|
 |
afd52c4 |
diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.c
|
|
|
afd52c4 |
--- openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux 2012-10-12 13:35:03.715980297 +0200
|
|
|
afd52c4 |
+++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-10-12 13:35:03.719980279 +0200
|
|
|
afd52c4 |
@@ -505,6 +505,23 @@ ssh_selinux_change_context(const char *n
|
|
|
afd52c4 |
xfree(newctx);
|
|
|
afd52c4 |
}
|
|
|
afd52c4 |
|
|
|
afd52c4 |
+void
|
|
|
afd52c4 |
+ssh_selinux_copy_context(void)
|
|
|
afd52c4 |
+{
|
|
|
afd52c4 |
+ char *ctx;
|
|
|
afd52c4 |
+
|
|
|
afd52c4 |
+ if (!ssh_selinux_enabled())
|
|
|
afd52c4 |
+ return;
|
|
|
afd52c4 |
+
|
|
|
afd52c4 |
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
|
|
afd52c4 |
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
|
|
afd52c4 |
+ return;
|
|
|
afd52c4 |
+ }
|
|
|
afd52c4 |
+ if (setcon(ctx) != 0)
|
|
|
afd52c4 |
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
|
|
|
afd52c4 |
+ xfree(ctx);
|
|
|
afd52c4 |
+}
|
|
|
afd52c4 |
+
|
|
|
afd52c4 |
#endif /* WITH_SELINUX */
|
|
|
afd52c4 |
|
|
|
afd52c4 |
#ifdef LINUX_OOM_ADJUST
|
|
|
afd52c4 |
diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.h
|
|
|
afd52c4 |
--- openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100
|
|
|
afd52c4 |
+++ openssh-6.1p1/openbsd-compat/port-linux.h 2012-10-12 13:35:03.719980279 +0200
|
|
|
afd52c4 |
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
|
|
|
afd52c4 |
void ssh_selinux_setup_pty(char *, const char *);
|
|
|
afd52c4 |
void ssh_selinux_setup_exec_context(char *);
|
|
|
afd52c4 |
void ssh_selinux_change_context(const char *);
|
|
|
afd52c4 |
+void ssh_selinux_copy_context(void);
|
|
|
afd52c4 |
void ssh_selinux_setfscreatecon(const char *);
|
|
|
afd52c4 |
#endif
|
|
|
afd52c4 |
|
|
|
581bf30 |
diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
|
|
|
afd52c4 |
--- openssh-6.1p1/session.c.privsep-selinux 2012-10-12 13:35:03.670980503 +0200
|
|
|
afd52c4 |
+++ openssh-6.1p1/session.c 2012-10-12 14:03:01.011305806 +0200
|
|
|
afd52c4 |
@@ -1513,6 +1513,10 @@ do_setusercontext(struct passwd *pw)
|
|
|
581bf30 |
|
|
|
581bf30 |
platform_setusercontext_post_groups(pw);
|
|
|
581bf30 |
|
|
|
581bf30 |
+
|
|
|
0c438f5 |
+#ifdef WITH_SELINUX
|
|
|
581bf30 |
+ ssh_selinux_copy_context();
|
|
|
0c438f5 |
+#endif
|
|
|
afd52c4 |
if (options.chroot_directory != NULL &&
|
|
|
afd52c4 |
strcasecmp(options.chroot_directory, "none") != 0) {
|
|
|
afd52c4 |
tmp = tilde_expand_filename(options.chroot_directory,
|
|
|
afd52c4 |
@@ -1787,9 +1791,6 @@ do_child(Session *s, const char *command
|
|
|
afd52c4 |
argv[i] = NULL;
|
|
|
afd52c4 |
optind = optreset = 1;
|
|
|
afd52c4 |
__progname = argv[0];
|
|
|
afd52c4 |
-#ifdef WITH_SELINUX
|
|
|
afd52c4 |
- ssh_selinux_change_context("sftpd_t");
|
|
|
afd52c4 |
-#endif
|
|
|
afd52c4 |
exit(sftp_server_main(i, argv, s->pw));
|
|
|
cd5891d |
}
|
|
|
cd5891d |
|
|
|
581bf30 |
diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
|
|
|
afd52c4 |
--- openssh-6.1p1/sshd.c.privsep-selinux 2012-10-12 13:35:03.716980292 +0200
|
|
|
afd52c4 |
+++ openssh-6.1p1/sshd.c 2012-10-12 13:35:03.721980271 +0200
|
|
|
581bf30 |
@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
|
|
|
0c438f5 |
do_setusercontext(authctxt->pw);
|
|
|
0c438f5 |
|
|
|
0c438f5 |
skip:
|
|
|
cd5891d |
+#ifdef WITH_SELINUX
|
|
|
0c438f5 |
+ /* switch SELinux content for root too */
|
|
|
581bf30 |
+ if (authctxt->pw->pw_uid == 0) {
|
|
|
cd5891d |
+ ssh_selinux_copy_context();
|
|
|
cd5891d |
+ }
|
|
|
cd5891d |
+#endif
|
|
|
cd5891d |
+
|
|
|
0c438f5 |
/* It is safe now to apply the key state */
|
|
|
0c438f5 |
monitor_apply_keystate(pmonitor);
|
|
|
0c438f5 |
|