rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

Fix obsolete usage of SELinux constants (#1261496)

Browse Source
This commit is contained in:
Jakub Jelen 2015-09-18 15:31:51 +02:00
parent bf69b47630
commit a01bd486f0
2 changed files with 49 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
openssh-6.6.1p1-selinux-contexts.patch
View File

@ -116,3 +116,38 @@ index 2871fe9..39b9c08 100644
#endif #endif
/* Change our root directory */ /* Change our root directory */
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 12c014e..c5ef2ff 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -35,7 +35,6 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
-#include <selinux/flask.h>
#include <selinux/get_context_list.h>
#ifndef SSH_SELINUX_UNCONFINED_TYPE
@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
security_context_t new_tty_ctx = NULL;
security_context_t user_ctx = NULL;
security_context_t old_tty_ctx = NULL;
+ security_class_t class;
if (!ssh_selinux_enabled())
return;
@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
goto out;
}
+ class = string_to_security_class("chr_file");
+ if (!class) {
+ error("string_to_security_class failed to translate security class context");
+ goto out;
+ }
if (security_compute_relabel(user_ctx, old_tty_ctx,
- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+ class, &new_tty_ctx) != 0) {
error("%s: security_compute_relabel: %s",
__func__, strerror(errno));
goto out;

19
openssh-6.6p1-role-mls.patch
View File

@ -378,7 +378,7 @@ diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100 --- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100 +++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100
@@ -0,0 +1,415 @@ @@ -0,0 +1,424 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -419,11 +419,9 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
+ +
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h> +#include <selinux/context.h>
+#include <selinux/get_context_list.h> +#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h> +#include <selinux/get_default_type.h>
+#include <selinux/av_permissions.h>
+ +
+#ifdef HAVE_LINUX_AUDIT +#ifdef HAVE_LINUX_AUDIT
+#include <libaudit.h> +#include <libaudit.h>
@ -488,10 +486,21 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
+{ +{
+ struct av_decision avd; + struct av_decision avd;
+ int retval; + int retval;
+ unsigned int bit = CONTEXT__CONTAINS; + access_vector_t bit;
+ security_class_t class;
+ +
+ debug("%s: src:%s dst:%s", __func__, src, dst); + debug("%s: src:%s dst:%s", __func__, src, dst);
+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd); + class = string_to_security_class("context");
+ if (!class) {
+ error("string_to_security_class failed to translate security class context");
+ return 1;
+ }
+ bit = string_to_av_perm(class, "contains");
+ if (!bit) {
+ error("string_to_av_perm failed to translate av perm contains");
+ return 1;
+ }
+ retval = security_compute_av(src, dst, class, bit, &avd);
+ if (retval || ((bit & avd.allowed) != bit)) + if (retval || ((bit & avd.allowed) != bit))
+ return 0; + return 0;
+ +