Fix obsolete usage of SELinux constants (#1261496)
parent
bf69b47630
commit
a01bd486f0
@ -116,3 +116,38 @@ index 2871fe9..39b9c08 100644
|
||||
#endif
|
||||
|
||||
/* Change our root directory */
|
||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 12c014e..c5ef2ff 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -35,7 +35,6 @@
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
-#include <selinux/flask.h>
|
||||
#include <selinux/get_context_list.h>
|
||||
|
||||
#ifndef SSH_SELINUX_UNCONFINED_TYPE
|
||||
@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
security_context_t new_tty_ctx = NULL;
|
||||
security_context_t user_ctx = NULL;
|
||||
security_context_t old_tty_ctx = NULL;
|
||||
+ security_class_t class;
|
||||
|
||||
if (!ssh_selinux_enabled())
|
||||
return;
|
||||
@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ class = string_to_security_class("chr_file");
|
||||
+ if (!class) {
|
||||
+ error("string_to_security_class failed to translate security class context");
|
||||
+ goto out;
|
||||
+ }
|
||||
if (security_compute_relabel(user_ctx, old_tty_ctx,
|
||||
- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
|
||||
+ class, &new_tty_ctx) != 0) {
|
||||
error("%s: security_compute_relabel: %s",
|
||||
__func__, strerror(errno));
|
||||
goto out;
|
||||
|
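Review bot: The new error message in ssh_selinux_setup_pty says the failed lookup was for "security class context", but the string passed to string_to_security_class() on the line above it is "chr_file", so anyone triaging a mislabelled pty from the logs is pointed at the wrong class. The message also lacks the `%s:` / `__func__` prefix that the neighbouring security_compute_relabel error uses. I would change it to `error("%s: string_to_security_class(\"chr_file\") failed", __func__);`. The `out:` label and the rest of the function are outside the hunk, so the state the tty label is left in on this path cannot be confirmed from here.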
@ -378,7 +378,7 @@ diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd
|
||||
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100
|
||||
@@ -0,0 +1,415 @@
|
||||
@@ -0,0 +1,424 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
@ -419,11 +419,9 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/flask.h>
|
||||
+#include <selinux/context.h>
|
||||
+#include <selinux/get_context_list.h>
|
||||
+#include <selinux/get_default_type.h>
|
||||
+#include <selinux/av_permissions.h>
|
||||
+
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+#include <libaudit.h>
|
||||
@ -488,10 +486,21 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
|
||||
+{
|
||||
+ struct av_decision avd;
|
||||
+ int retval;
|
||||
+ unsigned int bit = CONTEXT__CONTAINS;
|
||||
+ access_vector_t bit;
|
||||
+ security_class_t class;
|
||||
+
|
||||
+ debug("%s: src:%s dst:%s", __func__, src, dst);
|
||||
+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
|
||||
+ class = string_to_security_class("context");
|
||||
+ if (!class) {
|
||||
+ error("string_to_security_class failed to translate security class context");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ bit = string_to_av_perm(class, "contains");
|
||||
+ if (!bit) {
|
||||
+ error("string_to_av_perm failed to translate av perm contains");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ retval = security_compute_av(src, dst, class, bit, &avd);
|
||||
+ if (retval || ((bit & avd.allowed) != bit))
|
||||
+ return 0;
|
||||
+
|
||||
|
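Review bot: Both new failure branches `return 1`, while the denial path at the end of the hunk (`if (retval || ((bit & avd.allowed) != bit)) return 0;`) returns 0. A failed string_to_security_class("context") or string_to_av_perm(class, "contains") lookup therefore appears to report the check as passed. For an access decision the safer default is to deny when the class or permission cannot be resolved, i.e. `return 0;` in both branches. The function's name, its final return and its callers are outside the hunk, so the meaning of 1 is inferred from the visible `return 0` on denial and should be confirmed. A short comment above the lookups stating which return value means "allowed" would make the intent reviewable.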