From 5296a797aa03e6c6b4938695205b32880472416f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Tue, 14 Oct 2014 13:10:45 +0200
Subject: [PATCH] privsep_preauth: use SELinux context from selinux-policy (#1008580)

---
 openssh-6.6.1p1-selinux-contexts.patch | 118 +++++++++++++++++++++++++
 openssh.spec | 7 +-
 2 files changed, 123 insertions(+), 2 deletions(-)
 create mode 100644 openssh-6.6.1p1-selinux-contexts.patch

diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch
new file mode 100644
index 0000000..a831a15
--- /dev/null
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@@ -0,0 +1,118 @@
+diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+index 0077dd7..e3f2ced 100644
+--- a/openbsd-compat/port-linux-sshd.c
++++ b/openbsd-compat/port-linux-sshd.c
+@@ -31,6 +31,7 @@
+ #include "xmalloc.h"
+ #include "servconf.h"
+ #include "port-linux.h"
++#include "misc.h"
+ #include "key.h"
+ #include "hostfile.h"
+ #include "auth.h"
+@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+ void
+ sshd_selinux_copy_context(void)
+ {
+- security_context_t *ctx;
++ char *ctx;
+ 
+ if (!sshd_selinux_enabled())
+ return;
+@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void)
+ }
+ }
+ 
++void
++sshd_selinux_change_privsep_preauth_context(void)
++{
++ int len;
++ char line[1024], *preauth_context = NULL, *cp, *arg;
++ const char *contexts_path;
++ FILE *contexts_file;
++ 
++ contexts_path = selinux_openssh_contexts_path();
++ if (contexts_path != NULL) {
++ if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
++ struct stat sb;
++ 
++ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
++ while (fgets(line, sizeof(line), contexts_file)) {
++ /* Strip trailing whitespace */
++ for (len = strlen(line) - 1; len > 0; len--) {
++ if (strchr(" \t\r\n", line[len]) == NULL)
++ break;
++ line[len] = '\0';
++ }
++ 
++ if (line[0] == '\0')
++ continue;
++ 
++ cp = line;
++ arg = strdelim(&cp);
++ if (*arg == '\0')
++ arg = strdelim(&cp);
++ 
++ if (strcmp(arg, "privsep_preauth") == 0) {
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0') {
++ debug("%s: privsep_preauth is empty", __func__);
++ fclose(contexts_file);
++ return;
++ }
++ preauth_context = xstrdup(arg);
++ }
++ }
++ }
++ fclose(contexts_file);
++ }
++ }
++ 
++ if (preauth_context == NULL)
++ preauth_context = xstrdup("sshd_net_t");
++ 
++ ssh_selinux_change_context(preauth_context);
++ free(preauth_context);
++}
++ 
+ #endif
+ #endif
+ 
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 22ea8ef..1fc963d 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
+ strlcpy(newctx + len, newname, newlen - len);
+ if ((cx = index(cx + 1, ':')))
+ strlcat(newctx, cx, newlen);
+- debug3("%s: setting context from '%s' to '%s'", __func__,
++ debug("%s: setting context from '%s' to '%s'", __func__,
+ oldctx, newctx);
+ if (setcon(newctx) < 0)
+ switchlog("%s: setcon %s from %s failed with %s", __func__,
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index cb51f99..8b7cda2 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
+ void sshd_selinux_copy_context(void);
+ void sshd_selinux_setup_exec_context(char *);
+ int sshd_selinux_setup_env_variables(void);
++void sshd_selinux_change_privsep_preauth_context(void);
+ #endif
+ 
+ #ifdef LINUX_OOM_ADJUST
+diff --git a/sshd.c b/sshd.c
+index 512c7ed..3eee75a 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -637,7 +637,7 @@ privsep_preauth_child(void)
+ demote_sensitive_data();
+ 
+ #ifdef WITH_SELINUX
+- ssh_selinux_change_context("sshd_net_t");
++ sshd_selinux_change_privsep_preauth_context();
+ #endif
+ 
+ /* Change our root directory */
diff --git a/openssh.spec b/openssh.spec
index 0150a51..fa82eb0 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -207,6 +207,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch
 # Ignore SIGXFSZ in postauth monitor
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2263
 Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
+# privsep_preauth: use SELinux context from selinux-policy (#1008580)
+Patch916: openssh-6.6.1p1-selinux-contexts.patch
 License: BSD
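Review bot: In `sshd_selinux_change_privsep_preauth_context`, the `privsep_preauth is empty` branch closes the file and returns before `ssh_selinux_change_context()` runs, so a contexts file carrying a `privsep_preauth` keyword with no value leaves the pre-auth child in the parent's SELinux context instead of the `sshd_net_t` default that every other failure path (no path, unreadable file, bad owner/mode) falls through to — and `privsep_preauth_child()` in sshd.c unconditionally transitioned before this change. Replacing `fclose(contexts_file); return;` with `break;` keeps the default transition on malformed input. A repeated `privsep_preauth` line also leaks the earlier `xstrdup` result; `free(preauth_context);` immediately before `preauth_context = xstrdup(arg);` covers that. When the `fstat` owner/mode check fails nothing is logged, so an operator cannot see why the policy-supplied context was ignored; an `else` branch with `debug("%s: %s not owned by root or group/world writable, using default context", __func__, contexts_path);` would make the fallback observable.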
@@ -246,8 +248,8 @@ BuildRequires: libedit-devel ncurses-devel
 %endif
 %if %{WITH_SELINUX}
-Requires: libselinux >= 1.27.7
-BuildRequires: libselinux-devel >= 1.27.7
+Requires: libselinux >= 2.3-5
+BuildRequires: libselinux-devel >= 2.3-5
 Requires: audit-libs >= 1.0.8
 BuildRequires: audit-libs >= 1.0.8
 %endif
@@ -417,6 +419,7 @@ popd
 %patch913 -p1 -b .partial-success
 %patch914 -p1 -b .servconf
 %patch915 -p1 -b .SIGXFSZ
+%patch916 -p1 -b .contexts
 %patch200 -p1 -b .audit
 %patch700 -p1 -b .fips