Do not fallback to sshd_net_t SELinux context

This commit is contained in:
Jakub Jelen 2019-03-11 13:35:55 +01:00
parent 586cf149b5
commit 3339efd12d

View File

@ -19,7 +19,7 @@ index 8f32464..18a2ca4 100644
if (!sshd_selinux_enabled()) if (!sshd_selinux_enabled())
return; return;
@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void) @@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
} }
} }
@ -30,46 +30,60 @@ index 8f32464..18a2ca4 100644
+ char line[1024], *preauth_context = NULL, *cp, *arg; + char line[1024], *preauth_context = NULL, *cp, *arg;
+ const char *contexts_path; + const char *contexts_path;
+ FILE *contexts_file; + FILE *contexts_file;
+ struct stat sb;
+ +
+ contexts_path = selinux_openssh_contexts_path(); + contexts_path = selinux_openssh_contexts_path();
+ if (contexts_path != NULL) { + if (contexts_path == NULL) {
+ if ((contexts_file = fopen(contexts_path, "r")) != NULL) { + debug3("%s: Failed to get the path to SELinux context", __func__);
+ struct stat sb; + return;
+
+ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
+ while (fgets(line, sizeof(line), contexts_file)) {
+ /* Strip trailing whitespace */
+ for (len = strlen(line) - 1; len > 0; len--) {
+ if (strchr(" \t\r\n", line[len]) == NULL)
+ break;
+ line[len] = '\0';
+ }
+
+ if (line[0] == '\0')
+ continue;
+
+ cp = line;
+ arg = strdelim(&cp);
+ if (arg && *arg == '\0')
+ arg = strdelim(&cp);
+
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__);
+ fclose(contexts_file);
+ return;
+ }
+ preauth_context = xstrdup(arg);
+ }
+ }
+ }
+ fclose(contexts_file);
+ }
+ } + }
+ +
+ if (preauth_context == NULL) + if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+ preauth_context = xstrdup("sshd_net_t"); + debug("%s: Failed to open SELinux context file", __func__);
+ return;
+ }
+
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+ logit("%s: SELinux context file needs to be owned by root"
+ " and not writable by anyone else", __func__);
+ fclose(contexts_file);
+ return;
+ }
+
+ while (fgets(line, sizeof(line), contexts_file)) {
+ /* Strip trailing whitespace */
+ for (len = strlen(line) - 1; len > 0; len--) {
+ if (strchr(" \t\r\n", line[len]) == NULL)
+ break;
+ line[len] = '\0';
+ }
+
+ if (line[0] == '\0')
+ continue;
+
+ cp = line;
+ arg = strdelim(&cp);
+ if (arg && *arg == '\0')
+ arg = strdelim(&cp);
+
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__);
+ fclose(contexts_file);
+ return;
+ }
+ preauth_context = xstrdup(arg);
+ }
+ }
+ fclose(contexts_file);
+
+ if (preauth_context == NULL) {
+ debug("%s: Unable to find 'privsep_preauth' option in"
+ " SELinux context file", __func__);
+ return;
+ }
+ +
+ ssh_selinux_change_context(preauth_context); + ssh_selinux_change_context(preauth_context);
+ free(preauth_context); + free(preauth_context);