- experimental NSS keys support

- correctly set up context when empty level requested (#234951)
This commit is contained in:
Tomáš Mráz 2007-06-20 17:47:18 +00:00
parent 7210c0162a
commit c3274ccb32
3 changed files with 1439 additions and 7 deletions


@ -49,15 +49,15 @@
+ } + }
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { + if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ error("Error translating default context."); + error("Error translating default context.");
+ goto out; + default_raw = NULL;
+ } + }
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { + if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+ error("Error translating selected context."); + error("Error translating selected context.");
+ goto out; + selected_raw = NULL;
+ } + }
+ if (asprintf(&msg, "sshd: default-context=%s selected-context=%s", + if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
+ default_context ? default_raw : "?", + default_raw ? default_raw : (default_context ? default_context: "?"),
+ selected_context ? selected_raw : "?") < 0) { + selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
+ error("Error allocating memory."); + error("Error allocating memory.");
+ goto out; + goto out;
+ } + }
@ -95,7 +95,7 @@
+get_user_context(const char *sename, const char *role, const char *lvl, +get_user_context(const char *sename, const char *role, const char *lvl,
+ security_context_t *sc) { + security_context_t *sc) {
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL +#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ if (get_default_context_with_level(sename, lvl, NULL, sc) != 0) { + if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
+ /* User may have requested a level completely outside of his + /* User may have requested a level completely outside of his
+ allowed range. We get a context just for auditing as the + allowed range. We get a context just for auditing as the
+ range check below will certainly fail for default context. */ + range check below will certainly fail for default context. */
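Review bot: The selected-context argument of the asprintf call in the first hunk still passes a NULL pointer when selinux_trans_to_raw_context() fails, because its outer condition tests `selected_context` rather than `selected_raw`; now that the failure path sets `selected_raw = NULL` instead of jumping to `out`, `%s` receives NULL, which is undefined behavior (glibc happens to print "(null)", so the audit message is merely wrong rather than a crash, but that should not be relied on). The inner `selected_context ? selected_context : "?"` is also unreachable, since the outer test has already established that selected_context is NULL. The default-context argument on the line above has the intended shape, and the selected line should mirror it: `selected_raw ? selected_raw : (selected_context ? selected_context : "?")`. In the second hunk, an absent or empty level is now routed through the branch whose comment speaks of a level "completely outside of his allowed range", which no longer describes that case; a one-line addition such as `/* also reached when no level was requested: fall back to the default context */` would keep the comment honest, though get_user_context's body continues past the hunk.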

1416
openssh-4.5p1-nss-keys.patch Normal file



@ -28,6 +28,9 @@
# Do we want kerberos5 support (1=yes 0=no) # Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1 %define kerberos5 1
# Do we want NSS tokens support
%define nss 1
# Whether or not /sbin/nologin exists. # Whether or not /sbin/nologin exists.
%define nologin 1 %define nologin 1
@ -61,7 +64,7 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 4.5p1 Version: 4.5p1
Release: 6%{?dist}%{?rescue_rel} Release: 7%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@ -90,6 +93,7 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch
Patch48: openssh-4.3p2-pam-session.patch Patch48: openssh-4.3p2-pam-session.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch50: openssh-4.5p1-mls.patch Patch50: openssh-4.5p1-mls.patch
Patch51: openssh-4.5p1-nss-keys.patch
License: BSD License: BSD
Group: Applications/Internet Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -115,7 +119,7 @@ BuildRequires: autoconf, automake, openssl-devel, perl, zlib-devel
BuildRequires: audit-libs-devel BuildRequires: audit-libs-devel
BuildRequires: util-linux, groff, man BuildRequires: util-linux, groff, man
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: tcp_wrappers-devel #BuildRequires: tcp_wrappers-devel
%if %{kerberos5} %if %{kerberos5}
BuildRequires: krb5-devel BuildRequires: krb5-devel
@ -217,6 +221,7 @@ an X11 passphrase dialog for OpenSSH.
%patch48 -p1 -b .pam-sesssion %patch48 -p1 -b .pam-sesssion
%patch49 -p1 -b .canohost %patch49 -p1 -b .canohost
%patch50 -p1 -b .mls %patch50 -p1 -b .mls
%patch51 -p1 -b .nss-keys
autoreconf autoreconf
@ -259,6 +264,9 @@ fi
--enable-vendor-patchlevel="FC-%{version}-%{release}" \ --enable-vendor-patchlevel="FC-%{version}-%{release}" \
--disable-strip \ --disable-strip \
--without-zlib-version-check \ --without-zlib-version-check \
%if %{nss}
--with-nss \
%endif
%if %{scard} %if %{scard}
--with-smartcard \ --with-smartcard \
%endif %endif
@ -342,6 +350,10 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
rm -f README.nss.nss-keys
%if ! %{nss}
rm -f README.nss
%endif
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -460,6 +472,10 @@ fi
%endif %endif
%changelog %changelog
* Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7
- experimental NSS keys support
- correctly setup context when empty level requested (#234951)
* Tue Mar 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-6 * Tue Mar 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-6
- mls level check must be done with default role same as requested - mls level check must be done with default role same as requested
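Review bot: The `BuildRequires: tcp_wrappers-devel` line is commented out in the @ -115,7 +119,7 @@ hunk without any mention in the new changelog entry, which lists only the NSS keys support and the empty-level fix, so this looks unintentional. If the configure invocation elsewhere in the spec still requests tcp_wrappers support (not visible here), the package will either fail to build or, depending on how the configure script handles a missing libwrap, silently produce an sshd without hosts.allow/hosts.deny enforcement, which is a behavior change administrators rely on. Either restore the line, or if dropping libwrap is intended, add a changelog entry and remove the corresponding configure option so the result is explicit. The changelog hunk at the end of this section continues past what is shown.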