Manoj Srivastava:

- Added SELinux capability, and turned it on be default. Added
  restorecon calls in preinst and postinst (should not matter if the
  machine is not SELinux aware). By and large, the changes made should
  have no effect unless the rules file calls --with-selinux; and even
  then there should be no performance hit for machines not actively
  running SELinux.
- Modified the preinst and postinst to call restorecon to set the
  security context for the generated public key files.
- Added a comment to /etc/pam.d/ssh to indicate that an SELinux system
  may want to also include pam_selinux.so.

1 files changed, 4 insertions, 0 deletions

diff --git a/session.c b/session.c
index 8ac476c69..bdfcb26f9 100644
--- a/session.c
+++ b/session.c
@@ -58,6 +58,8 @@ RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $");
 #include "session.h"
 #include "monitor_wrap.h"
 
+#include "selinux.h"
+
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
@@ -1342,6 +1344,8 @@ do_setusercontext(struct passwd *pw)
 #endif
         if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
                 fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+
+        setup_selinux_exec_context(pw->pw_name);
 }
 
 static void