rpms / openssh

Clone
Source Code
GIT

Files

86_addmissingnb f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fix_f38_terrapin fix_f39_terrapin gsskexfix main master-future openssh85286 openssh96_rebase_combined openssh_96rebase openssh_rebase_90to93 openssh_rebase_90to93_cont openssh_rebase_90to93_fin private-controlpersist-4_3p2-9-branch private-master-vanilla private-openssh-4_5p1-6-controlpersist-branch rawhide sshkeysign_fix
  1.   f12
  2.   openssh-5.0p1-pam_selinux.patch
Blob Blame History Raw 
diff -up openssh-5.0p1/auth-pam.h.pam_selinux openssh-5.0p1/auth-pam.h
--- openssh-5.0p1/auth-pam.h.pam_selinux	2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.0p1/auth-pam.h	2008-04-30 14:25:28.000000000 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c
--- openssh-5.0p1/auth-pam.c.pam_selinux	2008-03-11 12:58:25.000000000 +0100
+++ openssh-5.0p1/auth-pam.c	2008-04-30 14:25:21.000000000 +0200
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/openbsd-compat/port-linux.c
--- openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux	2008-04-07 22:01:37.000000000 +0200
+++ openssh-5.0p1/openbsd-compat/port-linux.c	2008-04-30 14:26:17.000000000 +0200
@@ -34,6 +34,7 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "xmalloc.h"
+#include "servconf.h"
 
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
@@ -47,6 +48,7 @@
 #include <unistd.h>
 #endif
 
+extern ServerOptions options;
 extern Authctxt *the_authctxt;
 extern int inetd_flag;
 extern int rexeced_flag;
@@ -208,29 +210,38 @@ get_user_context(const char *sename, con
         return -1;
 }
 
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+	*role = NULL;
+	*level = NULL;
+	if (the_authctxt) {
+		if (the_authctxt->role != NULL) {
+			char *slash;
+			*role = xstrdup(the_authctxt->role);
+			if ((slash = strchr(*role, '/')) != NULL) {
+				*slash = '\0';
+				*level = slash + 1;
+			}
+		}
+	}
+}
+
 /* Return the default security context for the given username */
 static int
 ssh_selinux_getctxbyname(char *pwname,
 	security_context_t *default_sc, security_context_t *user_sc)
 {
 	char *sename, *lvl;
-	const char *reqlvl = NULL;
-	char *role = NULL;
+	const char *reqlvl;
+	char *role;
 	int r = -1;
 	context_t con = NULL;
 
 	*default_sc = NULL;
 	*user_sc = NULL;
-	if (the_authctxt) {
-		if (the_authctxt->role != NULL) {
-			char *slash;
-			role = xstrdup(the_authctxt->role);
-			if ((slash = strchr(role, '/')) != NULL) {
-				*slash = '\0';
-				reqlvl = slash + 1;
-			}
-		}
-	}
+
+	ssh_selinux_get_role_level(&role, &reqlvl);
 
 #ifdef HAVE_GETSEUSERBYNAME
 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -311,6 +322,36 @@ ssh_selinux_getctxbyname(char *pwname,
 	return (r);
 }
 
+/* Setup environment variables for pam_selinux */
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+	const char *reqlvl;
+	char *role;
+	char *use_current;
+	int rv;
+
+	debug3("%s: setting execution context", __func__);
+
+	ssh_selinux_get_role_level(&role, &reqlvl);
+
+	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+	
+	if (inetd_flag && !rexeced_flag) {
+		use_current = "1";
+	} else {
+		use_current = "";
+		rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+	}
+
+	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+	if (role != NULL)
+		xfree(role);
+	
+	return rv;
+}
+
 /* Set the execution context to the default for the specified user */
 void
 ssh_selinux_setup_exec_context(char *pwname)
@@ -322,6 +363,24 @@ ssh_selinux_setup_exec_context(char *pwn
 	if (!ssh_selinux_enabled())
 		return;
 
+	if (options.use_pam) {
+		/* do not compute context, just setup environment for pam_selinux */
+		if (ssh_selinux_setup_pam_variables()) {
+			switch (security_getenforce()) {
+			case -1:
+				fatal("%s: security_getenforce() failed", __func__);
+			case 0:
+				error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+				    __func__);
+			break;
+			default:
+				fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+				    __func__);
+			}
+		}
+		return;
+	}
+
 	debug3("%s: setting execution context", __func__);
 
 	r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.