Review SELinux user context handling after authentication (#1269072)
The previous required to have for all SELInux user contexts with setexec capability. Otherwise user would not be able to change password if it is expired. This patch sets correct context and cleans up the exec context. When doing chroot, copy_selinux_context is called twice
This commit is contained in:
parent
8395bb78d0
commit
22a08c3da4
@ -2,7 +2,7 @@ diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
index c18524e..d04f4ed 100644
|
||||
--- a/openbsd-compat/port-linux-sshd.c
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -409,6 +409,25 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
@@ -409,6 +409,28 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
|
||||
@ -19,8 +19,11 @@ index c18524e..d04f4ed 100644
|
||||
+ return;
|
||||
+ }
|
||||
+ if (ctx != NULL) {
|
||||
+ /* unset exec context before we will lose this capabililty */
|
||||
+ if (setexeccon(NULL) != 0)
|
||||
+ fatal("%s: setexeccon failed with %s", __func__, strerror (errno));
|
||||
+ if (setcon(ctx) != 0)
|
||||
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
|
||||
+ fatal("%s: setcon failed with %s", __func__, strerror (errno));
|
||||
+ freecon(ctx);
|
||||
+ }
|
||||
+}
|
||||
@ -44,6 +47,15 @@ diff --git a/session.c b/session.c
|
||||
index 2bcf818..b5dc144 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1532,7 +1532,7 @@ void
|
||||
do_setusercontext(struct passwd *pw)
|
||||
{
|
||||
char *chroot_path, *tmp;
|
||||
-#ifdef USE_LIBIAF
|
||||
+#if defined(USE_LIBIAF) || defined(WITH_SELINUX)
|
||||
int doing_chroot = 0;
|
||||
#endif
|
||||
|
||||
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
@ -54,19 +66,37 @@ index 2bcf818..b5dc144 100644
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1565,6 +1568,12 @@ do_setusercontext(struct passwd *pw)
|
||||
@@ -1557,7 +1557,7 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Make sure we don't attempt to chroot again */
|
||||
free(options.chroot_directory);
|
||||
options.chroot_directory = NULL;
|
||||
-#ifdef USE_LIBIAF
|
||||
+#if defined(USE_LIBIAF) || defined(WITH_SELINUX)
|
||||
doing_chroot = 1;
|
||||
#endif
|
||||
}
|
||||
@@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (options.chroot_directory == NULL ||
|
||||
+ strcasecmp(options.chroot_directory, "none") == 0)
|
||||
+ if (doing_chroot == 0)
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
} else if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
fatal("server lacks privileges to chroot to ChrootDirectory");
|
||||
@@ -1588,9 +1588,6 @@ do_pwchange(Session *s)
|
||||
if (s->ttyfd != -1) {
|
||||
fprintf(stderr,
|
||||
"You must change your password now and login again!\n");
|
||||
-#ifdef WITH_SELINUX
|
||||
- setexeccon(NULL);
|
||||
-#endif
|
||||
#ifdef PASSWD_NEEDS_USERNAME
|
||||
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
|
||||
(char *)NULL);
|
||||
@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command)
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
|
Loading…
Reference in New Issue
Block a user