $RSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA_KEY.pub
+			fi
 			success $"RSA key generation"
 			echo
 		else
@@ -67,6 +73,9 @@
 		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $DSA_KEY
 			chmod 644 $DSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $DSA_KEY.pub
+			fi
 			success $"DSA key generation"
 			echo
 		else
--- openssh-4.2p1/monitor.c.selinux	2005-07-17 03:53:31.000000000 -0400
+++ openssh-4.2p1/monitor.c	2005-10-18 15:50:12.000000000 -0400
@@ -111,6 +111,7 @@
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -181,6 +182,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -623,6 +625,7 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -671,6 +674,23 @@
 }
 
 int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
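Review bot: The role string accepted here originates in the client-supplied user name (the auth2.c hunk splits it off after `/`), so the monitor is storing untrusted input and the only validation it ever receives is the policy lookup in `get_default_context_with_rolelevel`; that should be stated on the function, e.g. `/* Role is client-supplied (user/role); it is validated only by the SELinux policy lookup in selinux_get_user_context(). */`. The call is registered as MON_ONCE in the dispatch table hunk, which is what prevents a second request from overwriting (and leaking) an already-set `authctxt->role`; a comment noting that reliance would help, since nothing in the body itself guards against it. `sock` is unused here, as it is in the neighbouring handlers, so that matches the file's style.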
+
+int
 mm_answer_authpassword(int sock, Buffer *m)
 {
 	static int call_count;
--- openssh-4.2p1/monitor_wrap.c.selinux	2005-07-17 03:53:31.000000000 -0400
+++ openssh-4.2p1/monitor_wrap.c	2005-10-18 15:50:12.000000000 -0400
@@ -272,6 +272,23 @@
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
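Review bot: The `role` parameter is only read (`role ? role : ""`), so it should be `const char *role` here and in the monitor_wrap.h prototype hunk; the auth2.c caller passes a `char *` and is unaffected. Style: the existing functions in this file (see the `/* Do the password authentication */` block just below) put the header comment directly above the return type with no blank line, whereas this one inserts a blank line after `/* Inform the privileged process about role */`.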
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
--- openssh-4.2p1/Makefile.in.selinux	2005-05-29 03:22:29.000000000 -0400
+++ openssh-4.2p1/Makefile.in	2005-10-18 15:50:12.000000000 -0400
@@ -43,6 +43,7 @@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
+LIBSELINUX=@LIBSELINUX@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
 LIBWRAP=@LIBWRAP@
@@ -77,7 +78,7 @@
 	sshconnect.o sshconnect1.o sshconnect2.o
 
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-	sshpty.o sshlogin.o servconf.o serverloop.o \
+	sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \
 	auth.o auth1.o auth2.o auth-options.o session.o \
 	auth-chall.o auth2-chall.o groupaccess.o \
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
@@ -136,7 +137,7 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-4.2p1/auth2.c.selinux	2005-07-17 03:26:44.000000000 -0400
+++ openssh-4.2p1/auth2.c	2005-10-18 15:50:12.000000000 -0400
@@ -134,7 +134,7 @@
 {
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
-	char *user, *service, *method, *style = NULL;
+	char *user, *service, *method, *style = NULL, *role = NULL;
 	int authenticated = 0;
 
 	if (authctxt == NULL)
@@ -146,6 +146,9 @@
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = 0;
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
 
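Review bot: The `:` style separator is searched only in the part of `user` that remains after the `/` split, so a name written as `user/role:style` ends up with `role:style` stored as the role, whereas the auth1.c hunk of this patch additionally looks for `:` inside the role; the two protocols should parse the same syntax. Mirror auth1.c here by extending the style lookup: `else if (role != NULL && (style = strchr(role, ':')) != NULL)` followed by `*style++ = 0;`. The enclosing function begins outside the hunk.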
@@ -175,8 +178,11 @@
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
+		authctxt->role = role ? xstrdup(role) : NULL;
+		if (use_privsep) {
 			mm_inform_authserv(service, style);
+			mm_inform_authrole(role);
+		}
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of username or service not allowed: "
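Review bot: The "Change of username or service not allowed" check compares only `user` and `service`, and since `role` has already been cut out of `user` a later userauth request carrying a different `user/role` passes the check while the role from the first request stays in effect (assuming this assignment sits in the first-request branch, whose header is outside the hunk). That is silent rather than exploitable, but for consistency with the existing rule the condition should also reject a changed role, e.g. `(role == NULL) != (authctxt->role == NULL) || (role != NULL && strcmp(role, authctxt->role) != 0)`, and the disconnect message should mention the role. The `mm_inform_authrole(role)` call is correctly placed alongside `mm_inform_authserv` so the monitor's copy of the context learns the role under privsep.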
--- openssh-4.2p1/auth1.c.selinux	2005-10-18 15:50:12.000000000 -0400
+++ openssh-4.2p1/auth1.c	2005-10-18 15:50:12.000000000 -0400
@@ -370,7 +370,7 @@
 do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
-	char *user, *style = NULL;
+	char *user, *style = NULL, *role=NULL;
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -379,11 +379,19 @@
 	user = packet_get_string(&ulen);
 	packet_check_eom();
 
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = '\0';
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
+	else
+		if (role && (style = strchr(role, ':')) != NULL)
+			*style++ = '\0';
+			
 
 	authctxt->user = user;
 	authctxt->style = style;
+	authctxt->role = role;
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
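Review bot: Unlike the auth2.c hunk, this path records the role only in the unprivileged process and never calls `mm_inform_authrole`, so under privilege separation the monitor's `authctxt->role` (which the new monitor.c handler expects to receive) stays NULL for protocol 1 sessions and the requested role is silently dropped; the rest of `do_authentication` is outside the hunk, so if the call happens later it is not visible here. If the omission is intentional it deserves a comment at `authctxt->role = role;`, otherwise add the call next to wherever `mm_inform_authserv` is sent for protocol 1. Style: the `else` / newline / `if` should be a single `else if (role != NULL && (style = strchr(role, ':')) != NULL)`, and the blank line after it carries trailing tabs.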
--- openssh-4.2p1/sshpty.c.selinux	2005-05-27 07:13:41.000000000 -0400
+++ openssh-4.2p1/sshpty.c	2005-10-18 15:50:12.000000000 -0400
@@ -22,6 +22,8 @@
 #include "log.h"
 #include "misc.h"
 
+#include "selinux.h"
+
 #ifdef HAVE_PTY_H
 # include <pty.h>
 #endif
@@ -200,6 +202,8 @@
 		fatal("stat(%.100s) failed: %.100s", tty,
 		    strerror(errno));
 
+	setup_selinux_pty(pw->pw_name, tty);
+
 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
 		if (chown(tty, pw->pw_uid, gid) < 0) {
 			if (errno == EROFS &&
--- openssh-4.2p1/configure.ac.selinux	2005-10-18 15:50:12.000000000 -0400
+++ openssh-4.2p1/configure.ac	2005-10-18 15:50:12.000000000 -0400
@@ -2667,6 +2667,28 @@
 			[#include <arpa/nameser.h>])
 	])
 
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+LIBSELINUX=""
+AC_ARG_WITH(selinux,
+	[  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
+	[ if test "x$withval" != "xno" ; then
+		if test "x$withval" != "xyes"; then
+			CPPFLAGS="$CPPFLAGS -I${withval}/include"
+			if test -n "${need_dash_r}"; then
+				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+			else
+				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+			fi
+               fi 
+		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
+		SELINUX_MSG="yes"
+		AC_CHECK_HEADERS(selinux.h)
+		LIBSELINUX="-lselinux"
+	fi
+	])
+AC_SUBST(LIBSELINUX)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
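Review bot: `AC_CHECK_HEADERS(selinux.h)` probes for a header named `selinux.h`, but selinux.c includes `<selinux/selinux.h>`, so the check tests the wrong path, and its result is never consulted: `WITH_SELINUX` is defined and `-lselinux` added unconditionally before the check runs. Make the probe fail loudly and test the real header, e.g. `AC_CHECK_HEADERS([selinux/selinux.h], , [AC_MSG_ERROR([SELinux headers not found])])`, and consider an `AC_CHECK_LIB(selinux, setexeccon, ...)` so the build stops at configure time rather than at link time when the library is absent. Style: the closing `fi` after the `${withval}` block is indented with spaces and has a trailing space, where the surrounding lines use tabs.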
@@ -3459,6 +3481,7 @@
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
+echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
--- openssh-4.2p1/session.c.selinux	2005-08-31 12:59:49.000000000 -0400
+++ openssh-4.2p1/session.c	2005-10-18 15:50:12.000000000 -0400
@@ -59,6 +59,8 @@
 #include "kex.h"
 #include "monitor_wrap.h"
 
+#include "selinux.h"
+
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
@@ -1349,6 +1351,8 @@
 #endif
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+
+	setup_selinux_exec_context(pw->pw_name);
 }
 
 static void
--- openssh-4.2p1/auth.h.selinux	2005-07-06 21:50:20.000000000 -0400
+++ openssh-4.2p1/auth.h	2005-10-18 15:50:12.000000000 -0400
@@ -58,6 +58,7 @@
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
+	char		*role;
 	void		*kbdintctxt;
 #ifdef BSD_AUTH
 	auth_session_t	*as;
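Review bot: The new field has no comment, while the neighbouring `pw` documents when it is set; since `role` is filled from the client-supplied `user/role` syntax (auth2.c and auth1.c hunks) and consumed by the SELinux helpers, write `char *role; /* SELinux role from "user/role"; NULL if none */`. The struct definition begins outside the hunk.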
--- openssh-4.2p1/monitor_wrap.h.selinux	2005-02-08 05:52:48.000000000 -0500
+++ openssh-4.2p1/monitor_wrap.h	2005-10-18 15:50:12.000000000 -0400
@@ -44,6 +44,7 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+void mm_inform_authrole(char *);
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
--- /dev/null	2005-10-16 17:38:47.999906500 -0400
+++ openssh-4.2p1/selinux.h	2005-10-18 15:50:12.000000000 -0400
@@ -0,0 +1,10 @@
+#ifndef __SELINUX_H_
+#define __SELINUX_H_
+#ifdef WITH_SELINUX
+extern void setup_selinux_pty(const char *name, const char *tty);
+extern void setup_selinux_exec_context(const char *name);
+#else
+static inline void setup_selinux_pty(const char *name, const char *tty) {}
+static inline void setup_selinux_exec_context(const char *name) {} 
+#endif /* WITH_SELINUX */
+#endif /* __SELINUX_H_ */
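Review bot: `__SELINUX_H_` begins with a double underscore, which is reserved for the implementation in C; use a plain guard such as `SELINUX_H` in line with the project's other headers. The `setup_selinux_exec_context` prototype here takes `const char *name` while the definition in the selinux.c hunk takes `char *name`, and because selinux.c does not include this header the mismatch goes unreported; align the definition with this prototype. The `extern` on the two function declarations is redundant, and the empty inline stubs will draw unused-parameter warnings under `-Wextra`; a `(void)name; (void)tty;` in the bodies keeps them quiet.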