From 3339efd12d92457b797dd7c1e351a6246c9f5128 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 11 Mar 2019 13:35:55 +0100
Subject: [PATCH] Do not fallback to sshd_net_t SELinux context

---
 openssh-6.6.1p1-selinux-contexts.patch | 88 +++++++++++++++-----------
 1 file changed, 51 insertions(+), 37 deletions(-)

diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch
index f26f343..3a7193e 100644
--- a/openssh-6.6.1p1-selinux-contexts.patch
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@@ -19,7 +19,7 @@ index 8f32464..18a2ca4 100644
  if (!sshd_selinux_enabled())
  return;
-@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)
+@@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
  }
  }
@@ -30,46 +30,60 @@ index 8f32464..18a2ca4 100644
 + char line[1024], *preauth_context = NULL, *cp, *arg;
 + const char *contexts_path;
 + FILE *contexts_file;
++ struct stat sb;
 +
 + contexts_path = selinux_openssh_contexts_path();
-+ if (contexts_path != NULL) {
-+ if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
-+ struct stat sb;
-+
-+ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
-+ while (fgets(line, sizeof(line), contexts_file)) {
-+ /* Strip trailing whitespace */
-+ for (len = strlen(line) - 1; len > 0; len--) {
-+ if (strchr(" \t\r\n", line[len]) == NULL)
-+ break;
-+ line[len] = '\0';
-+ }
-+
-+ if (line[0] == '\0')
-+ continue;
-+
-+ cp = line;
-+ arg = strdelim(&cp);
-+ if (arg && *arg == '\0')
-+ arg = strdelim(&cp);
-+
-+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
-+ arg = strdelim(&cp);
-+ if (!arg || *arg == '\0') {
-+ debug("%s: privsep_preauth is empty", __func__);
-+ fclose(contexts_file);
-+ return;
-+ }
-+ preauth_context = xstrdup(arg);
-+ }
-+ }
-+ }
-+ fclose(contexts_file);
-+ }
++ if (contexts_path == NULL) {
++ debug3("%s: Failed to get the path to SELinux context", __func__);
++ return;
 + }
 +
-+ if (preauth_context == NULL)
-+ preauth_context = xstrdup("sshd_net_t");
++ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
++ debug("%s: Failed to open SELinux context file", __func__);
++ return;
++ }
++
++ if (fstat(fileno(contexts_file), &sb) != 0 ||
++ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
++ logit("%s: SELinux context file needs to be owned by root"
++ " and not writable by anyone else", __func__);
++ fclose(contexts_file);
++ return;
++ }
++
++ while (fgets(line, sizeof(line), contexts_file)) {
++ /* Strip trailing whitespace */
++ for (len = strlen(line) - 1; len > 0; len--) {
++ if (strchr(" \t\r\n", line[len]) == NULL)
++ break;
++ line[len] = '\0';
++ }
++
++ if (line[0] == '\0')
++ continue;
++
++ cp = line;
++ arg = strdelim(&cp);
++ if (arg && *arg == '\0')
++ arg = strdelim(&cp);
++
++ if (arg && strcmp(arg, "privsep_preauth") == 0) {
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0') {
++ debug("%s: privsep_preauth is empty", __func__);
++ fclose(contexts_file);
++ return;
++ }
++ preauth_context = xstrdup(arg);
++ }
++ }
++ fclose(contexts_file);
++
++ if (preauth_context == NULL) {
++ debug("%s: Unable to find 'privsep_preauth' option in"
++ " SELinux context file", __func__);
++ return;
++ }
 +
 + ssh_selinux_change_context(preauth_context);
 + free(preauth_context);
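Review bot: The new fstat() guard checks ownership and write bits on the opened descriptor (good: it avoids a path-based TOCTOU), but it never checks the file type, so a root-owned FIFO or device node at the contexts path would pass the check and the following fgets() loop could block or read unbounded data inside the privsep child; extending the condition to `if (fstat(fileno(contexts_file), &sb) != 0 || !S_ISREG(sb.st_mode) ||` / `sb.st_uid != 0 || (sb.st_mode & 022) != 0) {` closes that. A second, smaller issue: when `privsep_preauth` appears more than once, `preauth_context = xstrdup(arg);` overwrites the previous allocation without freeing it, so a `free(preauth_context);` just before the xstrdup would keep the last-wins semantics leak-free. The strip loop reuses `len`, whose declaration and type sit outside this hunk; if it is unsigned, a zero-length line (only reachable via an embedded NUL) would underflow `strlen(line) - 1` and index past the buffer — worth confirming in the surrounding code. The enclosing function begins before this hunk.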