1 files changed, 473 insertions, 0 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
new file mode 100644
index 000000000..ae83d23b0
--- /dev/null
+++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,473 @@
+From e5d3ea2ca423a54b1d53d45252cb7173a15600eb Mon Sep 17 00:00:00 2001
+From: Manoj Srivastava <srivasta@debian.org>
+Date: Sun, 9 Feb 2014 16:09:49 +0000
+Subject: Handle SELinux authorisation roles
+Rejected upstream due to discomfort with magic usernames; a better approach
+will need an SSH protocol change.  In the meantime, this came from Debian's
+SELinux maintainer, so we'll keep it until we have something better.
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
+Bug-Debian: http://bugs.debian.org/394795
+Last-Update: 2015-08-19
+Patch-Name: selinux-role.patch
+---
+ auth.h                      |  1 +
+ auth2.c                     | 10 ++++++++--
+ monitor.c                   | 32 +++++++++++++++++++++++++++++---
+ monitor.h                   |  2 ++
+ monitor_wrap.c              | 22 ++++++++++++++++++++--
+ monitor_wrap.h              |  3 ++-
+ openbsd-compat/port-linux.c | 27 ++++++++++++++++++++-------
+ openbsd-compat/port-linux.h |  4 ++--
+ platform.c                  |  4 ++--
+ platform.h                  |  2 +-
+ session.c                   | 10 +++++-----
+ session.h                   |  2 +-
+ sshd.c                      |  2 +-
+ sshpty.c                    |  4 ++--
+ sshpty.h                    |  2 +-
+ 15 files changed, 97 insertions(+), 30 deletions(-)
+diff --git a/auth.h b/auth.h
+index 338a62da..8c658d16 100644
+--- a/auth.h
+++ b/auth.h
+@@ -62,6 +62,7 @@ struct Authctxt {
+        char            *service;
+        struct passwd   *pw;            /* set if 'valid' */
+        char            *style;
+       char            *role;
+        void            *kbdintctxt;
+        char            *info;          /* Extra info for next auth_log */
+ #ifdef BSD_AUTH
+diff --git a/auth2.c b/auth2.c
+index 946e9235..2f51be23 100644
+--- a/auth2.c
+++ b/auth2.c
+@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+        struct ssh *ssh = active_state; /* XXX */
+        Authctxt *authctxt = ctxt;
+        Authmethod *m = NULL;
+-       char *user, *service, *method, *style = NULL;
+       char *user, *service, *method, *style = NULL, *role = NULL;
+        int authenticated = 0;
+ 
+        if (authctxt == NULL)
+@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+        debug("userauth-request for user %s service %s method %s", user, service, method);
+        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = 0;
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = 0;
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        if (authctxt->attempt++ == 0) {
+                /* setup auth context */
+@@ -257,8 +262,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+                    use_privsep ? " [net]" : "");
+                authctxt->service = xstrdup(service);
+                authctxt->style = style ? xstrdup(style) : NULL;
+               authctxt->role = role ? xstrdup(role) : NULL;
+                if (use_privsep)
+-                       mm_inform_authserv(service, style);
+                       mm_inform_authserv(service, style, role);
+                userauth_banner();
+                if (auth2_setup_methods_lists(authctxt) != 0)
+                        packet_disconnect("no authentication methods enabled");
+diff --git a/monitor.c b/monitor.c
+index 506645c7..7452e20e 100644
+--- a/monitor.c
+++ b/monitor.c
+@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = {
+     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -791,6 +793,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+ 
+        /* Allow service/style information on the auth context */
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+       monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ 
+ #ifdef USE_PAM
+@@ -821,14 +824,37 @@ mm_answer_authserv(int sock, Buffer *m)
+ 
+        authctxt->service = buffer_get_string(m, NULL);
+        authctxt->style = buffer_get_string(m, NULL);
+-       debug3("%s: service=%s, style=%s",
+-           __func__, authctxt->service, authctxt->style);
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: service=%s, style=%s, role=%s",
+           __func__, authctxt->service, authctxt->style, authctxt->role);
+ 
+        if (strlen(authctxt->style) == 0) {
+                free(authctxt->style);
+                authctxt->style = NULL;
+        }
+ 
+       if (strlen(authctxt->role) == 0) {
+               free(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+       return (0);
+}
+
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+       monitor_permit_authentications(1);
+
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: role=%s",
+           __func__, authctxt->role);
+
+       if (strlen(authctxt->role) == 0) {
+               free(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+        return (0);
+ }
+ 
+@@ -1463,7 +1489,7 @@ mm_answer_pty(int sock, Buffer *m)
+        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
+        if (res == 0)
+                goto error;
+-       pty_setowner(authctxt->pw, s->tty);
+       pty_setowner(authctxt->pw, s->tty, authctxt->role);
+ 
+        buffer_put_int(m, 1);
+        buffer_put_cstring(m, s->tty);
+diff --git a/monitor.h b/monitor.h
+index ec41404c..4c7955d7 100644
+--- a/monitor.h
+++ b/monitor.h
+@@ -68,6 +68,8 @@ enum monitor_reqtype {
+        MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
+        MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
+ 
+       MONITOR_REQ_AUTHROLE = 154,
+
+ };
+ 
+ struct monitor {
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index d5cb640a..2ff8064a 100644
+--- a/monitor_wrap.c
+++ b/monitor_wrap.c
+@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
+        return (banner);
+ }
+ 
+-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
+ 
+ void
+-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
+ {
+        Buffer m;
+ 
+@@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style)
+        buffer_init(&m);
+        buffer_put_cstring(&m, service);
+        buffer_put_cstring(&m, style ? style : "");
+       buffer_put_cstring(&m, role ? role : "");
+ 
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
+ 
+        buffer_free(&m);
+ }
+ 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+       Buffer m;
+
+       debug3("%s entering", __func__);
+
+       buffer_init(&m);
+       buffer_put_cstring(&m, role ? role : "");
+
+       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+       buffer_free(&m);
+}
+
+ /* Do the password authentication */
+ int
+ mm_auth_password(Authctxt *authctxt, char *password)
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 8f9dd896..3e75867c 100644
+--- a/monitor_wrap.h
+++ b/monitor_wrap.h
+@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
+ int mm_is_monitor(void);
+ DH *mm_choose_dh(int, int, int);
+ int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
+-void mm_inform_authserv(char *, char *);
+void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
+ struct passwd *mm_getpwnamallow(const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct Authctxt *, char *);
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index e4c5d1b7..e26faf08 100644
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -27,6 +27,12 @@
+ #include <string.h>
+ #include <stdio.h>
+ 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
+@@ -56,7 +62,7 @@ ssh_selinux_enabled(void)
+ 
+ /* Return the default security context for the given username */
+ static security_context_t
+-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
+ {
+        security_context_t sc = NULL;
+        char *sename = NULL, *lvl = NULL;
+@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname)
+ #endif
+ 
+ #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+-       r = get_default_context_with_level(sename, lvl, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+                                                      &sc);
+       else
+               r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ #else
+-       r = get_default_context(sename, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_role(sename, role, NULL, &sc);
+       else
+               r = get_default_context(sename, NULL, &sc);
+ #endif
+ 
+        if (r != 0) {
+@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname)
+ 
+ /* Set the execution context to the default for the specified user */
+ void
+-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
+ {
+        security_context_t user_ctx = NULL;
+ 
+@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+ 
+        debug3("%s: setting execution context", __func__);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+ 
+ /* Set the TTY context for the specified user */
+ void
+-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
+ {
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+@@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
+ 
+        debug3("%s: setting TTY context on %s", __func__, tty);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+ 
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+ 
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index 3c22a854..c8812942 100644
+--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
+@@ -19,8 +19,8 @@
+ 
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+-void ssh_selinux_setup_pty(char *, const char *);
+-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
+ void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
+ #endif
+diff --git a/platform.c b/platform.c
+index 973a63e4..cd7bf566 100644
+--- a/platform.c
+++ b/platform.c
+@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
+  * called if sshd is running as root.
+  */
+ void
+-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
+ {
+ #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+        /*
+@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+        }
+ #endif /* HAVE_SETPCRED */
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_exec_context(pw->pw_name);
+       ssh_selinux_setup_exec_context(pw->pw_name, role);
+ #endif
+ }
+ 
+diff --git a/platform.h b/platform.h
+index ea4f9c58..60d72ffe 100644
+--- a/platform.h
+++ b/platform.h
+@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+ void platform_setusercontext(struct passwd *);
+-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
+ char *platform_get_krb5_client(const char *);
+ char *platform_krb5_get_principal_name(const char *);
+ int platform_sys_dir_uid(uid_t);
+diff --git a/session.c b/session.c
+index a08aa69d..ea3871eb 100644
+--- a/session.c
+++ b/session.c
+@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)
+ 
+ /* Set login name, uid, gid, and groups. */
+ void
+-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
+ {
+        char *chroot_path, *tmp;
+ 
+@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)
+                endgrent();
+ #endif
+ 
+-               platform_setusercontext_post_groups(pw);
+               platform_setusercontext_post_groups(pw, role);
+ 
+                if (!in_chroot && options.chroot_directory != NULL &&
+                    strcasecmp(options.chroot_directory, "none") != 0) {
+@@ -1489,7 +1489,7 @@ do_child(Session *s, const char *command)
+ 
+        /* Force a password change */
+        if (s->authctxt->force_pwchange) {
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                child_close_fds();
+                do_pwchange(s);
+                exit(1);
+@@ -1511,7 +1511,7 @@ do_child(Session *s, const char *command)
+        /* When PAM is enabled we rely on it to do the nologin check */
+        if (!options.use_pam)
+                do_nologin(pw);
+-       do_setusercontext(pw);
+       do_setusercontext(pw, s->authctxt->role);
+        /*
+         * PAM session modules in do_setusercontext may have
+         * generated messages, so if this in an interactive
+@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)
+        tty_parse_modes(s->ttyfd, &n_bytes);
+ 
+        if (!use_privsep)
+-               pty_setowner(s->pw, s->tty);
+               pty_setowner(s->pw, s->tty, s->authctxt->role);
+ 
+        /* Set window size from the packet. */
+        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+diff --git a/session.h b/session.h
+index 98e1dafe..0a31dce4 100644
+--- a/session.h
+++ b/session.h
+@@ -76,7 +76,7 @@ void   session_pty_cleanup2(Session *);
+ Session        *session_new(void);
+ Session        *session_by_tty(char *);
+ void    session_close(Session *);
+-void    do_setusercontext(struct passwd *);
+void    do_setusercontext(struct passwd *, const char *);
+ void    child_set_env(char ***envp, u_int *envsizep, const char *name,
+                       const char *value);
+ 
+diff --git a/sshd.c b/sshd.c
+index 38cf9b49..9221632e 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
+        reseed_prngs();
+ 
+        /* Drop privileges */
+-       do_setusercontext(authctxt->pw);
+       do_setusercontext(authctxt->pw, authctxt->role);
+ 
+  skip:
+        /* It is safe now to apply the key state */
+diff --git a/sshpty.c b/sshpty.c
+index fe2fb5aa..feb22b06 100644
+--- a/sshpty.c
+++ b/sshpty.c
+@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
+ }
+ 
+ void
+-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
+ {
+        struct group *grp;
+        gid_t gid;
+@@ -209,7 +209,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+                    strerror(errno));
+ 
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_pty(pw->pw_name, tty);
+       ssh_selinux_setup_pty(pw->pw_name, tty, role);
+ #endif
+ 
+        if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+diff --git a/sshpty.h b/sshpty.h
+index 9ec7e9a1..de7e000a 100644
+--- a/sshpty.h
+++ b/sshpty.h
+@@ -24,5 +24,5 @@ int    pty_allocate(int *, int *, char *, size_t);
+ void    pty_release(const char *);
+ void    pty_make_controlling_tty(int *, const char *);
+ void    pty_change_window_size(int, u_int, u_int, u_int, u_int);
+-void    pty_setowner(struct passwd *, const char *);
+void    pty_setowner(struct passwd *, const char *, const char *);
+ void    disconnect_controlling_tty(void);

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch new file mode 100644 index 000000000..ae83d23b0 --- /dev/null +++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,473 @@
	1	From e5d3ea2ca423a54b1d53d45252cb7173a15600eb Mon Sep 17 00:00:00 2001
	2	From: Manoj Srivastava <srivasta@debian.org>
	3	Date: Sun, 9 Feb 2014 16:09:49 +0000
	4	Subject: Handle SELinux authorisation roles
	5
	6	Rejected upstream due to discomfort with magic usernames; a better approach
	7	will need an SSH protocol change. In the meantime, this came from Debian's
	8	SELinux maintainer, so we'll keep it until we have something better.
	9
	10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
	11	Bug-Debian: http://bugs.debian.org/394795
	12	Last-Update: 2015-08-19
	13
	14	Patch-Name: selinux-role.patch
	15	---
	16	auth.h \| 1 +
	17	auth2.c \| 10 ++++++++--
	18	monitor.c \| 32 +++++++++++++++++++++++++++++---
	19	monitor.h \| 2 ++
	20	monitor_wrap.c \| 22 ++++++++++++++++++++--
	21	monitor_wrap.h \| 3 ++-
	22	openbsd-compat/port-linux.c \| 27 ++++++++++++++++++++-------
	23	openbsd-compat/port-linux.h \| 4 ++--
	24	platform.c \| 4 ++--
	25	platform.h \| 2 +-
	26	session.c \| 10 +++++-----
	27	session.h \| 2 +-
	28	sshd.c \| 2 +-
	29	sshpty.c \| 4 ++--
	30	sshpty.h \| 2 +-
	31	15 files changed, 97 insertions(+), 30 deletions(-)
	32
	33	diff --git a/auth.h b/auth.h
	34	index 338a62da..8c658d16 100644
	35	--- a/auth.h
	36	+++ b/auth.h
	37	@@ -62,6 +62,7 @@ struct Authctxt {
	38	char *service;
	39	struct passwd pw; / set if 'valid' */
	40	char *style;
	41	+ char *role;
	42	void *kbdintctxt;
	43	char info; / Extra info for next auth_log */
	44	#ifdef BSD_AUTH
	45	diff --git a/auth2.c b/auth2.c
	46	index 946e9235..2f51be23 100644
	47	--- a/auth2.c
	48	+++ b/auth2.c
	49	@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
	50	struct ssh ssh = active_state; / XXX */
	51	Authctxt *authctxt = ctxt;
	52	Authmethod *m = NULL;
	53	- char user, service, method, style = NULL;
	54	+ char user, service, method, style = NULL, *role = NULL;
	55	int authenticated = 0;
	56
	57	if (authctxt == NULL)
	58	@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
	59	debug("userauth-request for user %s service %s method %s", user, service, method);
	60	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
	61
	62	+ if ((role = strchr(user, '/')) != NULL)
	63	+ *role++ = 0;
	64	+
	65	if ((style = strchr(user, ':')) != NULL)
	66	*style++ = 0;
	67	+ else if (role && (style = strchr(role, ':')) != NULL)
	68	+ *style++ = '\0';
	69
	70	if (authctxt->attempt++ == 0) {
	71	/* setup auth context */
	72	@@ -257,8 +262,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
	73	use_privsep ? " [net]" : "");
	74	authctxt->service = xstrdup(service);
	75	authctxt->style = style ? xstrdup(style) : NULL;
	76	+ authctxt->role = role ? xstrdup(role) : NULL;
	77	if (use_privsep)
	78	- mm_inform_authserv(service, style);
	79	+ mm_inform_authserv(service, style, role);
	80	userauth_banner();
	81	if (auth2_setup_methods_lists(authctxt) != 0)
	82	packet_disconnect("no authentication methods enabled");
	83	diff --git a/monitor.c b/monitor.c
	84	index 506645c7..7452e20e 100644
	85	--- a/monitor.c
	86	+++ b/monitor.c
	87	@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
	88	int mm_answer_pwnamallow(int, Buffer *);
	89	int mm_answer_auth2_read_banner(int, Buffer *);
	90	int mm_answer_authserv(int, Buffer *);
	91	+int mm_answer_authrole(int, Buffer *);
	92	int mm_answer_authpassword(int, Buffer *);
	93	int mm_answer_bsdauthquery(int, Buffer *);
	94	int mm_answer_bsdauthrespond(int, Buffer *);
	95	@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = {
	96	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
	97	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
	98	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
	99	+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
	100	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
	101	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
	102	#ifdef USE_PAM
	103	@@ -791,6 +793,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
	104
	105	/* Allow service/style information on the auth context */
	106	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
	107	+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
	108	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
	109
	110	#ifdef USE_PAM
	111	@@ -821,14 +824,37 @@ mm_answer_authserv(int sock, Buffer *m)
	112
	113	authctxt->service = buffer_get_string(m, NULL);
	114	authctxt->style = buffer_get_string(m, NULL);
	115	- debug3("%s: service=%s, style=%s",
	116	- __func__, authctxt->service, authctxt->style);
	117	+ authctxt->role = buffer_get_string(m, NULL);
	118	+ debug3("%s: service=%s, style=%s, role=%s",
	119	+ __func__, authctxt->service, authctxt->style, authctxt->role);
	120
	121	if (strlen(authctxt->style) == 0) {
	122	free(authctxt->style);
	123	authctxt->style = NULL;
	124	}
	125
	126	+ if (strlen(authctxt->role) == 0) {
	127	+ free(authctxt->role);
	128	+ authctxt->role = NULL;
	129	+ }
	130	+
	131	+ return (0);
	132	+}
	133	+
	134	+int
	135	+mm_answer_authrole(int sock, Buffer *m)
	136	+{
	137	+ monitor_permit_authentications(1);
	138	+
	139	+ authctxt->role = buffer_get_string(m, NULL);
	140	+ debug3("%s: role=%s",
	141	+ __func__, authctxt->role);
	142	+
	143	+ if (strlen(authctxt->role) == 0) {
	144	+ free(authctxt->role);
	145	+ authctxt->role = NULL;
	146	+ }
	147	+
	148	return (0);
	149	}
	150
	151	@@ -1463,7 +1489,7 @@ mm_answer_pty(int sock, Buffer *m)
	152	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
	153	if (res == 0)
	154	goto error;
	155	- pty_setowner(authctxt->pw, s->tty);
	156	+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
	157
	158	buffer_put_int(m, 1);
	159	buffer_put_cstring(m, s->tty);
	160	diff --git a/monitor.h b/monitor.h
	161	index ec41404c..4c7955d7 100644
	162	--- a/monitor.h
	163	+++ b/monitor.h
	164	@@ -68,6 +68,8 @@ enum monitor_reqtype {
	165	MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
	166	MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
	167
	168	+ MONITOR_REQ_AUTHROLE = 154,
	169	+
	170	};
	171
	172	struct monitor {
	173	diff --git a/monitor_wrap.c b/monitor_wrap.c
	174	index d5cb640a..2ff8064a 100644
	175	--- a/monitor_wrap.c
	176	+++ b/monitor_wrap.c
	177	@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
	178	return (banner);
	179	}
	180
	181	-/* Inform the privileged process about service and style */
	182	+/* Inform the privileged process about service, style, and role */
	183
	184	void
	185	-mm_inform_authserv(char service, char style)
	186	+mm_inform_authserv(char service, char style, char *role)
	187	{
	188	Buffer m;
	189
	190	@@ -339,12 +339,30 @@ mm_inform_authserv(char service, char style)
	191	buffer_init(&m);
	192	buffer_put_cstring(&m, service);
	193	buffer_put_cstring(&m, style ? style : "");
	194	+ buffer_put_cstring(&m, role ? role : "");
	195
	196	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
	197
	198	buffer_free(&m);
	199	}
	200
	201	+/* Inform the privileged process about role */
	202	+
	203	+void
	204	+mm_inform_authrole(char *role)
	205	+{
	206	+ Buffer m;
	207	+
	208	+ debug3("%s entering", __func__);
	209	+
	210	+ buffer_init(&m);
	211	+ buffer_put_cstring(&m, role ? role : "");
	212	+
	213	+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
	214	+
	215	+ buffer_free(&m);
	216	+}
	217	+
	218	/* Do the password authentication */
	219	int
	220	mm_auth_password(Authctxt authctxt, char password)
	221	diff --git a/monitor_wrap.h b/monitor_wrap.h
	222	index 8f9dd896..3e75867c 100644
	223	--- a/monitor_wrap.h
	224	+++ b/monitor_wrap.h
	225	@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char , void );
	226	int mm_is_monitor(void);
	227	DH *mm_choose_dh(int, int, int);
	228	int mm_key_sign(Key , u_char , u_int , const u_char , u_int, const char );
	229	-void mm_inform_authserv(char , char );
	230	+void mm_inform_authserv(char , char , char *);
	231	+void mm_inform_authrole(char *);
	232	struct passwd mm_getpwnamallow(const char );
	233	char *mm_auth2_read_banner(void);
	234	int mm_auth_password(struct Authctxt , char );
	235	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
	236	index e4c5d1b7..e26faf08 100644
	237	--- a/openbsd-compat/port-linux.c
	238	+++ b/openbsd-compat/port-linux.c
	239	@@ -27,6 +27,12 @@
	240	#include <string.h>
	241	#include <stdio.h>
	242
	243	+#ifdef WITH_SELINUX
	244	+#include "key.h"
	245	+#include "hostfile.h"
	246	+#include "auth.h"
	247	+#endif
	248	+
	249	#include "log.h"
	250	#include "xmalloc.h"
	251	#include "port-linux.h"
	252	@@ -56,7 +62,7 @@ ssh_selinux_enabled(void)
	253
	254	/* Return the default security context for the given username */
	255	static security_context_t
	256	-ssh_selinux_getctxbyname(char *pwname)
	257	+ssh_selinux_getctxbyname(char pwname, const char role)
	258	{
	259	security_context_t sc = NULL;
	260	char sename = NULL, lvl = NULL;
	261	@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname)
	262	#endif
	263
	264	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
	265	- r = get_default_context_with_level(sename, lvl, NULL, &sc);
	266	+ if (role != NULL && role[0])
	267	+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
	268	+ &sc);
	269	+ else
	270	+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
	271	#else
	272	- r = get_default_context(sename, NULL, &sc);
	273	+ if (role != NULL && role[0])
	274	+ r = get_default_context_with_role(sename, role, NULL, &sc);
	275	+ else
	276	+ r = get_default_context(sename, NULL, &sc);
	277	#endif
	278
	279	if (r != 0) {
	280	@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname)
	281
	282	/* Set the execution context to the default for the specified user */
	283	void
	284	-ssh_selinux_setup_exec_context(char *pwname)
	285	+ssh_selinux_setup_exec_context(char pwname, const char role)
	286	{
	287	security_context_t user_ctx = NULL;
	288
	289	@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname)
	290
	291	debug3("%s: setting execution context", __func__);
	292
	293	- user_ctx = ssh_selinux_getctxbyname(pwname);
	294	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
	295	if (setexeccon(user_ctx) != 0) {
	296	switch (security_getenforce()) {
	297	case -1:
	298	@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname)
	299
	300	/* Set the TTY context for the specified user */
	301	void
	302	-ssh_selinux_setup_pty(char pwname, const char tty)
	303	+ssh_selinux_setup_pty(char pwname, const char tty, const char *role)
	304	{
	305	security_context_t new_tty_ctx = NULL;
	306	security_context_t user_ctx = NULL;
	307	@@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char pwname, const char tty)
	308
	309	debug3("%s: setting TTY context on %s", __func__, tty);
	310
	311	- user_ctx = ssh_selinux_getctxbyname(pwname);
	312	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
	313
	314	/* XXX: should these calls fatal() upon failure in enforcing mode? */
	315
	316	diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
	317	index 3c22a854..c8812942 100644
	318	--- a/openbsd-compat/port-linux.h
	319	+++ b/openbsd-compat/port-linux.h
	320	@@ -19,8 +19,8 @@
	321
	322	#ifdef WITH_SELINUX
	323	int ssh_selinux_enabled(void);
	324	-void ssh_selinux_setup_pty(char , const char );
	325	-void ssh_selinux_setup_exec_context(char *);
	326	+void ssh_selinux_setup_pty(char , const char , const char *);
	327	+void ssh_selinux_setup_exec_context(char , const char );
	328	void ssh_selinux_change_context(const char *);
	329	void ssh_selinux_setfscreatecon(const char *);
	330	#endif
	331	diff --git a/platform.c b/platform.c
	332	index 973a63e4..cd7bf566 100644
	333	--- a/platform.c
	334	+++ b/platform.c
	335	@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
	336	* called if sshd is running as root.
	337	*/
	338	void
	339	-platform_setusercontext_post_groups(struct passwd *pw)
	340	+platform_setusercontext_post_groups(struct passwd pw, const char role)
	341	{
	342	#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
	343	/*
	344	@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
	345	}
	346	#endif /* HAVE_SETPCRED */
	347	#ifdef WITH_SELINUX
	348	- ssh_selinux_setup_exec_context(pw->pw_name);
	349	+ ssh_selinux_setup_exec_context(pw->pw_name, role);
	350	#endif
	351	}
	352
	353	diff --git a/platform.h b/platform.h
	354	index ea4f9c58..60d72ffe 100644
	355	--- a/platform.h
	356	+++ b/platform.h
	357	@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
	358	void platform_post_fork_child(void);
	359	int platform_privileged_uidswap(void);
	360	void platform_setusercontext(struct passwd *);
	361	-void platform_setusercontext_post_groups(struct passwd *);
	362	+void platform_setusercontext_post_groups(struct passwd , const char );
	363	char platform_get_krb5_client(const char );
	364	char platform_krb5_get_principal_name(const char );
	365	int platform_sys_dir_uid(uid_t);
	366	diff --git a/session.c b/session.c
	367	index a08aa69d..ea3871eb 100644
	368	--- a/session.c
	369	+++ b/session.c
	370	@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)
	371
	372	/* Set login name, uid, gid, and groups. */
	373	void
	374	-do_setusercontext(struct passwd *pw)
	375	+do_setusercontext(struct passwd pw, const char role)
	376	{
	377	char chroot_path, tmp;
	378
	379	@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)
	380	endgrent();
	381	#endif
	382
	383	- platform_setusercontext_post_groups(pw);
	384	+ platform_setusercontext_post_groups(pw, role);
	385
	386	if (!in_chroot && options.chroot_directory != NULL &&
	387	strcasecmp(options.chroot_directory, "none") != 0) {
	388	@@ -1489,7 +1489,7 @@ do_child(Session s, const char command)
	389
	390	/* Force a password change */
	391	if (s->authctxt->force_pwchange) {
	392	- do_setusercontext(pw);
	393	+ do_setusercontext(pw, s->authctxt->role);
	394	child_close_fds();
	395	do_pwchange(s);
	396	exit(1);
	397	@@ -1511,7 +1511,7 @@ do_child(Session s, const char command)
	398	/* When PAM is enabled we rely on it to do the nologin check */
	399	if (!options.use_pam)
	400	do_nologin(pw);
	401	- do_setusercontext(pw);
	402	+ do_setusercontext(pw, s->authctxt->role);
	403	/*
	404	* PAM session modules in do_setusercontext may have
	405	* generated messages, so if this in an interactive
	406	@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)
	407	tty_parse_modes(s->ttyfd, &n_bytes);
	408
	409	if (!use_privsep)
	410	- pty_setowner(s->pw, s->tty);
	411	+ pty_setowner(s->pw, s->tty, s->authctxt->role);
	412
	413	/* Set window size from the packet. */
	414	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
	415	diff --git a/session.h b/session.h
	416	index 98e1dafe..0a31dce4 100644
	417	--- a/session.h
	418	+++ b/session.h
	419	@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
	420	Session *session_new(void);
	421	Session session_by_tty(char );
	422	void session_close(Session *);
	423	-void do_setusercontext(struct passwd *);
	424	+void do_setusercontext(struct passwd , const char );
	425	void child_set_env(char **envp, u_int envsizep, const char *name,
	426	const char *value);
	427
	428	diff --git a/sshd.c b/sshd.c
	429	index 38cf9b49..9221632e 100644
	430	--- a/sshd.c
	431	+++ b/sshd.c
	432	@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
	433	reseed_prngs();
	434
	435	/* Drop privileges */
	436	- do_setusercontext(authctxt->pw);
	437	+ do_setusercontext(authctxt->pw, authctxt->role);
	438
	439	skip:
	440	/* It is safe now to apply the key state */
	441	diff --git a/sshpty.c b/sshpty.c
	442	index fe2fb5aa..feb22b06 100644
	443	--- a/sshpty.c
	444	+++ b/sshpty.c
	445	@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
	446	}
	447
	448	void
	449	-pty_setowner(struct passwd pw, const char tty)
	450	+pty_setowner(struct passwd pw, const char tty, const char *role)
	451	{
	452	struct group *grp;
	453	gid_t gid;
	454	@@ -209,7 +209,7 @@ pty_setowner(struct passwd pw, const char tty)
	455	strerror(errno));
	456
	457	#ifdef WITH_SELINUX
	458	- ssh_selinux_setup_pty(pw->pw_name, tty);
	459	+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
	460	#endif
	461
	462	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {
	463	diff --git a/sshpty.h b/sshpty.h
	464	index 9ec7e9a1..de7e000a 100644
	465	--- a/sshpty.h
	466	+++ b/sshpty.h
	467	@@ -24,5 +24,5 @@ int pty_allocate(int , int , char *, size_t);
	468	void pty_release(const char *);
	469	void pty_make_controlling_tty(int , const char );
	470	void pty_change_window_size(int, u_int, u_int, u_int, u_int);
	471	-void pty_setowner(struct passwd , const char );
	472	+void pty_setowner(struct passwd , const char , const char *);
	473	void disconnect_controlling_tty(void);