-rw-r--r--ChangeLog5
-rw-r--r--openbsd-compat/port-linux.c25
2 files changed, 24 insertions, 6 deletions
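diff --git a/ChangeLog b/ChangeLog
index 3c557ed5b..9bf90758c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20110829
+ - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
+   to switch SELinux context away from unconfined_t, based on patch from
+   Jan Chadima; bz#1919 ok dtucker@
+
 20110827
  - (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.
 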
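diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index be763656e..ea8dff40f 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.15 2011/08/12 00:12:55 dtucker Exp $ */
+/* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -38,6 +38,10 @@
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
+#ifndef SSH_SELINUX_UNCONFINED_TYPE
+# define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
+#endif
+
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 ssh_selinux_enabled(void)
@@ -177,12 +181,13 @@ ssh_selinux_change_context(const char *newname)
 {
 	int len, newlen;
 	char *oldctx, *newctx, *cx;
+	void (*switchlog) (const char *fmt,...) = logit;
 
 	if (!ssh_selinux_enabled())
 		return;
 
 	if (getcon((security_context_t *)&oldctx) < 0) {
-		logit("%s: getcon failed with %s", __func__, strerror (errno));
+		logit("%s: getcon failed with %s", __func__, strerror(errno));
 		return;
 	}
 	if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
@@ -191,6 +196,14 @@ ssh_selinux_change_context(const char *newname)
 		return;
 	}
 
+	/*
+	 * Check whether we are attempting to switch away from an unconfined
+	 * security context.
+	 */
+	if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
+	    sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
+		switchlog = debug3;
+
 	newlen = strlen(oldctx) + strlen(newname) + 1;
 	newctx = xmalloc(newlen);
 	len = cx - oldctx + 1;
@@ -198,11 +211,11 @@ ssh_selinux_change_context(const char *newname)
 	strlcpy(newctx + len, newname, newlen - len);
 	if ((cx = index(cx + 1, ':')))
 		strlcat(newctx, cx, newlen);
-	debug3("%s: setting context from '%s' to '%s'", __func__, oldctx,
-	    newctx);
+	debug3("%s: setting context from '%s' to '%s'", __func__,
+	    oldctx, newctx);
 	if (setcon(newctx) < 0)
-		logit("%s: setcon %s from %s failed with %s", __func__, newctx,
-		    oldctx, strerror (errno));
+		switchlog("%s: setcon %s from %s failed with %s", __func__,
+		    newctx, oldctx, strerror(errno));
 	xfree(oldctx);
 	xfree(newctx);
 }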
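Review bot: The unconfined_t match at new lines 203-205 requires a ':' after the type name, because SSH_SELINUX_UNCONFINED_TYPE carries both delimiters, so a context whose type is the last field — the case the later `if ((cx = index(cx + 1, ':')))` already allows for — would not match and a failed setcon would still be reported through logit rather than debug3. Comparing the type name and then accepting either ':' or the end of the string after it closes that gap; the sketch below keeps the macro's default shape, so an override via -D must still carry the leading and trailing ':'. A smaller point: assigning logit/debug3 to a bare `void (*)(const char *, ...)` pointer presumably drops whatever printf format attribute log.h puts on those functions, so -Wformat will not check the switchlog call at new line 217 — worth a short comment on the declaration at line 184 if that is accepted. ssh_selinux_change_context's signature sits just above the first of its hunks, outside what is shown.
```c
	int len, newlen;
	size_t tlen;
	char *oldctx, *newctx, *cx;
	void (*switchlog) (const char *fmt,...) = logit;
	/* … unchanged: getcon, locate the type field in oldctx … */
	/*
	 * Check whether we are attempting to switch away from an unconfined
	 * security context.  Match the type name whether or not a range
	 * field follows it, since the context may end after the type.
	 */
	tlen = sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 2;	/* drop the trailing ':' */
	if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE, tlen) == 0 &&
	    (cx[tlen] == ':' || cx[tlen] == '\0'))
		switchlog = debug3;
	/* … unchanged: build newctx, setcon, free … */
```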