- mls level check must be done with default role same as requested
This commit is contained in:
Tomáš Mráz
parent
b40baab181
commit
7210c0162a
@ -1,5 +1,5 @@
|
|||||||
--- openssh-4.5p1/openbsd-compat/port-linux.c.mls 2007-01-16 22:13:32.000000000 +0100
|
--- openssh-4.5p1/openbsd-compat/port-linux.c.mls 2007-01-16 22:13:32.000000000 +0100
|
||||||
+++ openssh-4.5p1/openbsd-compat/port-linux.c 2007-03-01 09:04:17.000000000 +0100
|
+++ openssh-4.5p1/openbsd-compat/port-linux.c 2007-03-20 10:07:39.000000000 +0100
|
||||||
@@ -33,12 +33,23 @@
|
@@ -33,12 +33,23 @@
|
||||||
#include "key.h"
|
#include "key.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
@ -24,7 +24,7 @@
|
|||||||
|
|
||||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||||
static int
|
static int
|
||||||
@@ -54,17 +65,172 @@
|
@@ -54,17 +65,173 @@
|
||||||
return (enabled);
|
return (enabled);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -83,6 +83,7 @@
|
|||||||
+ int retval;
|
+ int retval;
|
||||||
+ unsigned int bit = CONTEXT__CONTAINS;
|
+ unsigned int bit = CONTEXT__CONTAINS;
|
||||||
+
|
+
|
||||||
|
+ debug("%s: src:%s dst:%s", __func__, src, dst);
|
||||||
+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
|
+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
|
||||||
+ if (retval || ((bit & avd.allowed) != bit))
|
+ if (retval || ((bit & avd.allowed) != bit))
|
||||||
+ return 0;
|
+ return 0;
|
||||||
@ -203,7 +204,7 @@
|
|||||||
#ifdef HAVE_GETSEUSERBYNAME
|
#ifdef HAVE_GETSEUSERBYNAME
|
||||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||||
sename = NULL;
|
sename = NULL;
|
||||||
@@ -72,37 +238,56 @@
|
@@ -72,37 +239,63 @@
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
sename = pwname;
|
sename = pwname;
|
||||||
@ -262,13 +263,20 @@
|
|||||||
+ r = get_user_context(sename, role, reqlvl, user_sc);
|
+ r = get_user_context(sename, role, reqlvl, user_sc);
|
||||||
+
|
+
|
||||||
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
|
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
|
||||||
|
+ security_context_t default_level_sc = *default_sc;
|
||||||
|
+ if (role != NULL && role[0]) {
|
||||||
|
+ if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
|
||||||
|
+ default_level_sc = *default_sc;
|
||||||
|
+ }
|
||||||
+ /* verify that the requested range is contained in the user range */
|
+ /* verify that the requested range is contained in the user range */
|
||||||
+ if (mls_range_allowed(*default_sc, *user_sc)) {
|
+ if (mls_range_allowed(default_level_sc, *user_sc)) {
|
||||||
+ logit("permit MLS level %s (user range %s)", reqlvl, lvl);
|
+ logit("permit MLS level %s (user range %s)", reqlvl, lvl);
|
||||||
+ } else {
|
+ } else {
|
||||||
+ r = -1;
|
+ r = -1;
|
||||||
+ error("deny MLS level %s (user range %s)", reqlvl, lvl);
|
+ error("deny MLS level %s (user range %s)", reqlvl, lvl);
|
||||||
+ }
|
+ }
|
||||||
|
+ if (default_level_sc != *default_sc)
|
||||||
|
+ freecon(default_level_sc);
|
||||||
+ }
|
+ }
|
||||||
+ } else {
|
+ } else {
|
||||||
+ *user_sc = *default_sc;
|
+ *user_sc = *default_sc;
|
||||||
@ -281,7 +289,7 @@
|
|||||||
|
|
||||||
#ifdef HAVE_GETSEUSERBYNAME
|
#ifdef HAVE_GETSEUSERBYNAME
|
||||||
if (sename != NULL)
|
if (sename != NULL)
|
||||||
@@ -110,14 +295,20 @@
|
@@ -110,14 +303,20 @@
|
||||||
if (lvl != NULL)
|
if (lvl != NULL)
|
||||||
xfree(lvl);
|
xfree(lvl);
|
||||||
#endif
|
#endif
|
||||||
@ -303,7 +311,7 @@
|
|||||||
security_context_t user_ctx = NULL;
|
security_context_t user_ctx = NULL;
|
||||||
|
|
||||||
if (!ssh_selinux_enabled())
|
if (!ssh_selinux_enabled())
|
||||||
@@ -125,21 +316,39 @@
|
@@ -125,21 +324,39 @@
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3("%s: setting execution context", __func__);
|
||||||
|
|
||||||
@ -350,7 +358,7 @@
|
|||||||
|
|
||||||
debug3("%s: done", __func__);
|
debug3("%s: done", __func__);
|
||||||
}
|
}
|
||||||
@@ -157,7 +366,10 @@
|
@@ -157,7 +374,10 @@
|
||||||
|
|
||||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||||
|
|
||||||
|
|||||||
@ -61,7 +61,7 @@
|
|||||||
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
|
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: 4.5p1
|
Version: 4.5p1
|
||||||
Release: 5%{?dist}%{?rescue_rel}
|
Release: 6%{?dist}%{?rescue_rel}
|
||||||
URL: http://www.openssh.com/portable.html
|
URL: http://www.openssh.com/portable.html
|
||||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
|
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
|
||||||
@ -460,6 +460,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-6
|
||||||
|
- mls level check must be done with default role same as requested
|
||||||
|
|
||||||
* Mon Mar 19 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-5
|
* Mon Mar 19 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-5
|
||||||
- make profile.d/gnome-ssh-askpass.* regular files (#226218)
|
- make profile.d/gnome-ssh-askpass.* regular files (#226218)
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user