summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2011-01-25 12:59:25 +0000
committerColin Watson <cjwatson@debian.org>2011-01-25 12:59:25 +0000
commitddf3ca2157b82d609f169eb22706047cbee7d3b4 (patch)
tree9ae03508881372c8f22df0e4f7d44df4532f10b0 /debian
parent5e750371bb19c8cc58b5faea70278d857acdae0a (diff)
Rearrange selinux-role.patch so that it links properly given this
SELinux build fix.
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/selinux-build-failure.patch26
-rw-r--r--debian/patches/selinux-role.patch226
3 files changed, 223 insertions, 31 deletions
diff --git a/debian/changelog b/debian/changelog
index b063f0fac..5d1d80e6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,8 @@ openssh (1:5.7p1-1) UNRELEASED; urgency=low
27 /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config. 27 /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config.
28 * Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support. 28 * Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support.
29 * Backport SELinux build fix from CVS. 29 * Backport SELinux build fix from CVS.
30 * Rearrange selinux-role.patch so that it links properly given this
31 SELinux build fix.
30 32
31 -- Colin Watson <cjwatson@debian.org> Mon, 24 Jan 2011 12:07:24 +0000 33 -- Colin Watson <cjwatson@debian.org> Mon, 24 Jan 2011 12:07:24 +0000
32 34
diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch
index 47c953009..fb96e87b9 100644
--- a/debian/patches/selinux-build-failure.patch
+++ b/debian/patches/selinux-build-failure.patch
@@ -90,7 +90,7 @@ Index: b/configure
90 KRB5CONF 90 KRB5CONF
91 PRIVSEP_PATH 91 PRIVSEP_PATH
92 xauth_path 92 xauth_path
93@@ -9047,7 +9159,6 @@ 93@@ -9047,7 +9048,6 @@
94 _ACEOF 94 _ACEOF
95 95
96 SSHDLIBS="$SSHDLIBS -lcontract" 96 SSHDLIBS="$SSHDLIBS -lcontract"
@@ -98,7 +98,7 @@ Index: b/configure
98 SPC_MSG="yes" 98 SPC_MSG="yes"
99 fi 99 fi
100 100
101@@ -9126,7 +9237,6 @@ 101@@ -9126,7 +9126,6 @@
102 _ACEOF 102 _ACEOF
103 103
104 SSHDLIBS="$SSHDLIBS -lproject" 104 SSHDLIBS="$SSHDLIBS -lproject"
@@ -106,7 +106,7 @@ Index: b/configure
106 SP_MSG="yes" 106 SP_MSG="yes"
107 fi 107 fi
108 108
109@@ -27806,6 +27916,7 @@ 109@@ -27806,6 +27805,7 @@
110 { (exit 1); exit 1; }; } 110 { (exit 1); exit 1; }; }
111 fi 111 fi
112 112
@@ -114,7 +114,7 @@ Index: b/configure
114 SSHDLIBS="$SSHDLIBS $LIBSELINUX" 114 SSHDLIBS="$SSHDLIBS $LIBSELINUX"
115 115
116 116
117@@ -27908,6 +28019,8 @@ 117@@ -27908,6 +27908,8 @@
118 fi 118 fi
119 119
120 120
@@ -123,7 +123,7 @@ Index: b/configure
123 # Check whether user wants Kerberos 5 support 123 # Check whether user wants Kerberos 5 support
124 KRB5_MSG="no" 124 KRB5_MSG="no"
125 125
126@@ -31416,7 +31529,6 @@ 126@@ -31416,7 +31418,6 @@
127 LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim 127 LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
128 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim 128 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
129 LD!$LD$ac_delim 129 LD!$LD$ac_delim
@@ -131,7 +131,7 @@ Index: b/configure
131 PKGCONFIG!$PKGCONFIG$ac_delim 131 PKGCONFIG!$PKGCONFIG$ac_delim
132 LIBEDIT!$LIBEDIT$ac_delim 132 LIBEDIT!$LIBEDIT$ac_delim
133 TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim 133 TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim
134@@ -31433,6 +31545,7 @@ 134@@ -31433,6 +31434,7 @@
135 PROG_SAR!$PROG_SAR$ac_delim 135 PROG_SAR!$PROG_SAR$ac_delim
136 PROG_W!$PROG_W$ac_delim 136 PROG_W!$PROG_W$ac_delim
137 PROG_WHO!$PROG_WHO$ac_delim 137 PROG_WHO!$PROG_WHO$ac_delim
@@ -139,7 +139,7 @@ Index: b/configure
139 _ACEOF 139 _ACEOF
140 140
141 if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then 141 if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
142@@ -31474,7 +31587,6 @@ 142@@ -31474,7 +31476,6 @@
143 ac_delim='%!_!# ' 143 ac_delim='%!_!# '
144 for ac_last_try in false false false false false :; do 144 for ac_last_try in false false false false false :; do
145 cat >conf$$subs.sed <<_ACEOF 145 cat >conf$$subs.sed <<_ACEOF
@@ -147,7 +147,7 @@ Index: b/configure
147 PROG_LASTLOG!$PROG_LASTLOG$ac_delim 147 PROG_LASTLOG!$PROG_LASTLOG$ac_delim
148 PROG_DF!$PROG_DF$ac_delim 148 PROG_DF!$PROG_DF$ac_delim
149 PROG_VMSTAT!$PROG_VMSTAT$ac_delim 149 PROG_VMSTAT!$PROG_VMSTAT$ac_delim
150@@ -31482,6 +31594,8 @@ 150@@ -31482,6 +31483,8 @@
151 PROG_IPCS!$PROG_IPCS$ac_delim 151 PROG_IPCS!$PROG_IPCS$ac_delim
152 PROG_TAIL!$PROG_TAIL$ac_delim 152 PROG_TAIL!$PROG_TAIL$ac_delim
153 INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim 153 INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
@@ -156,7 +156,7 @@ Index: b/configure
156 KRB5CONF!$KRB5CONF$ac_delim 156 KRB5CONF!$KRB5CONF$ac_delim
157 PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim 157 PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
158 xauth_path!$xauth_path$ac_delim 158 xauth_path!$xauth_path$ac_delim
159@@ -31496,7 +31610,7 @@ 159@@ -31496,7 +31499,7 @@
160 LTLIBOBJS!$LTLIBOBJS$ac_delim 160 LTLIBOBJS!$LTLIBOBJS$ac_delim
161 _ACEOF 161 _ACEOF
162 162
@@ -165,7 +165,7 @@ Index: b/configure
165 break 165 break
166 elif $ac_last_try; then 166 elif $ac_last_try; then
167 { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 167 { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
168@@ -31993,6 +32107,9 @@ 168@@ -31993,6 +31996,9 @@
169 if test ! -z "${SSHDLIBS}"; then 169 if test ! -z "${SSHDLIBS}"; then
170 echo " +for sshd: ${SSHDLIBS}" 170 echo " +for sshd: ${SSHDLIBS}"
171 fi 171 fi
@@ -179,7 +179,7 @@ Index: b/openbsd-compat/port-linux.c
179=================================================================== 179===================================================================
180--- a/openbsd-compat/port-linux.c 180--- a/openbsd-compat/port-linux.c
181+++ b/openbsd-compat/port-linux.c 181+++ b/openbsd-compat/port-linux.c
182@@ -222,6 +222,20 @@ 182@@ -218,6 +218,20 @@
183 xfree(oldctx); 183 xfree(oldctx);
184 xfree(newctx); 184 xfree(newctx);
185 } 185 }
@@ -205,8 +205,8 @@ Index: b/openbsd-compat/port-linux.h
205--- a/openbsd-compat/port-linux.h 205--- a/openbsd-compat/port-linux.h
206+++ b/openbsd-compat/port-linux.h 206+++ b/openbsd-compat/port-linux.h
207@@ -24,6 +24,7 @@ 207@@ -24,6 +24,7 @@
208 void ssh_selinux_setup_pty(char *, const char *); 208 void ssh_selinux_setup_pty(char *, const char *, const char *);
209 void ssh_selinux_setup_exec_context(char *); 209 void ssh_selinux_setup_exec_context(char *, const char *);
210 void ssh_selinux_change_context(const char *); 210 void ssh_selinux_change_context(const char *);
211+void ssh_selinux_setfscreatecon(const char *); 211+void ssh_selinux_setfscreatecon(const char *);
212 #endif 212 #endif
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 74cd06201..30db352dd 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -156,6 +156,15 @@ Index: b/monitor.c
156 return (0); 156 return (0);
157 } 157 }
158 158
159@@ -1327,7 +1353,7 @@
160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161 if (res == 0)
162 goto error;
163- pty_setowner(authctxt->pw, s->tty);
164+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
165
166 buffer_put_int(m, 1);
167 buffer_put_cstring(m, s->tty);
159Index: b/monitor.h 168Index: b/monitor.h
160=================================================================== 169===================================================================
161--- a/monitor.h 170--- a/monitor.h
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c
247 #include "log.h" 256 #include "log.h"
248 #include "xmalloc.h" 257 #include "xmalloc.h"
249 #include "port-linux.h" 258 #include "port-linux.h"
250@@ -38,6 +44,8 @@ 259@@ -54,9 +60,9 @@
251 #include <selinux/flask.h>
252 #include <selinux/get_context_list.h>
253 260
254+extern Authctxt *the_authctxt; 261 /* Return the default security context for the given username */
255+
256 /* Wrapper around is_selinux_enabled() to log its return value once only */
257 int
258 ssh_selinux_enabled(void)
259@@ -56,8 +64,8 @@
260 static security_context_t 262 static security_context_t
261 ssh_selinux_getctxbyname(char *pwname) 263-ssh_selinux_getctxbyname(char *pwname)
264+ssh_selinux_getctxbyname(char *pwname, const char *role)
262 { 265 {
263- security_context_t sc; 266- security_context_t sc;
264- char *sename = NULL, *lvl = NULL;
265+ security_context_t sc = NULL; 267+ security_context_t sc = NULL;
266+ char *sename = NULL, *role = NULL, *lvl = NULL; 268 char *sename = NULL, *lvl = NULL;
267 int r; 269 int r;
268 270
269 #ifdef HAVE_GETSEUSERBYNAME 271@@ -69,9 +75,16 @@
270@@ -67,11 +75,20 @@
271 sename = pwname;
272 lvl = NULL;
273 #endif 272 #endif
274+ if (the_authctxt)
275+ role = the_authctxt->role;
276 273
277 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 274 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
278- r = get_default_context_with_level(sename, lvl, NULL, &sc); 275- r = get_default_context_with_level(sename, lvl, NULL, &sc);
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c
290 #endif 287 #endif
291 288
292 if (r != 0) { 289 if (r != 0) {
290@@ -102,7 +115,7 @@
291
292 /* Set the execution context to the default for the specified user */
293 void
294-ssh_selinux_setup_exec_context(char *pwname)
295+ssh_selinux_setup_exec_context(char *pwname, const char *role)
296 {
297 security_context_t user_ctx = NULL;
298
299@@ -111,7 +124,7 @@
300
301 debug3("%s: setting execution context", __func__);
302
303- user_ctx = ssh_selinux_getctxbyname(pwname);
304+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
305 if (setexeccon(user_ctx) != 0) {
306 switch (security_getenforce()) {
307 case -1:
308@@ -133,7 +146,7 @@
309
310 /* Set the TTY context for the specified user */
311 void
312-ssh_selinux_setup_pty(char *pwname, const char *tty)
313+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
314 {
315 security_context_t new_tty_ctx = NULL;
316 security_context_t user_ctx = NULL;
317@@ -144,7 +157,7 @@
318
319 debug3("%s: setting TTY context on %s", __func__, tty);
320
321- user_ctx = ssh_selinux_getctxbyname(pwname);
322+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
323
324 /* XXX: should these calls fatal() upon failure in enforcing mode? */
325
326Index: b/openbsd-compat/port-linux.h
327===================================================================
328--- a/openbsd-compat/port-linux.h
329+++ b/openbsd-compat/port-linux.h
330@@ -21,8 +21,8 @@
331
332 #ifdef WITH_SELINUX
333 int ssh_selinux_enabled(void);
334-void ssh_selinux_setup_pty(char *, const char *);
335-void ssh_selinux_setup_exec_context(char *);
336+void ssh_selinux_setup_pty(char *, const char *, const char *);
337+void ssh_selinux_setup_exec_context(char *, const char *);
338 void ssh_selinux_change_context(const char *);
339 #endif
340
341Index: b/platform.c
342===================================================================
343--- a/platform.c
344+++ b/platform.c
345@@ -134,7 +134,7 @@
346 * called if sshd is running as root.
347 */
348 void
349-platform_setusercontext_post_groups(struct passwd *pw)
350+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
351 {
352 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
353 /*
354@@ -181,7 +181,7 @@
355 }
356 #endif /* HAVE_SETPCRED */
357 #ifdef WITH_SELINUX
358- ssh_selinux_setup_exec_context(pw->pw_name);
359+ ssh_selinux_setup_exec_context(pw->pw_name, role);
360 #endif
361 }
362
363Index: b/platform.h
364===================================================================
365--- a/platform.h
366+++ b/platform.h
367@@ -26,7 +26,7 @@
368 void platform_post_fork_child(void);
369 int platform_privileged_uidswap(void);
370 void platform_setusercontext(struct passwd *);
371-void platform_setusercontext_post_groups(struct passwd *);
372+void platform_setusercontext_post_groups(struct passwd *, const char *);
373 char *platform_get_krb5_client(const char *);
374 char *platform_krb5_get_principal_name(const char *);
375
376Index: b/session.c
377===================================================================
378--- a/session.c
379+++ b/session.c
380@@ -1467,7 +1467,7 @@
381
382 /* Set login name, uid, gid, and groups. */
383 void
384-do_setusercontext(struct passwd *pw)
385+do_setusercontext(struct passwd *pw, const char *role)
386 {
387 char *chroot_path, *tmp;
388
389@@ -1495,7 +1495,7 @@
390 endgrent();
391 #endif
392
393- platform_setusercontext_post_groups(pw);
394+ platform_setusercontext_post_groups(pw, role);
395
396 if (options.chroot_directory != NULL &&
397 strcasecmp(options.chroot_directory, "none") != 0) {
398@@ -1618,7 +1618,7 @@
399
400 /* Force a password change */
401 if (s->authctxt->force_pwchange) {
402- do_setusercontext(pw);
403+ do_setusercontext(pw, s->authctxt->role);
404 child_close_fds();
405 do_pwchange(s);
406 exit(1);
407@@ -1645,7 +1645,7 @@
408 /* When PAM is enabled we rely on it to do the nologin check */
409 if (!options.use_pam)
410 do_nologin(pw);
411- do_setusercontext(pw);
412+ do_setusercontext(pw, s->authctxt->role);
413 /*
414 * PAM session modules in do_setusercontext may have
415 * generated messages, so if this in an interactive
416@@ -2057,7 +2057,7 @@
417 tty_parse_modes(s->ttyfd, &n_bytes);
418
419 if (!use_privsep)
420- pty_setowner(s->pw, s->tty);
421+ pty_setowner(s->pw, s->tty, s->authctxt->role);
422
423 /* Set window size from the packet. */
424 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
425Index: b/session.h
426===================================================================
427--- a/session.h
428+++ b/session.h
429@@ -76,7 +76,7 @@
430 Session *session_new(void);
431 Session *session_by_tty(char *);
432 void session_close(Session *);
433-void do_setusercontext(struct passwd *);
434+void do_setusercontext(struct passwd *, const char *);
435 void child_set_env(char ***envp, u_int *envsizep, const char *name,
436 const char *value);
437
438Index: b/sshd.c
439===================================================================
440--- a/sshd.c
441+++ b/sshd.c
442@@ -707,7 +707,7 @@
443 RAND_seed(rnd, sizeof(rnd));
444
445 /* Drop privileges */
446- do_setusercontext(authctxt->pw);
447+ do_setusercontext(authctxt->pw, authctxt->role);
448
449 skip:
450 /* It is safe now to apply the key state */
451Index: b/sshpty.c
452===================================================================
453--- a/sshpty.c
454+++ b/sshpty.c
455@@ -200,7 +200,7 @@
456 }
457
458 void
459-pty_setowner(struct passwd *pw, const char *tty)
460+pty_setowner(struct passwd *pw, const char *tty, const char *role)
461 {
462 struct group *grp;
463 gid_t gid;
464@@ -227,7 +227,7 @@
465 strerror(errno));
466
467 #ifdef WITH_SELINUX
468- ssh_selinux_setup_pty(pw->pw_name, tty);
469+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
470 #endif
471
472 if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
473Index: b/sshpty.h
474===================================================================
475--- a/sshpty.h
476+++ b/sshpty.h
477@@ -24,4 +24,4 @@
478 void pty_release(const char *);
479 void pty_make_controlling_tty(int *, const char *);
480 void pty_change_window_size(int, u_int, u_int, u_int, u_int);
481-void pty_setowner(struct passwd *, const char *);
482+void pty_setowner(struct passwd *, const char *, const char *);