rpms / openssh

Clone
Source Code
GIT

Files

86_addmissingnb f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fix_f38_terrapin fix_f39_terrapin gsskexfix main master-future openssh85286 openssh96_rebase_combined openssh_96rebase openssh_rebase_90to93 openssh_rebase_90to93_cont openssh_rebase_90to93_fin private-controlpersist-4_3p2-9-branch private-master-vanilla private-openssh-4_5p1-6-controlpersist-branch rawhide sshkeysign_fix
  1.   f18
  2.   openssh-6.1p1-role-mls.patch
Blob Blame History Raw 
diff -up openssh-6.1p1/auth1.c.role-mls openssh-6.1p1/auth1.c
--- openssh-6.1p1/auth1.c.role-mls	2012-11-28 17:06:43.657990103 +0100
+++ openssh-6.1p1/auth1.c	2012-11-28 17:06:43.699989959 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 	char *user, *style = NULL;
+#ifdef WITH_SELINUX
+	char *role=NULL;
+#endif
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_cstring(&ulen);
 	packet_check_eom();
 
+#ifdef WITH_SELINUX
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = '\0';
+#endif
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
+#ifdef WITH_SELINUX
+	else
+		if (role && (style = strchr(role, ':')) != NULL)
+			*style++ = '\0';
+#endif
 
 	authctxt->user = user;
 	authctxt->style = style;
+#ifdef WITH_SELINUX
+	authctxt->role = role;
+#endif
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-6.1p1/auth2.c.role-mls openssh-6.1p1/auth2.c
--- openssh-6.1p1/auth2.c.role-mls	2012-11-28 17:06:43.661990089 +0100
+++ openssh-6.1p1/auth2.c	2012-11-28 17:11:09.058916613 +0100
@@ -218,6 +218,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+	char *role = NULL;
+#endif
 	int authenticated = 0;
 
 	if (authctxt == NULL)
@@ -229,6 +232,11 @@ input_userauth_request(int type, u_int32
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+#ifdef WITH_SELINUX
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = 0;
+#endif
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
 
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
+#ifdef WITH_SELINUX
+		authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+		if (use_privsep) {
 			mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+			mm_inform_authrole(role);
+#endif
+		}
 		userauth_banner();
 		if (auth2_setup_methods_lists(authctxt) != 0)
 			packet_disconnect("no authentication methods enabled");
diff -up openssh-6.1p1/auth2-gss.c.role-mls openssh-6.1p1/auth2-gss.c
--- openssh-6.1p1/auth2-gss.c.role-mls	2011-05-05 06:04:11.000000000 +0200
+++ openssh-6.1p1/auth2-gss.c	2012-11-28 17:06:43.700989956 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
+	char *micuser;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
 
-	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+	if (authctxt->role && (strlen(authctxt->role) > 0))
+		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+	else
+#endif
+		micuser = authctxt->user;
+	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 	    "gssapi-with-mic");
 
 	gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 
 	buffer_free(&b);
+	if (micuser != authctxt->user)
+		xfree(micuser);
 	xfree(mic.value);
 
 	authctxt->postponed = 0;
diff -up openssh-6.1p1/auth2-hostbased.c.role-mls openssh-6.1p1/auth2-hostbased.c
--- openssh-6.1p1/auth2-hostbased.c.role-mls	2012-11-28 17:06:43.669990062 +0100
+++ openssh-6.1p1/auth2-hostbased.c	2012-11-28 17:06:43.700989956 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-	buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+	if (authctxt->role) {
+		buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+		buffer_append(&b, authctxt->user, strlen(authctxt->user));
+		buffer_put_char(&b, '/');
+		buffer_append(&b, authctxt->role, strlen(authctxt->role));
+	} else 
+#endif
+		buffer_put_cstring(&b, authctxt->user);
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
diff -up openssh-6.1p1/auth2-pubkey.c.role-mls openssh-6.1p1/auth2-pubkey.c
--- openssh-6.1p1/auth2-pubkey.c.role-mls	2012-11-28 17:06:43.669990062 +0100
+++ openssh-6.1p1/auth2-pubkey.c	2012-11-28 17:06:43.700989956 +0100
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-		buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+		if (authctxt->role) {
+			buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+			buffer_append(&b, authctxt->user, strlen(authctxt->user));
+			buffer_put_char(&b, '/');
+			buffer_append(&b, authctxt->role, strlen(authctxt->role));
+		} else 
+#endif
+			buffer_put_cstring(&b, authctxt->user);
 		buffer_put_cstring(&b,
 		    datafellows & SSH_BUG_PKSERVICE ?
 		    "ssh-userauth" :
diff -up openssh-6.1p1/auth.h.role-mls openssh-6.1p1/auth.h
--- openssh-6.1p1/auth.h.role-mls	2012-11-28 17:06:43.669990062 +0100
+++ openssh-6.1p1/auth.h	2012-11-28 17:06:43.699989959 +0100
@@ -59,6 +59,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
+#ifdef WITH_SELINUX
+	char		*role;
+#endif
 	void		*kbdintctxt;
 	void		*jpake_ctx;
 #ifdef BSD_AUTH
diff -up openssh-6.1p1/auth-pam.c.role-mls openssh-6.1p1/auth-pam.c
--- openssh-6.1p1/auth-pam.c.role-mls	2012-11-28 17:06:43.638990168 +0100
+++ openssh-6.1p1/auth-pam.c	2012-11-28 17:06:43.699989959 +0100
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
diff -up openssh-6.1p1/auth-pam.h.role-mls openssh-6.1p1/auth-pam.h
--- openssh-6.1p1/auth-pam.h.role-mls	2004-09-11 14:17:26.000000000 +0200
+++ openssh-6.1p1/auth-pam.h	2012-11-28 17:06:43.699989959 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
diff -up openssh-6.1p1/misc.c.role-mls openssh-6.1p1/misc.c
--- openssh-6.1p1/misc.c.role-mls	2011-09-22 13:34:36.000000000 +0200
+++ openssh-6.1p1/misc.c	2012-11-28 17:06:43.701989952 +0100
@@ -427,6 +427,7 @@ char *
 colon(char *cp)
 {
 	int flag = 0;
+	int start = 1;
 
 	if (*cp == ':')		/* Leading colon is part of file name. */
 		return NULL;
@@ -442,6 +443,13 @@ colon(char *cp)
 			return (cp);
 		if (*cp == '/')
 			return NULL;
+		if (start) {
+		/* Slash on beginning or after dots only denotes file name. */
+			if (*cp == '/')
+				return (0);
+			if (*cp != '.')
+				start = 0;
+		}
 	}
 	return NULL;
 }
diff -up openssh-6.1p1/monitor.c.role-mls openssh-6.1p1/monitor.c
--- openssh-6.1p1/monitor.c.role-mls	2012-11-28 17:06:43.686990004 +0100
+++ openssh-6.1p1/monitor.c	2012-11-28 17:06:43.701989952 +0100
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -838,6 +844,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 #ifdef USE_PAM
@@ -881,6 +890,25 @@ mm_answer_authserv(int sock, Buffer *m)
 	return (0);
 }
 
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+#endif
+
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
@@ -1251,7 +1279,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 	Buffer b;
-	char *p;
+	char *p, *r;
 	u_int len;
 	int fail = 0;
 
@@ -1277,6 +1305,8 @@ monitor_valid_userblob(u_char *data, u_i
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
+	if ((r = strchr(p, '/')) != NULL)
+		*r = '\0';
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
@@ -1308,7 +1338,7 @@ monitor_valid_hostbasedblob(u_char *data
     char *chost)
 {
 	Buffer b;
-	char *p;
+	char *p, *r;
 	u_int len;
 	int fail = 0;
 
@@ -1325,6 +1355,8 @@ monitor_valid_hostbasedblob(u_char *data
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
+	if ((r = strchr(p, '/')) != NULL)
+		*r = '\0';
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
diff -up openssh-6.1p1/monitor.h.role-mls openssh-6.1p1/monitor.h
--- openssh-6.1p1/monitor.h.role-mls	2012-11-28 17:06:43.686990004 +0100
+++ openssh-6.1p1/monitor.h	2012-11-28 17:06:43.701989952 +0100
@@ -31,6 +31,9 @@
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
 	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+	MONITOR_REQ_AUTHROLE,
+#endif
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-6.1p1/monitor_wrap.c.role-mls openssh-6.1p1/monitor_wrap.c
--- openssh-6.1p1/monitor_wrap.c.role-mls	2012-11-28 17:06:43.686990004 +0100
+++ openssh-6.1p1/monitor_wrap.c	2012-11-28 17:06:43.702989948 +0100
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+#endif
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-6.1p1/monitor_wrap.h.role-mls openssh-6.1p1/monitor_wrap.h
--- openssh-6.1p1/monitor_wrap.h.role-mls	2012-11-28 17:06:43.686990004 +0100
+++ openssh-6.1p1/monitor_wrap.h	2012-11-28 17:06:43.702989948 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-6.1p1/openbsd-compat/Makefile.in.role-mls openssh-6.1p1/openbsd-compat/Makefile.in
--- openssh-6.1p1/openbsd-compat/Makefile.in.role-mls	2011-11-04 01:25:25.000000000 +0100
+++ openssh-6.1p1/openbsd-compat/Makefile.in	2012-11-28 17:06:43.702989948 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-6.1p1/openbsd-compat/port-linux.c.role-mls openssh-6.1p1/openbsd-compat/port-linux.c
--- openssh-6.1p1/openbsd-compat/port-linux.c.role-mls	2012-03-09 00:25:18.000000000 +0100
+++ openssh-6.1p1/openbsd-compat/port-linux.c	2012-11-28 17:06:43.702989948 +0100
@@ -31,68 +31,271 @@
 
 #include "log.h"
 #include "xmalloc.h"
+#include "servconf.h"
 #include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
+#include <selinux/context.h>
 #include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+#include <selinux/av_permissions.h>
+
+#ifdef HAVE_LINUX_AUDIT
+#include <libaudit.h>
+#include <unistd.h>
+#endif
 
 #ifndef SSH_SELINUX_UNCONFINED_TYPE
 # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
 #endif
 
-/* Wrapper around is_selinux_enabled() to log its return value once only */
-int
-ssh_selinux_enabled(void)
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
+extern int rexeced_flag;
+
+/* Send audit message */
+static int
+send_audit_message(int success, security_context_t default_context,
+		       security_context_t selected_context)
+{
+	int rc=0;
+#ifdef HAVE_LINUX_AUDIT
+	char *msg = NULL;
+	int audit_fd = audit_open();
+	security_context_t default_raw=NULL;
+	security_context_t selected_raw=NULL;
+	rc = -1;
+	if (audit_fd < 0) {
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+					errno == EAFNOSUPPORT)
+				return 0; /* No audit support in kernel */
+		error("Error connecting to audit system.");
+		return rc;
+	}
+	if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+		error("Error translating default context.");
+		default_raw = NULL;
+	}
+	if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+		error("Error translating selected context.");
+		selected_raw = NULL;
+	}
+	if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
+		     default_raw ? default_raw : (default_context ? default_context: "?"),
+		     selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
+		error("Error allocating memory.");
+		goto out;
+	}
+	if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+				   msg, NULL, NULL, NULL, success) <= 0) {
+		error("Error sending audit message.");
+		goto out;
+	}
+	rc = 0;
+      out:
+	free(msg);
+	freecon(default_raw);
+	freecon(selected_raw);
+	close(audit_fd);
+#endif
+	return rc;
+}
+
+static int
+mls_range_allowed(security_context_t src, security_context_t dst)
 {
-	static int enabled = -1;
+	struct av_decision avd;
+	int retval;
+	unsigned int bit = CONTEXT__CONTAINS;
+
+	debug("%s: src:%s dst:%s", __func__, src, dst);
+	retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
+	if (retval || ((bit & avd.allowed) != bit))
+		return 0;
+
+	return 1;
+}
+
+static int
+get_user_context(const char *sename, const char *role, const char *lvl,
+	security_context_t *sc) {
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+	if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
+	        /* User may have requested a level completely outside of his 
+	           allowed range. We get a context just for auditing as the
+	           range check below will certainly fail for default context. */
+#endif
+		if (get_default_context(sename, NULL, sc) != 0) {
+			*sc = NULL;
+			return -1;
+		}
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+	}
+#endif
+	if (role != NULL && role[0]) {
+		context_t con;
+		char *type=NULL;
+		if (get_default_type(role, &type) != 0) {
+			error("get_default_type: failed to get default type for '%s'",
+				role);
+			goto out;
+		}
+		con = context_new(*sc);
+		if (!con) {
+			goto out;
+		}
+		context_role_set(con, role);
+		context_type_set(con, type);
+		freecon(*sc);
+		*sc = strdup(context_str(con));
+		context_free(con);
+		if (!*sc) 
+			return -1;
+	}
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+	if (lvl != NULL && lvl[0]) {
+		/* verify that the requested range is obtained */
+		context_t con;
+		security_context_t obtained_raw;
+		security_context_t requested_raw;
+		con = context_new(*sc);
+		if (!con) {
+			goto out;
+		}
+		context_range_set(con, lvl);
+		if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
+			context_free(con);
+			goto out;
+		}
+		if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
+			freecon(obtained_raw);
+			context_free(con);
+			goto out;
+		}
 
-	if (enabled == -1) {
-		enabled = (is_selinux_enabled() == 1);
-		debug("SELinux support %s", enabled ? "enabled" : "disabled");
+		debug("get_user_context: obtained context '%s' requested context '%s'",
+			obtained_raw, requested_raw);
+		if (strcmp(obtained_raw, requested_raw)) {
+			/* set the context to the real requested one but fail */
+			freecon(requested_raw);
+			freecon(obtained_raw);
+			freecon(*sc);
+			*sc = strdup(context_str(con));
+			context_free(con);
+			return -1;
+		}
+		freecon(requested_raw);
+		freecon(obtained_raw);
+		context_free(con);
 	}
+#endif
+	return 0;
+      out:
+	freecon(*sc);
+	*sc = NULL;
+	return -1;
+}
 
-	return (enabled);
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+	*role = NULL;
+	*level = NULL;
+	if (the_authctxt) {
+		if (the_authctxt->role != NULL) {
+			char *slash;
+			*role = xstrdup(the_authctxt->role);
+			if ((slash = strchr(*role, '/')) != NULL) {
+				*slash = '\0';
+				*level = slash + 1;
+			}
+		}
+	}
 }
 
 /* Return the default security context for the given username */
 static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname,
+	security_context_t *default_sc, security_context_t *user_sc)
 {
-	security_context_t sc = NULL;
-	char *sename = NULL, *lvl = NULL;
-	int r;
+	char *sename, *lvl;
+	char *role;
+	const char *reqlvl;
+	int r = 0;
+	context_t con = NULL;
+ 
+	ssh_selinux_get_role_level(&role, &reqlvl);
 
 #ifdef HAVE_GETSEUSERBYNAME
-	if (getseuserbyname(pwname, &sename, &lvl) != 0)
-		return NULL;
+	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+		sename = NULL;
+		lvl = NULL;
+	}
 #else
 	sename = pwname;
-	lvl = NULL;
+	lvl = "";
 #endif
 
+	if (r == 0) {
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
+		r = get_default_context_with_level(sename, lvl, NULL, default_sc);
 #else
-	r = get_default_context(sename, NULL, &sc);
+		r = get_default_context(sename, NULL, default_sc);
 #endif
+	}
+
+	if (r == 0) {
+		/* If launched from xinetd, we must use current level */
+		if (inetd_flag && !rexeced_flag) {
+			security_context_t sshdsc=NULL;
+
+			if (getcon_raw(&sshdsc) < 0)
+				fatal("failed to allocate security context");
+
+			if ((con=context_new(sshdsc)) == NULL)
+				fatal("failed to allocate selinux context");
+			reqlvl = context_range_get(con);
+			freecon(sshdsc);
+			if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
+			    /* we actually don't change level */
+			    reqlvl = "";
+
+			debug("%s: current connection level '%s'", __func__, reqlvl);
 
-	if (r != 0) {
-		switch (security_getenforce()) {
-		case -1:
-			fatal("%s: ssh_selinux_getctxbyname: "
-			    "security_getenforce() failed", __func__);
-		case 0:
-			error("%s: Failed to get default SELinux security "
-			    "context for %s", __func__, pwname);
-			sc = NULL;
-			break;
-		default:
-			fatal("%s: Failed to get default SELinux security "
-			    "context for %s (in enforcing mode)",
-			    __func__, pwname);
 		}
+		
+		if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
+			r = get_user_context(sename, role, reqlvl, user_sc);
+		
+			if (r == 0 && reqlvl != NULL && reqlvl[0]) {
+				security_context_t default_level_sc = *default_sc;
+				if (role != NULL && role[0]) {
+					if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
+						default_level_sc = *default_sc;
+				}
+				/* verify that the requested range is contained in the user range */
+				if (mls_range_allowed(default_level_sc, *user_sc)) {
+					logit("permit MLS level %s (user range %s)", reqlvl, lvl);
+				} else {
+					r = -1;
+					error("deny MLS level %s (user range %s)", reqlvl, lvl);
+				}
+				if (default_level_sc != *default_sc)
+					freecon(default_level_sc);
+			}
+		} else {
+			*user_sc = *default_sc;
+		}
+	}
+	if (r != 0) {
+		error("%s: Failed to get default SELinux security "
+		    "context for %s", __func__, pwname);
 	}
 
 #ifdef HAVE_GETSEUSERBYNAME
@@ -102,7 +305,42 @@ ssh_selinux_getctxbyname(char *pwname)
 		xfree(lvl);
 #endif
 
-	return sc;
+	if (role != NULL)
+		xfree(role);
+	if (con)
+		context_free(con);
+ 
+	return (r);
+}
+
+/* Setup environment variables for pam_selinux */
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+	const char *reqlvl;
+	char *role;
+	char *use_current;
+	int rv;
+
+	debug3("%s: setting execution context", __func__);
+
+	ssh_selinux_get_role_level(&role, &reqlvl);
+
+	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+	
+	if (inetd_flag && !rexeced_flag) {
+		use_current = "1";
+	} else {
+		use_current = "";
+		rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+	}
+
+	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+	if (role != NULL)
+		xfree(role);
+	
+	return rv;
 }
 
 /* Set the execution context to the default for the specified user */
@@ -110,28 +348,71 @@ void
 ssh_selinux_setup_exec_context(char *pwname)
 {
 	security_context_t user_ctx = NULL;
+	int r = 0;
+	security_context_t default_ctx = NULL;
 
 	if (!ssh_selinux_enabled())
 		return;
 
+	if (options.use_pam) {
+		/* do not compute context, just setup environment for pam_selinux */
+		if (ssh_selinux_setup_pam_variables()) {
+			switch (security_getenforce()) {
+			case -1:
+				fatal("%s: security_getenforce() failed", __func__);
+			case 0:
+				error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+				    __func__);
+			break;
+			default:
+				fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+				    __func__);
+			}
+		}
+		return;
+	}
+
 	debug3("%s: setting execution context", __func__);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
-	if (setexeccon(user_ctx) != 0) {
+	r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+	if (r >= 0) {
+		r = setexeccon(user_ctx);
+		if (r < 0) {
+			error("%s: Failed to set SELinux execution context %s for %s",
+			    __func__, user_ctx, pwname);
+		} 
+#ifdef HAVE_SETKEYCREATECON
+		else if (setkeycreatecon(user_ctx) < 0) {
+			error("%s: Failed to set SELinux keyring creation context %s for %s",
+			    __func__, user_ctx, pwname);
+		}
+#endif
+	}
+	if (user_ctx == NULL) {
+		user_ctx = default_ctx;
+	}
+	if (r < 0 || user_ctx != default_ctx) {
+		/* audit just the case when user changed a role or there was
+		   a failure */
+		send_audit_message(r >= 0, default_ctx, user_ctx);
+	}
+	if (r < 0) {
 		switch (security_getenforce()) {
 		case -1:
 			fatal("%s: security_getenforce() failed", __func__);
 		case 0:
-			error("%s: Failed to set SELinux execution "
-			    "context for %s", __func__, pwname);
+			error("%s: SELinux failure. Continuing in permissive mode.",
+			    __func__);
 			break;
 		default:
-			fatal("%s: Failed to set SELinux execution context "
-			    "for %s (in enforcing mode)", __func__, pwname);
+			fatal("%s: SELinux failure. Aborting connection.",
+			    __func__);
 		}
 	}
-	if (user_ctx != NULL)
+	if (user_ctx != NULL && user_ctx != default_ctx)
 		freecon(user_ctx);
+	if (default_ctx != NULL)
+		freecon(default_ctx);
 
 	debug3("%s: done", __func__);
 }
@@ -149,7 +430,10 @@ ssh_selinux_setup_pty(char *pwname, cons
 
 	debug3("%s: setting TTY context on %s", __func__, tty);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
+	if (getexeccon(&user_ctx) < 0) {
+		error("%s: getexeccon: %s", __func__, strerror(errno));
+		goto out;
+	}
 
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
 
@@ -221,21 +505,6 @@ ssh_selinux_change_context(const char *n
 	xfree(newctx);
 }
 
-void
-ssh_selinux_setfscreatecon(const char *path)
-{
-	security_context_t context;
-
-	if (!ssh_selinux_enabled())
-		return;
-	if (path == NULL) {
-		setfscreatecon(NULL);
-		return;
-	}
-	if (matchpathcon(path, 0700, &context) == 0)
-		setfscreatecon(context);
-}
-
 #endif /* WITH_SELINUX */
 
 #ifdef LINUX_OOM_ADJUST
diff -up openssh-6.1p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.1p1/openbsd-compat/port-linux_part_2.c
--- openssh-6.1p1/openbsd-compat/port-linux_part_2.c.role-mls	2012-11-28 17:06:43.703989944 +0100
+++ openssh-6.1p1/openbsd-compat/port-linux_part_2.c	2012-11-28 17:06:43.703989944 +0100
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
+ssh_selinux_enabled(void)
+{
+	static int enabled = -1;
+
+	if (enabled == -1) {
+		enabled = (is_selinux_enabled() == 1);
+		debug("SELinux support %s", enabled ? "enabled" : "disabled");
+	}
+
+	return (enabled);
+}
+
+void
+ssh_selinux_setfscreatecon(const char *path)
+{
+	security_context_t context;
+
+	if (!ssh_selinux_enabled())
+		return;
+	if (path == NULL) {
+		setfscreatecon(NULL);
+		return;
+	}
+	if (matchpathcon(path, 0700, &context) == 0)
+		setfscreatecon(context);
+}
+
+#endif /* WITH_SELINUX */
+
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
diff -up openssh-6.1p1/sshd.c.role-mls openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.role-mls	2012-11-28 17:06:43.688989996 +0100
+++ openssh-6.1p1/sshd.c	2012-11-28 17:06:43.703989944 +0100
@@ -2101,6 +2101,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
+#ifdef WITH_SELINUX
+	ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
+#endif
 #ifdef USE_PAM
 	if (options.use_pam) {
 		do_pam_setcred(1);
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.