diff options
author | Colin Watson <cjwatson@debian.org> | 2011-01-25 12:59:25 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-01-25 12:59:25 +0000 |
commit | ddf3ca2157b82d609f169eb22706047cbee7d3b4 (patch) | |
tree | 9ae03508881372c8f22df0e4f7d44df4532f10b0 /debian/patches | |
parent | 5e750371bb19c8cc58b5faea70278d857acdae0a (diff) |
Rearrange selinux-role.patch so that it links properly given this
SELinux build fix.
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/selinux-build-failure.patch | 26 | ||||
-rw-r--r-- | debian/patches/selinux-role.patch | 226 |
2 files changed, 221 insertions, 31 deletions
diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch index 47c953009..fb96e87b9 100644 --- a/debian/patches/selinux-build-failure.patch +++ b/debian/patches/selinux-build-failure.patch | |||
@@ -90,7 +90,7 @@ Index: b/configure | |||
90 | KRB5CONF | 90 | KRB5CONF |
91 | PRIVSEP_PATH | 91 | PRIVSEP_PATH |
92 | xauth_path | 92 | xauth_path |
93 | @@ -9047,7 +9159,6 @@ | 93 | @@ -9047,7 +9048,6 @@ |
94 | _ACEOF | 94 | _ACEOF |
95 | 95 | ||
96 | SSHDLIBS="$SSHDLIBS -lcontract" | 96 | SSHDLIBS="$SSHDLIBS -lcontract" |
@@ -98,7 +98,7 @@ Index: b/configure | |||
98 | SPC_MSG="yes" | 98 | SPC_MSG="yes" |
99 | fi | 99 | fi |
100 | 100 | ||
101 | @@ -9126,7 +9237,6 @@ | 101 | @@ -9126,7 +9126,6 @@ |
102 | _ACEOF | 102 | _ACEOF |
103 | 103 | ||
104 | SSHDLIBS="$SSHDLIBS -lproject" | 104 | SSHDLIBS="$SSHDLIBS -lproject" |
@@ -106,7 +106,7 @@ Index: b/configure | |||
106 | SP_MSG="yes" | 106 | SP_MSG="yes" |
107 | fi | 107 | fi |
108 | 108 | ||
109 | @@ -27806,6 +27916,7 @@ | 109 | @@ -27806,6 +27805,7 @@ |
110 | { (exit 1); exit 1; }; } | 110 | { (exit 1); exit 1; }; } |
111 | fi | 111 | fi |
112 | 112 | ||
@@ -114,7 +114,7 @@ Index: b/configure | |||
114 | SSHDLIBS="$SSHDLIBS $LIBSELINUX" | 114 | SSHDLIBS="$SSHDLIBS $LIBSELINUX" |
115 | 115 | ||
116 | 116 | ||
117 | @@ -27908,6 +28019,8 @@ | 117 | @@ -27908,6 +27908,8 @@ |
118 | fi | 118 | fi |
119 | 119 | ||
120 | 120 | ||
@@ -123,7 +123,7 @@ Index: b/configure | |||
123 | # Check whether user wants Kerberos 5 support | 123 | # Check whether user wants Kerberos 5 support |
124 | KRB5_MSG="no" | 124 | KRB5_MSG="no" |
125 | 125 | ||
126 | @@ -31416,7 +31529,6 @@ | 126 | @@ -31416,7 +31418,6 @@ |
127 | LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim | 127 | LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim |
128 | PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim | 128 | PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim |
129 | LD!$LD$ac_delim | 129 | LD!$LD$ac_delim |
@@ -131,7 +131,7 @@ Index: b/configure | |||
131 | PKGCONFIG!$PKGCONFIG$ac_delim | 131 | PKGCONFIG!$PKGCONFIG$ac_delim |
132 | LIBEDIT!$LIBEDIT$ac_delim | 132 | LIBEDIT!$LIBEDIT$ac_delim |
133 | TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim | 133 | TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim |
134 | @@ -31433,6 +31545,7 @@ | 134 | @@ -31433,6 +31434,7 @@ |
135 | PROG_SAR!$PROG_SAR$ac_delim | 135 | PROG_SAR!$PROG_SAR$ac_delim |
136 | PROG_W!$PROG_W$ac_delim | 136 | PROG_W!$PROG_W$ac_delim |
137 | PROG_WHO!$PROG_WHO$ac_delim | 137 | PROG_WHO!$PROG_WHO$ac_delim |
@@ -139,7 +139,7 @@ Index: b/configure | |||
139 | _ACEOF | 139 | _ACEOF |
140 | 140 | ||
141 | if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then | 141 | if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then |
142 | @@ -31474,7 +31587,6 @@ | 142 | @@ -31474,7 +31476,6 @@ |
143 | ac_delim='%!_!# ' | 143 | ac_delim='%!_!# ' |
144 | for ac_last_try in false false false false false :; do | 144 | for ac_last_try in false false false false false :; do |
145 | cat >conf$$subs.sed <<_ACEOF | 145 | cat >conf$$subs.sed <<_ACEOF |
@@ -147,7 +147,7 @@ Index: b/configure | |||
147 | PROG_LASTLOG!$PROG_LASTLOG$ac_delim | 147 | PROG_LASTLOG!$PROG_LASTLOG$ac_delim |
148 | PROG_DF!$PROG_DF$ac_delim | 148 | PROG_DF!$PROG_DF$ac_delim |
149 | PROG_VMSTAT!$PROG_VMSTAT$ac_delim | 149 | PROG_VMSTAT!$PROG_VMSTAT$ac_delim |
150 | @@ -31482,6 +31594,8 @@ | 150 | @@ -31482,6 +31483,8 @@ |
151 | PROG_IPCS!$PROG_IPCS$ac_delim | 151 | PROG_IPCS!$PROG_IPCS$ac_delim |
152 | PROG_TAIL!$PROG_TAIL$ac_delim | 152 | PROG_TAIL!$PROG_TAIL$ac_delim |
153 | INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim | 153 | INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim |
@@ -156,7 +156,7 @@ Index: b/configure | |||
156 | KRB5CONF!$KRB5CONF$ac_delim | 156 | KRB5CONF!$KRB5CONF$ac_delim |
157 | PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim | 157 | PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim |
158 | xauth_path!$xauth_path$ac_delim | 158 | xauth_path!$xauth_path$ac_delim |
159 | @@ -31496,7 +31610,7 @@ | 159 | @@ -31496,7 +31499,7 @@ |
160 | LTLIBOBJS!$LTLIBOBJS$ac_delim | 160 | LTLIBOBJS!$LTLIBOBJS$ac_delim |
161 | _ACEOF | 161 | _ACEOF |
162 | 162 | ||
@@ -165,7 +165,7 @@ Index: b/configure | |||
165 | break | 165 | break |
166 | elif $ac_last_try; then | 166 | elif $ac_last_try; then |
167 | { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 | 167 | { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 |
168 | @@ -31993,6 +32107,9 @@ | 168 | @@ -31993,6 +31996,9 @@ |
169 | if test ! -z "${SSHDLIBS}"; then | 169 | if test ! -z "${SSHDLIBS}"; then |
170 | echo " +for sshd: ${SSHDLIBS}" | 170 | echo " +for sshd: ${SSHDLIBS}" |
171 | fi | 171 | fi |
@@ -179,7 +179,7 @@ Index: b/openbsd-compat/port-linux.c | |||
179 | =================================================================== | 179 | =================================================================== |
180 | --- a/openbsd-compat/port-linux.c | 180 | --- a/openbsd-compat/port-linux.c |
181 | +++ b/openbsd-compat/port-linux.c | 181 | +++ b/openbsd-compat/port-linux.c |
182 | @@ -222,6 +222,20 @@ | 182 | @@ -218,6 +218,20 @@ |
183 | xfree(oldctx); | 183 | xfree(oldctx); |
184 | xfree(newctx); | 184 | xfree(newctx); |
185 | } | 185 | } |
@@ -205,8 +205,8 @@ Index: b/openbsd-compat/port-linux.h | |||
205 | --- a/openbsd-compat/port-linux.h | 205 | --- a/openbsd-compat/port-linux.h |
206 | +++ b/openbsd-compat/port-linux.h | 206 | +++ b/openbsd-compat/port-linux.h |
207 | @@ -24,6 +24,7 @@ | 207 | @@ -24,6 +24,7 @@ |
208 | void ssh_selinux_setup_pty(char *, const char *); | 208 | void ssh_selinux_setup_pty(char *, const char *, const char *); |
209 | void ssh_selinux_setup_exec_context(char *); | 209 | void ssh_selinux_setup_exec_context(char *, const char *); |
210 | void ssh_selinux_change_context(const char *); | 210 | void ssh_selinux_change_context(const char *); |
211 | +void ssh_selinux_setfscreatecon(const char *); | 211 | +void ssh_selinux_setfscreatecon(const char *); |
212 | #endif | 212 | #endif |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 74cd06201..30db352dd 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -156,6 +156,15 @@ Index: b/monitor.c | |||
156 | return (0); | 156 | return (0); |
157 | } | 157 | } |
158 | 158 | ||
159 | @@ -1327,7 +1353,7 @@ | ||
160 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | ||
161 | if (res == 0) | ||
162 | goto error; | ||
163 | - pty_setowner(authctxt->pw, s->tty); | ||
164 | + pty_setowner(authctxt->pw, s->tty, authctxt->role); | ||
165 | |||
166 | buffer_put_int(m, 1); | ||
167 | buffer_put_cstring(m, s->tty); | ||
159 | Index: b/monitor.h | 168 | Index: b/monitor.h |
160 | =================================================================== | 169 | =================================================================== |
161 | --- a/monitor.h | 170 | --- a/monitor.h |
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c | |||
247 | #include "log.h" | 256 | #include "log.h" |
248 | #include "xmalloc.h" | 257 | #include "xmalloc.h" |
249 | #include "port-linux.h" | 258 | #include "port-linux.h" |
250 | @@ -38,6 +44,8 @@ | 259 | @@ -54,9 +60,9 @@ |
251 | #include <selinux/flask.h> | ||
252 | #include <selinux/get_context_list.h> | ||
253 | 260 | ||
254 | +extern Authctxt *the_authctxt; | 261 | /* Return the default security context for the given username */ |
255 | + | ||
256 | /* Wrapper around is_selinux_enabled() to log its return value once only */ | ||
257 | int | ||
258 | ssh_selinux_enabled(void) | ||
259 | @@ -56,8 +64,8 @@ | ||
260 | static security_context_t | 262 | static security_context_t |
261 | ssh_selinux_getctxbyname(char *pwname) | 263 | -ssh_selinux_getctxbyname(char *pwname) |
264 | +ssh_selinux_getctxbyname(char *pwname, const char *role) | ||
262 | { | 265 | { |
263 | - security_context_t sc; | 266 | - security_context_t sc; |
264 | - char *sename = NULL, *lvl = NULL; | ||
265 | + security_context_t sc = NULL; | 267 | + security_context_t sc = NULL; |
266 | + char *sename = NULL, *role = NULL, *lvl = NULL; | 268 | char *sename = NULL, *lvl = NULL; |
267 | int r; | 269 | int r; |
268 | 270 | ||
269 | #ifdef HAVE_GETSEUSERBYNAME | 271 | @@ -69,9 +75,16 @@ |
270 | @@ -67,11 +75,20 @@ | ||
271 | sename = pwname; | ||
272 | lvl = NULL; | ||
273 | #endif | 272 | #endif |
274 | + if (the_authctxt) | ||
275 | + role = the_authctxt->role; | ||
276 | 273 | ||
277 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 274 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
278 | - r = get_default_context_with_level(sename, lvl, NULL, &sc); | 275 | - r = get_default_context_with_level(sename, lvl, NULL, &sc); |
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c | |||
290 | #endif | 287 | #endif |
291 | 288 | ||
292 | if (r != 0) { | 289 | if (r != 0) { |
290 | @@ -102,7 +115,7 @@ | ||
291 | |||
292 | /* Set the execution context to the default for the specified user */ | ||
293 | void | ||
294 | -ssh_selinux_setup_exec_context(char *pwname) | ||
295 | +ssh_selinux_setup_exec_context(char *pwname, const char *role) | ||
296 | { | ||
297 | security_context_t user_ctx = NULL; | ||
298 | |||
299 | @@ -111,7 +124,7 @@ | ||
300 | |||
301 | debug3("%s: setting execution context", __func__); | ||
302 | |||
303 | - user_ctx = ssh_selinux_getctxbyname(pwname); | ||
304 | + user_ctx = ssh_selinux_getctxbyname(pwname, role); | ||
305 | if (setexeccon(user_ctx) != 0) { | ||
306 | switch (security_getenforce()) { | ||
307 | case -1: | ||
308 | @@ -133,7 +146,7 @@ | ||
309 | |||
310 | /* Set the TTY context for the specified user */ | ||
311 | void | ||
312 | -ssh_selinux_setup_pty(char *pwname, const char *tty) | ||
313 | +ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) | ||
314 | { | ||
315 | security_context_t new_tty_ctx = NULL; | ||
316 | security_context_t user_ctx = NULL; | ||
317 | @@ -144,7 +157,7 @@ | ||
318 | |||
319 | debug3("%s: setting TTY context on %s", __func__, tty); | ||
320 | |||
321 | - user_ctx = ssh_selinux_getctxbyname(pwname); | ||
322 | + user_ctx = ssh_selinux_getctxbyname(pwname, role); | ||
323 | |||
324 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | ||
325 | |||
326 | Index: b/openbsd-compat/port-linux.h | ||
327 | =================================================================== | ||
328 | --- a/openbsd-compat/port-linux.h | ||
329 | +++ b/openbsd-compat/port-linux.h | ||
330 | @@ -21,8 +21,8 @@ | ||
331 | |||
332 | #ifdef WITH_SELINUX | ||
333 | int ssh_selinux_enabled(void); | ||
334 | -void ssh_selinux_setup_pty(char *, const char *); | ||
335 | -void ssh_selinux_setup_exec_context(char *); | ||
336 | +void ssh_selinux_setup_pty(char *, const char *, const char *); | ||
337 | +void ssh_selinux_setup_exec_context(char *, const char *); | ||
338 | void ssh_selinux_change_context(const char *); | ||
339 | #endif | ||
340 | |||
341 | Index: b/platform.c | ||
342 | =================================================================== | ||
343 | --- a/platform.c | ||
344 | +++ b/platform.c | ||
345 | @@ -134,7 +134,7 @@ | ||
346 | * called if sshd is running as root. | ||
347 | */ | ||
348 | void | ||
349 | -platform_setusercontext_post_groups(struct passwd *pw) | ||
350 | +platform_setusercontext_post_groups(struct passwd *pw, const char *role) | ||
351 | { | ||
352 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | ||
353 | /* | ||
354 | @@ -181,7 +181,7 @@ | ||
355 | } | ||
356 | #endif /* HAVE_SETPCRED */ | ||
357 | #ifdef WITH_SELINUX | ||
358 | - ssh_selinux_setup_exec_context(pw->pw_name); | ||
359 | + ssh_selinux_setup_exec_context(pw->pw_name, role); | ||
360 | #endif | ||
361 | } | ||
362 | |||
363 | Index: b/platform.h | ||
364 | =================================================================== | ||
365 | --- a/platform.h | ||
366 | +++ b/platform.h | ||
367 | @@ -26,7 +26,7 @@ | ||
368 | void platform_post_fork_child(void); | ||
369 | int platform_privileged_uidswap(void); | ||
370 | void platform_setusercontext(struct passwd *); | ||
371 | -void platform_setusercontext_post_groups(struct passwd *); | ||
372 | +void platform_setusercontext_post_groups(struct passwd *, const char *); | ||
373 | char *platform_get_krb5_client(const char *); | ||
374 | char *platform_krb5_get_principal_name(const char *); | ||
375 | |||
376 | Index: b/session.c | ||
377 | =================================================================== | ||
378 | --- a/session.c | ||
379 | +++ b/session.c | ||
380 | @@ -1467,7 +1467,7 @@ | ||
381 | |||
382 | /* Set login name, uid, gid, and groups. */ | ||
383 | void | ||
384 | -do_setusercontext(struct passwd *pw) | ||
385 | +do_setusercontext(struct passwd *pw, const char *role) | ||
386 | { | ||
387 | char *chroot_path, *tmp; | ||
388 | |||
389 | @@ -1495,7 +1495,7 @@ | ||
390 | endgrent(); | ||
391 | #endif | ||
392 | |||
393 | - platform_setusercontext_post_groups(pw); | ||
394 | + platform_setusercontext_post_groups(pw, role); | ||
395 | |||
396 | if (options.chroot_directory != NULL && | ||
397 | strcasecmp(options.chroot_directory, "none") != 0) { | ||
398 | @@ -1618,7 +1618,7 @@ | ||
399 | |||
400 | /* Force a password change */ | ||
401 | if (s->authctxt->force_pwchange) { | ||
402 | - do_setusercontext(pw); | ||
403 | + do_setusercontext(pw, s->authctxt->role); | ||
404 | child_close_fds(); | ||
405 | do_pwchange(s); | ||
406 | exit(1); | ||
407 | @@ -1645,7 +1645,7 @@ | ||
408 | /* When PAM is enabled we rely on it to do the nologin check */ | ||
409 | if (!options.use_pam) | ||
410 | do_nologin(pw); | ||
411 | - do_setusercontext(pw); | ||
412 | + do_setusercontext(pw, s->authctxt->role); | ||
413 | /* | ||
414 | * PAM session modules in do_setusercontext may have | ||
415 | * generated messages, so if this in an interactive | ||
416 | @@ -2057,7 +2057,7 @@ | ||
417 | tty_parse_modes(s->ttyfd, &n_bytes); | ||
418 | |||
419 | if (!use_privsep) | ||
420 | - pty_setowner(s->pw, s->tty); | ||
421 | + pty_setowner(s->pw, s->tty, s->authctxt->role); | ||
422 | |||
423 | /* Set window size from the packet. */ | ||
424 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | ||
425 | Index: b/session.h | ||
426 | =================================================================== | ||
427 | --- a/session.h | ||
428 | +++ b/session.h | ||
429 | @@ -76,7 +76,7 @@ | ||
430 | Session *session_new(void); | ||
431 | Session *session_by_tty(char *); | ||
432 | void session_close(Session *); | ||
433 | -void do_setusercontext(struct passwd *); | ||
434 | +void do_setusercontext(struct passwd *, const char *); | ||
435 | void child_set_env(char ***envp, u_int *envsizep, const char *name, | ||
436 | const char *value); | ||
437 | |||
438 | Index: b/sshd.c | ||
439 | =================================================================== | ||
440 | --- a/sshd.c | ||
441 | +++ b/sshd.c | ||
442 | @@ -707,7 +707,7 @@ | ||
443 | RAND_seed(rnd, sizeof(rnd)); | ||
444 | |||
445 | /* Drop privileges */ | ||
446 | - do_setusercontext(authctxt->pw); | ||
447 | + do_setusercontext(authctxt->pw, authctxt->role); | ||
448 | |||
449 | skip: | ||
450 | /* It is safe now to apply the key state */ | ||
451 | Index: b/sshpty.c | ||
452 | =================================================================== | ||
453 | --- a/sshpty.c | ||
454 | +++ b/sshpty.c | ||
455 | @@ -200,7 +200,7 @@ | ||
456 | } | ||
457 | |||
458 | void | ||
459 | -pty_setowner(struct passwd *pw, const char *tty) | ||
460 | +pty_setowner(struct passwd *pw, const char *tty, const char *role) | ||
461 | { | ||
462 | struct group *grp; | ||
463 | gid_t gid; | ||
464 | @@ -227,7 +227,7 @@ | ||
465 | strerror(errno)); | ||
466 | |||
467 | #ifdef WITH_SELINUX | ||
468 | - ssh_selinux_setup_pty(pw->pw_name, tty); | ||
469 | + ssh_selinux_setup_pty(pw->pw_name, tty, role); | ||
470 | #endif | ||
471 | |||
472 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { | ||
473 | Index: b/sshpty.h | ||
474 | =================================================================== | ||
475 | --- a/sshpty.h | ||
476 | +++ b/sshpty.h | ||
477 | @@ -24,4 +24,4 @@ | ||
478 | void pty_release(const char *); | ||
479 | void pty_make_controlling_tty(int *, const char *); | ||
480 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); | ||
481 | -void pty_setowner(struct passwd *, const char *); | ||
482 | +void pty_setowner(struct passwd *, const char *, const char *); | ||