10 files changed, 247 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 5328aa9c4..92a2f25d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,14 @@
+20060421
+ - (djm) [Makefile.in configure.ac session.c sshpty.c]
+   [contrib/redhat/sshd.init openbsd-compat/Makefile.in]
+   [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
+   [openbsd-compat/port-linux.h] Add support for SELinux, setting 
+   the execution and TTY contexts. based on patch from Daniel Walsh,
+   bz #880; ok dtucker@
 20060418
- - (djm) Reorder IP options check so that it isn't broken by 
+ - (djm) [canohost.c] Reorder IP options check so that it isn't broken
-   mapped addresses; bz #1179 reported by markw wtech-llc.com;
+   by mapped addresses; bz #1179 reported by markw wtech-llc.com;
   ok dtucker@
 20060331
@@ -4500,4 +4508,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4301 2006/04/18 05:13:16 djm Exp $
+$Id: ChangeLog,v 1.4302 2006/04/22 11:26:08 djm Exp $
diff --git a/Makefile.in b/Makefile.in
index 57475f003..9bc25e7a7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.276 2006/03/15 02:09:18 djm Exp $
+# $Id: Makefile.in,v 1.277 2006/04/22 11:26:08 djm Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -43,6 +43,7 @@ LD=@LD@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
+LIBSELINUX=@LIBSELINUX@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
 LIBWRAP=@LIBWRAP@
@@ -136,7 +137,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
        $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
        $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff --git a/configure.ac b/configure.ac
index 9e037ab0e..093c17643 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.338 2006/03/15 21:14:34 dtucker Exp $
+# $Id: configure.ac,v 1.339 2006/04/22 11:26:08 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.338 $)
+AC_REVISION($Revision: 1.339 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_CONFIG_HEADER(config.h)
@@ -3000,6 +3000,23 @@ int main()
                        [#include <arpa/nameser.h>])
        ])
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+LIBSELINUX=""
+AC_ARG_WITH(selinux,
+        [  --with-selinux   Enable SELinux support],
+        [ if test "x$withval" != "xno" ; then
+                AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
+                SELINUX_MSG="yes"
+                AC_CHECK_HEADER([selinux/selinux.h], ,
+                    AC_MSG_ERROR(SELinux support requires selinux.h header))
+                AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
+                    AC_MSG_ERROR(SELinux support requires libselinux library))
+                AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+        fi ]
+)
+AC_SUBST(LIBSELINUX)
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
@@ -3818,6 +3835,7 @@ fi
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
+echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index 4ee8630c3..e5d837cbc 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -35,6 +35,9 @@ do_rsa1_keygen() {
                if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA1_KEY
                        chmod 644 $RSA1_KEY.pub
+                        if [ -x /sbin/restorecon ]; then
+                            /sbin/restorecon $RSA1_KEY.pub
+                        fi
                        success $"RSA1 key generation"
                        echo
                else
@@ -51,6 +54,9 @@ do_rsa_keygen() {
                if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA_KEY
                        chmod 644 $RSA_KEY.pub
+                        if [ -x /sbin/restorecon ]; then
+                            /sbin/restorecon $RSA_KEY.pub
+                        fi
                        success $"RSA key generation"
                        echo
                else
@@ -67,6 +73,9 @@ do_dsa_keygen() {
                if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
+                        if [ -x /sbin/restorecon ]; then
+                            /sbin/restorecon $DSA_KEY.pub
+                        fi
                        success $"DSA key generation"
                        echo
                else
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index f1a706241..67e521bfe 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.38 2006/03/15 02:09:20 djm Exp $
+# $Id: Makefile.in,v 1.39 2006/04/22 11:26:08 djm Exp $
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgroupl
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-irix.o port-aix.o port-uw.o port-tun.o
+PORTS=port-irix.o port-linux.o port-aix.o port-uw.o port-tun.o
 .c.o:
        $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 432b183e7..eda9c49eb 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.35 2006/03/15 11:25:55 dtucker Exp $ */
+/* $Id: openbsd-compat.h,v 1.36 2006/04/22 11:26:08 djm Exp $ */
 /*
 * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -185,6 +185,7 @@ char *shadow_pw(struct passwd *pw);
 #include "bsd-cray.h"
 #include "bsd-cygwin_util.h"
 #include "port-irix.h"
+#include "port-linux.h"
 #include "port-aix.h"
 #include "port-uw.h"
 #include "port-tun.h"
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
new file mode 100644
index 000000000..54ec2910e
--- /dev/null
+++ b/openbsd-compat/port-linux.c
@@ -0,0 +1,165 @@
+/* $Id: port-linux.c,v 1.1 2006/04/22 11:26:08 djm Exp $ */
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+#include "includes.h"
+#ifdef WITH_SELINUX
+#include "log.h"
+#include "port-linux.h"
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+static int
+ssh_selinux_enabled(void)
+{
+        static int enabled = -1;
+        if (enabled == -1) {
+                enabled = is_selinux_enabled();
+                debug("SELinux support %s", enabled ? "enabled" : "disabled");
+        }
+        return (enabled);
+}
+/* Return the default security context for the given username */
+static security_context_t
+ssh_selinux_getctxbyname(char *pwname)
+{
+        security_context_t sc;
+        char *sename = NULL, *lvl = NULL;
+        int r;
+#ifdef HAVE_GETSEUSERBYNAME
+        if (getseuserbyname(pwname, &sename, &lvl) != 0)
+                return NULL;
+#else
+        sename = pwname;
+        lvl = NULL;
+#endif
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+        r = get_default_context_with_level(sename, lvl, NULL, &sc);
+#else
+        r = get_default_context(sename, NULL, &sc);
+#endif
+        if (r != 0) {
+                switch (security_getenforce()) {
+                case -1:
+                        fatal("%s: ssh_selinux_getctxbyname: "
+                            "security_getenforce() failed", __func__);
+                case 0:
+                        error("%s: Failed to get default SELinux security "
+                            "context for %s", __func__, pwname);
+                default:
+                        fatal("%s: Failed to get default SELinux security "
+                            "context for %s (in enforcing mode)",
+                            __func__, pwname);
+                }
+        }
+#ifdef HAVE_GETSEUSERBYNAME
+        if (sename != NULL)
+                xfree(sename);
+        if (lvl != NULL)
+                xfree(lvl);
+#endif
+        return (sc);
+}
+/* Set the execution context to the default for the specified user */
+void
+ssh_selinux_setup_exec_context(char *pwname)
+{
+        security_context_t user_ctx = NULL;
+        if (!ssh_selinux_enabled())
+                return;
+        debug3("%s: setting execution context", __func__);
+        user_ctx = ssh_selinux_getctxbyname(pwname);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+                        fatal("%s: security_getenforce() failed", __func__);
+                case 0:
+                        error("%s: Failed to set SELinux execution "
+                            "context for %s", __func__, pwname);
+                default:
+                        fatal("%s: Failed to set SELinux execution context "
+                            "for %s (in enforcing mode)", __func__, pwname);
+                }
+        }
+        if (user_ctx != NULL)
+                freecon(user_ctx);
+        debug3("%s: done", __func__);
+}
+/* Set the TTY context for the specified user */
+void
+ssh_selinux_setup_pty(char *pwname, const char *tty)
+{
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+        security_context_t old_tty_ctx = NULL;
+        if (!ssh_selinux_enabled())
+                return;
+        debug3("%s: setting TTY context on %s", __func__, tty);
+        user_ctx = ssh_selinux_getctxbyname(pwname);
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+        if (getfilecon(tty, &old_tty_ctx) == -1) {
+                error("%s: getfilecon: %s", __func__, strerror(errno));
+                goto out;
+        }
+        if (security_compute_relabel(user_ctx, old_tty_ctx,
+            SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+                error("%s: security_compute_relabel: %s",
+                    __func__, strerror(errno));
+                goto out;
+        }
+        if (setfilecon(tty, new_tty_ctx) != 0)
+                error("%s: setfilecon: %s", __func__, strerror(errno));
+ out:
+        if (new_tty_ctx != NULL)
+                freecon(new_tty_ctx);
+        if (old_tty_ctx != NULL)
+                freecon(old_tty_ctx);
+        if (user_ctx != NULL)
+                freecon(user_ctx);
+        debug3("%s: done", __func__);
+}
+#endif /* WITH_SELINUX */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
new file mode 100644
index 000000000..05e520e1c
--- /dev/null
+++ b/openbsd-compat/port-linux.h
@@ -0,0 +1,27 @@
+/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */
+/*
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef _PORT_LINUX_H
+#define _PORT_LINUX_H
+#ifdef WITH_SELINUX
+void ssh_selinux_setup_pty(char *, const char *);
+void ssh_selinux_setup_exec_context(char *);
+#endif
+#endif /* ! _PORT_LINUX_H */
diff --git a/session.c b/session.c
index 8b837d07d..bba3fa21f 100644
--- a/session.c
+++ b/session.c
@@ -1352,6 +1352,10 @@ do_setusercontext(struct passwd *pw)
 #endif
        if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
                fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+#ifdef WITH_SELINUX
+        ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
 }
 static void
diff --git a/sshpty.c b/sshpty.c
index a15df0414..0e49e9a16 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -210,6 +210,10 @@ pty_setowner(struct passwd *pw, const char *tty)
                fatal("stat(%.100s) failed: %.100s", tty,
                    strerror(errno));
+#ifdef WITH_SELINUX
+        ssh_selinux_setup_pty(pw->pw_name, tty);
+#endif
        if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
                if (chown(tty, pw->pw_uid, gid) < 0) {
                        if (errno == EROFS &&

diff --git a/ChangeLog b/ChangeLog index 5328aa9c4..92a2f25d6 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,6 +1,14 @@
		1	20060421
		2	- (djm) [Makefile.in configure.ac session.c sshpty.c]
		3	[contrib/redhat/sshd.init openbsd-compat/Makefile.in]
		4	[openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
		5	[openbsd-compat/port-linux.h] Add support for SELinux, setting
		6	the execution and TTY contexts. based on patch from Daniel Walsh,
		7	bz #880; ok dtucker@
		8
1	20060418	9	20060418
2	- (djm) Reorder IP options check so that it isn't broken by	10	- (djm) [canohost.c] Reorder IP options check so that it isn't broken
3	mapped addresses; bz #1179 reported by markw wtech-llc.com;	11	by mapped addresses; bz #1179 reported by markw wtech-llc.com;
4	ok dtucker@	12	ok dtucker@
5		13
6	20060331	14	20060331
@@ -4500,4 +4508,4 @@
4500	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	4508	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
4501	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	4509	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
4502		4510
4503	$Id: ChangeLog,v 1.4301 2006/04/18 05:13:16 djm Exp $	4511	$Id: ChangeLog,v 1.4302 2006/04/22 11:26:08 djm Exp $


diff --git a/Makefile.in b/Makefile.in index 57475f003..9bc25e7a7 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -1,4 +1,4 @@
1	# $Id: Makefile.in,v 1.276 2006/03/15 02:09:18 djm Exp $	1	# $Id: Makefile.in,v 1.277 2006/04/22 11:26:08 djm Exp $
2		2
3	# uncomment if you run a non bourne compatable shell. Ie. csh	3	# uncomment if you run a non bourne compatable shell. Ie. csh
4	#SHELL = @SH@	4	#SHELL = @SH@
@@ -43,6 +43,7 @@ LD=@LD@
43	CFLAGS=@CFLAGS@	43	CFLAGS=@CFLAGS@
44	CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@	44	CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
45	LIBS=@LIBS@	45	LIBS=@LIBS@
		46	LIBSELINUX=@LIBSELINUX@
46	LIBEDIT=@LIBEDIT@	47	LIBEDIT=@LIBEDIT@
47	LIBPAM=@LIBPAM@	48	LIBPAM=@LIBPAM@
48	LIBWRAP=@LIBWRAP@	49	LIBWRAP=@LIBWRAP@
@@ -136,7 +137,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
136	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)	137	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
137		138
138	sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)	139	sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
139	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)	140	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
140		141
141	scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o	142	scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
142	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)	143	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)


diff --git a/configure.ac b/configure.ac index 9e037ab0e..093c17643 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,4 +1,4 @@
1	# $Id: configure.ac,v 1.338 2006/03/15 21:14:34 dtucker Exp $	1	# $Id: configure.ac,v 1.339 2006/04/22 11:26:08 djm Exp $
2	#	2	#
3	# Copyright (c) 1999-2004 Damien Miller	3	# Copyright (c) 1999-2004 Damien Miller
4	#	4	#
@@ -15,7 +15,7 @@
15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16		16
17	AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)	17	AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
18	AC_REVISION($Revision: 1.338 $)	18	AC_REVISION($Revision: 1.339 $)
19	AC_CONFIG_SRCDIR([ssh.c])	19	AC_CONFIG_SRCDIR([ssh.c])
20		20
21	AC_CONFIG_HEADER(config.h)	21	AC_CONFIG_HEADER(config.h)
@@ -3000,6 +3000,23 @@ int main()
3000	[#include <arpa/nameser.h>])	3000	[#include <arpa/nameser.h>])
3001	])	3001	])
3002		3002
		3003	# Check whether user wants SELinux support
		3004	SELINUX_MSG="no"
		3005	LIBSELINUX=""
		3006	AC_ARG_WITH(selinux,
		3007	[ --with-selinux Enable SELinux support],
		3008	[ if test "x$withval" != "xno" ; then
		3009	AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
		3010	SELINUX_MSG="yes"
		3011	AC_CHECK_HEADER([selinux/selinux.h], ,
		3012	AC_MSG_ERROR(SELinux support requires selinux.h header))
		3013	AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
		3014	AC_MSG_ERROR(SELinux support requires libselinux library))
		3015	AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
		3016	fi ]
		3017	)
		3018	AC_SUBST(LIBSELINUX)
		3019
3003	# Check whether user wants Kerberos 5 support	3020	# Check whether user wants Kerberos 5 support
3004	KRB5_MSG="no"	3021	KRB5_MSG="no"
3005	AC_ARG_WITH(kerberos5,	3022	AC_ARG_WITH(kerberos5,
@@ -3818,6 +3835,7 @@ fi
3818	echo " Manpage format: $MANTYPE"	3835	echo " Manpage format: $MANTYPE"
3819	echo " PAM support: $PAM_MSG"	3836	echo " PAM support: $PAM_MSG"
3820	echo " KerberosV support: $KRB5_MSG"	3837	echo " KerberosV support: $KRB5_MSG"
		3838	echo " SELinux support: $SELINUX_MSG"
3821	echo " Smartcard support: $SCARD_MSG"	3839	echo " Smartcard support: $SCARD_MSG"
3822	echo " S/KEY support: $SKEY_MSG"	3840	echo " S/KEY support: $SKEY_MSG"
3823	echo " TCP Wrappers support: $TCPW_MSG"	3841	echo " TCP Wrappers support: $TCPW_MSG"


diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init index 4ee8630c3..e5d837cbc 100755 --- a/contrib/redhat/sshd.init +++ b/contrib/redhat/sshd.init
@@ -35,6 +35,9 @@ do_rsa1_keygen() {
35	if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then	35	if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
36	chmod 600 $RSA1_KEY	36	chmod 600 $RSA1_KEY
37	chmod 644 $RSA1_KEY.pub	37	chmod 644 $RSA1_KEY.pub
		38	if [ -x /sbin/restorecon ]; then
		39	/sbin/restorecon $RSA1_KEY.pub
		40	fi
38	success $"RSA1 key generation"	41	success $"RSA1 key generation"
39	echo	42	echo
40	else	43	else
@@ -51,6 +54,9 @@ do_rsa_keygen() {
51	if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then	54	if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
52	chmod 600 $RSA_KEY	55	chmod 600 $RSA_KEY
53	chmod 644 $RSA_KEY.pub	56	chmod 644 $RSA_KEY.pub
		57	if [ -x /sbin/restorecon ]; then
		58	/sbin/restorecon $RSA_KEY.pub
		59	fi
54	success $"RSA key generation"	60	success $"RSA key generation"
55	echo	61	echo
56	else	62	else
@@ -67,6 +73,9 @@ do_dsa_keygen() {
67	if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then	73	if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
68	chmod 600 $DSA_KEY	74	chmod 600 $DSA_KEY
69	chmod 644 $DSA_KEY.pub	75	chmod 644 $DSA_KEY.pub
		76	if [ -x /sbin/restorecon ]; then
		77	/sbin/restorecon $DSA_KEY.pub
		78	fi
70	success $"DSA key generation"	79	success $"DSA key generation"
71	echo	80	echo
72	else	81	else


diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index f1a706241..67e521bfe 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
1	# $Id: Makefile.in,v 1.38 2006/03/15 02:09:20 djm Exp $	1	# $Id: Makefile.in,v 1.39 2006/04/22 11:26:08 djm Exp $
2		2
3	sysconfdir=@sysconfdir@	3	sysconfdir=@sysconfdir@
4	piddir=@piddir@	4	piddir=@piddir@
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgroupl
20		20
21	COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o	21	COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
22		22
23	PORTS=port-irix.o port-aix.o port-uw.o port-tun.o	23	PORTS=port-irix.o port-linux.o port-aix.o port-uw.o port-tun.o
24		24
25	.c.o:	25	.c.o:
26	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<	26	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<


diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 432b183e7..eda9c49eb 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
1	/* $Id: openbsd-compat.h,v 1.35 2006/03/15 11:25:55 dtucker Exp $ */	1	/* $Id: openbsd-compat.h,v 1.36 2006/04/22 11:26:08 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 1999-2003 Damien Miller. All rights reserved.	4	* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -185,6 +185,7 @@ char shadow_pw(struct passwd pw);
185	#include "bsd-cray.h"	185	#include "bsd-cray.h"
186	#include "bsd-cygwin_util.h"	186	#include "bsd-cygwin_util.h"
187	#include "port-irix.h"	187	#include "port-irix.h"
		188	#include "port-linux.h"
188	#include "port-aix.h"	189	#include "port-aix.h"
189	#include "port-uw.h"	190	#include "port-uw.h"
190	#include "port-tun.h"	191	#include "port-tun.h"


diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c new file mode 100644 index 000000000..54ec2910e --- /dev/null +++ b/openbsd-compat/port-linux.c
@@ -0,0 +1,165 @@
		1	/* $Id: port-linux.c,v 1.1 2006/04/22 11:26:08 djm Exp $ */
		2
		3	/*
		4	* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
		5	* Copyright (c) 2006 Damien Miller <djm@openbsd.org>
		6	*
		7	* Permission to use, copy, modify, and distribute this software for any
		8	* purpose with or without fee is hereby granted, provided that the above
		9	* copyright notice and this permission notice appear in all copies.
		10	*
		11	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		12	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		13	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		14	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		15	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		16	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		17	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		18	*/
		19
		20	/*
		21	* Linux-specific portability code - just SELinux support at present
		22	*/
		23
		24	#include "includes.h"
		25
		26	#ifdef WITH_SELINUX
		27	#include "log.h"
		28	#include "port-linux.h"
		29
		30	#include <selinux/selinux.h>
		31	#include <selinux/flask.h>
		32	#include <selinux/get_context_list.h>
		33
		34	/* Wrapper around is_selinux_enabled() to log its return value once only */
		35	static int
		36	ssh_selinux_enabled(void)
		37	{
		38	static int enabled = -1;
		39
		40	if (enabled == -1) {
		41	enabled = is_selinux_enabled();
		42	debug("SELinux support %s", enabled ? "enabled" : "disabled");
		43	}
		44
		45	return (enabled);
		46	}
		47
		48	/* Return the default security context for the given username */
		49	static security_context_t
		50	ssh_selinux_getctxbyname(char *pwname)
		51	{
		52	security_context_t sc;
		53	char sename = NULL, lvl = NULL;
		54	int r;
		55
		56	#ifdef HAVE_GETSEUSERBYNAME
		57	if (getseuserbyname(pwname, &sename, &lvl) != 0)
		58	return NULL;
		59	#else
		60	sename = pwname;
		61	lvl = NULL;
		62	#endif
		63
		64	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
		65	r = get_default_context_with_level(sename, lvl, NULL, &sc);
		66	#else
		67	r = get_default_context(sename, NULL, &sc);
		68	#endif
		69
		70	if (r != 0) {
		71	switch (security_getenforce()) {
		72	case -1:
		73	fatal("%s: ssh_selinux_getctxbyname: "
		74	"security_getenforce() failed", __func__);
		75	case 0:
		76	error("%s: Failed to get default SELinux security "
		77	"context for %s", __func__, pwname);
		78	default:
		79	fatal("%s: Failed to get default SELinux security "
		80	"context for %s (in enforcing mode)",
		81	__func__, pwname);
		82	}
		83	}
		84
		85	#ifdef HAVE_GETSEUSERBYNAME
		86	if (sename != NULL)
		87	xfree(sename);
		88	if (lvl != NULL)
		89	xfree(lvl);
		90	#endif
		91
		92	return (sc);
		93	}
		94
		95	/* Set the execution context to the default for the specified user */
		96	void
		97	ssh_selinux_setup_exec_context(char *pwname)
		98	{
		99	security_context_t user_ctx = NULL;
		100
		101	if (!ssh_selinux_enabled())
		102	return;
		103
		104	debug3("%s: setting execution context", __func__);
		105
		106	user_ctx = ssh_selinux_getctxbyname(pwname);
		107	if (setexeccon(user_ctx) != 0) {
		108	switch (security_getenforce()) {
		109	case -1:
		110	fatal("%s: security_getenforce() failed", __func__);
		111	case 0:
		112	error("%s: Failed to set SELinux execution "
		113	"context for %s", __func__, pwname);
		114	default:
		115	fatal("%s: Failed to set SELinux execution context "
		116	"for %s (in enforcing mode)", __func__, pwname);
		117	}
		118	}
		119	if (user_ctx != NULL)
		120	freecon(user_ctx);
		121
		122	debug3("%s: done", __func__);
		123	}
		124
		125	/* Set the TTY context for the specified user */
		126	void
		127	ssh_selinux_setup_pty(char pwname, const char tty)
		128	{
		129	security_context_t new_tty_ctx = NULL;
		130	security_context_t user_ctx = NULL;
		131	security_context_t old_tty_ctx = NULL;
		132
		133	if (!ssh_selinux_enabled())
		134	return;
		135
		136	debug3("%s: setting TTY context on %s", __func__, tty);
		137
		138	user_ctx = ssh_selinux_getctxbyname(pwname);
		139
		140	/* XXX: should these calls fatal() upon failure in enforcing mode? */
		141
		142	if (getfilecon(tty, &old_tty_ctx) == -1) {
		143	error("%s: getfilecon: %s", __func__, strerror(errno));
		144	goto out;
		145	}
		146
		147	if (security_compute_relabel(user_ctx, old_tty_ctx,
		148	SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
		149	error("%s: security_compute_relabel: %s",
		150	__func__, strerror(errno));
		151	goto out;
		152	}
		153
		154	if (setfilecon(tty, new_tty_ctx) != 0)
		155	error("%s: setfilecon: %s", __func__, strerror(errno));
		156	out:
		157	if (new_tty_ctx != NULL)
		158	freecon(new_tty_ctx);
		159	if (old_tty_ctx != NULL)
		160	freecon(old_tty_ctx);
		161	if (user_ctx != NULL)
		162	freecon(user_ctx);
		163	debug3("%s: done", __func__);
		164	}
		165	#endif /* WITH_SELINUX */


diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h new file mode 100644 index 000000000..05e520e1c --- /dev/null +++ b/openbsd-compat/port-linux.h
@@ -0,0 +1,27 @@
		1	/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */
		2
		3	/*
		4	* Copyright (c) 2006 Damien Miller <djm@openbsd.org>
		5	*
		6	* Permission to use, copy, modify, and distribute this software for any
		7	* purpose with or without fee is hereby granted, provided that the above
		8	* copyright notice and this permission notice appear in all copies.
		9	*
		10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		17	*/
		18
		19	#ifndef _PORT_LINUX_H
		20	#define _PORT_LINUX_H
		21
		22	#ifdef WITH_SELINUX
		23	void ssh_selinux_setup_pty(char , const char );
		24	void ssh_selinux_setup_exec_context(char *);
		25	#endif
		26
		27	#endif /* ! _PORT_LINUX_H */


diff --git a/session.c b/session.c index 8b837d07d..bba3fa21f 100644 --- a/session.c +++ b/session.c
@@ -1352,6 +1352,10 @@ do_setusercontext(struct passwd *pw)
1352	#endif	1352	#endif
1353	if (getuid() != pw->pw_uid \|\| geteuid() != pw->pw_uid)	1353	if (getuid() != pw->pw_uid \|\| geteuid() != pw->pw_uid)
1354	fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);	1354	fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
		1355
		1356	#ifdef WITH_SELINUX
		1357	ssh_selinux_setup_exec_context(pw->pw_name);
		1358	#endif
1355	}	1359	}
1356		1360
1357	static void	1361	static void


diff --git a/sshpty.c b/sshpty.c index a15df0414..0e49e9a16 100644 --- a/sshpty.c +++ b/sshpty.c
@@ -210,6 +210,10 @@ pty_setowner(struct passwd pw, const char tty)
210	fatal("stat(%.100s) failed: %.100s", tty,	210	fatal("stat(%.100s) failed: %.100s", tty,
211	strerror(errno));	211	strerror(errno));
212		212
		213	#ifdef WITH_SELINUX
		214	ssh_selinux_setup_pty(pw->pw_name, tty);
		215	#endif
		216
213	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {	217	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {
214	if (chown(tty, pw->pw_uid, gid) < 0) {	218	if (chown(tty, pw->pw_uid, gid) < 0) {
215	if (errno == EROFS &&	219	if (errno == EROFS &&