create '~/.ssh/known_hosts' within proper context

This commit is contained in:
Jan F. Chadima 2009-06-30 10:26:13 +00:00
parent f4b0b4b772
commit ca05b36451
2 changed files with 60 additions and 1 deletions


@ -0,0 +1,53 @@
diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-copy-id
--- openssh-5.2p1/contrib/ssh-copy-id.selabel 2009-06-29 23:43:03.514390092 +0200
+++ openssh-5.2p1/contrib/ssh-copy-id 2009-06-29 23:44:11.188382120 +0200
@@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] ||
exit 1
fi
-{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
+{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys" || exit 1
cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:
diff -up openssh-5.2p1/Makefile.in.selabel openssh-5.2p1/Makefile.in
--- openssh-5.2p1/Makefile.in.selabel 2009-06-29 23:38:34.224128017 +0200
+++ openssh-5.2p1/Makefile.in 2009-06-29 23:38:34.332123333 +0200
@@ -134,7 +134,7 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lselinux $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS)
diff -up openssh-5.2p1/ssh.c.selabel openssh-5.2p1/ssh.c
--- openssh-5.2p1/ssh.c.selabel 2009-06-29 23:38:34.314132116 +0200
+++ openssh-5.2p1/ssh.c 2009-06-29 23:38:34.335927287 +0200
@@ -74,6 +74,7 @@
#include <openssl/err.h>
#include <openssl/fips.h>
#include <fipscheck.h>
+#include <selinux/selinux.h>
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -790,10 +791,15 @@ main(int ac, char **av)
*/
snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
- if (stat(buf, &st) < 0)
+ if (stat(buf, &st) < 0) {
+ char *scon;
+
+ matchpathcon(buf, 0700, &scon);
+ setfscreatecon(scon);
if (mkdir(buf, 0700) < 0)
error("Could not create directory '%.200s'.", buf);
-
+ setfscreatecon(NULL);
+ }
/* load options.identity_files */
load_public_identity_files();
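Review bot: The return value of matchpathcon() in the ssh.c hunk is never checked, so when the lookup fails (SELinux disabled, or no file_contexts entry for the path) `scon` is left uninitialized and an indeterminate pointer is handed to setfscreatecon(); the context is also never released with freecon(). The mode argument of matchpathcon() selects by file type, and 0700 carries no S_IFMT bits, so S_IFDIR is probably the intended value. Guarding the whole block with is_selinux_enabled() keeps the non-SELinux path identical to the old code; the rewritten lines are below, and main() continues outside the hunk. In the ssh-copy-id hunk the remote command now ends with `test -x /sbin/restorecon && ...`, so on a host without restorecon the remote shell exits non-zero and the trailing `|| exit 1` reports failure even though the key was already appended; `if test -x /sbin/restorecon; then /sbin/restorecon .ssh .ssh/authorized_keys; fi` keeps the status at zero in that case.
```c
	if (stat(buf, &st) < 0) {
		char *scon = NULL;

		/* Only request a creation context when SELinux is active and a
		 * label for the directory exists; otherwise mkdir behaves as before. */
		if (is_selinux_enabled() > 0 &&
		    matchpathcon(buf, S_IFDIR, &scon) == 0)
			setfscreatecon(scon);
		if (mkdir(buf, 0700) < 0)
			error("Could not create directory '%.200s'.", buf);
		setfscreatecon(NULL);
		if (scon != NULL)
			freecon(scon);
	}
	/* … unchanged: load options.identity_files … */
```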


@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 5.2p1 Version: 5.2p1
Release: 11%{?dist}%{?rescue_rel} Release: 12%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -100,6 +100,7 @@ Patch65: openssh-5.2p1-fips.patch
Patch66: openssh-5.2p1-homechroot.patch Patch66: openssh-5.2p1-homechroot.patch
Patch67: openssh-5.2p1-xmodifiers.patch Patch67: openssh-5.2p1-xmodifiers.patch
Patch68: openssh-5.2p1-pathmax.patch Patch68: openssh-5.2p1-pathmax.patch
Patch69: openssh-5.2p1-selabel.patch
License: BSD License: BSD
Group: Applications/Internet Group: Applications/Internet
@ -234,6 +235,7 @@ an X11 passphrase dialog for OpenSSH.
%patch66 -p1 -b .homechroot %patch66 -p1 -b .homechroot
%patch67 -p1 -b .xmodifiers %patch67 -p1 -b .xmodifiers
%patch68 -p1 -b .pathmax %patch68 -p1 -b .pathmax
%patch69 -p1 -b .selabel
autoreconf autoreconf
@ -468,8 +470,12 @@ fi
%endif %endif
%changelog %changelog
* Tue Jun 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-11
- create '~/.ssh/known_hosts' within proper context
* Mon Jun 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-11 * Mon Jun 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-11
- length of home path in ssh now limited by PATH_MAX - length of home path in ssh now limited by PATH_MAX
- correct timezone with daylight processing
* Sat Jun 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-10 * Sat Jun 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-10
- final version chroot %%h (sftp only) - final version chroot %%h (sftp only)
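Review bot: The new changelog entry on the `* Tue Jun 30 2009` line carries `5.2p1-11`, but Release is bumped to 12 in the same commit, so the topmost entry no longer matches the package version (rpmlint reports this as incoherent-version-in-changelog); it should read `* Tue Jun 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-12`. The `- correct timezone with daylight processing` line is appended to the older 5.2p1-11 entry rather than the new one, which is only right if that change actually shipped in -11. Patch69 links ssh against -lselinux, which presumably needs libselinux-devel in BuildRequires — not visible in this hunk, so worth confirming it is already declared for sshd.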