Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/net-misc/openssh/files/openssh-4.2_p1-selinux.patch
diff options
context:
space:
mode:
Diffstat (limited to 'net-misc/openssh/files/openssh-4.2_p1-selinux.patch')
-rw-r--r--net-misc/openssh/files/openssh-4.2_p1-selinux.patch87
1 files changed, 87 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-4.2_p1-selinux.patch b/net-misc/openssh/files/openssh-4.2_p1-selinux.patch
new file mode 100644
index 000000000000..88c2b74e43fc
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.2_p1-selinux.patch
@@ -0,0 +1,87 @@
+--- openssh/session.c
++++ openssh/session.c
+@@ -66,6 +66,11 @@
+ #include "ssh-gss.h"
+ #endif
+
++#ifdef WITH_SELINUX
++#include <selinux/get_context_list.h>
++#include <selinux/selinux.h>
++#endif
++
+ /* func */
+
+ Session *session_new(void);
+@@ -1304,6 +1309,19 @@
+ #endif
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+ fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled())
++ {
++ security_context_t scontext;
++ if (get_default_context(pw->pw_name,NULL,&scontext))
++ fatal("Failed to get default security context for %s.", pw->pw_name);
++ if (setexeccon(scontext)) {
++ freecon(scontext);
++ fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
++ }
++ freecon(scontext);
++ }
++#endif
+ }
+
+ static void
+--- openssh/sshpty.c
++++ openssh/sshpty.c
+@@ -30,6 +30,12 @@
+ #define O_NOCTTY 0
+ #endif
+
++#ifdef WITH_SELINUX
++#include <selinux/flask.h>
++#include <selinux/get_context_list.h>
++#include <selinux/selinux.h>
++#endif
++
+ /*
+ * Allocates and opens a pty. Returns 0 if no pty could be allocated, or
+ * nonzero if a pty was successfully allocated. On success, open file
+@@ -196,6 +202,37 @@
+ * Warn but continue if filesystem is read-only and the uids match/
+ * tty is owned by root.
+ */
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled()) {
++ security_context_t new_tty_context=NULL,
++ user_context=NULL, old_tty_context=NULL;
++
++ if (get_default_context(pw->pw_name,NULL,&user_context))
++ fatal("Failed to get default security context for %s.", pw->pw_name);
++
++ if (getfilecon(tty, &old_tty_context)<0) {
++ error("getfilecon(%.100s) failed: %.100s", tty,
++ strerror(errno));
++ }
++ else
++ {
++ if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
++ error("security_compute_relabel(%.100s) failed: %.100s", tty,
++ strerror(errno));
++ }
++ else
++ {
++ if (setfilecon (tty, new_tty_context) != 0) {
++ error("setfilecon(%.100s, %s) failed: %.100s",
++ tty, new_tty_context, strerror(errno));
++ }
++ freecon(new_tty_context);
++ }
++ freecon(old_tty_context);
++ }
++ freecon(user_context);
++ }
++#endif
+ if (stat(tty, &st))
+ fatal("stat(%.100s) failed: %.100s", tty,
+ strerror(errno));