1 files changed, 479 insertions, 0 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
new file mode 100644
index 000000000..80fe3247b
--- /dev/null
+++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,479 @@
+Description: Handle SELinux authorisation roles
+ Rejected upstream due to discomfort with magic usernames; a better approach
+ will need an SSH protocol change.  In the meantime, this came from Debian's
+ SELinux maintainer, so we'll keep it until we have something better.
+Author: Manoj Srivastava <srivasta@debian.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
+Bug-Debian: http://bugs.debian.org/394795
+Last-Update: 2010-02-27
+Index: b/auth.h
+===================================================================
+--- a/auth.h
+++ b/auth.h
+@@ -59,6 +59,7 @@
+        char            *service;
+        struct passwd   *pw;            /* set if 'valid' */
+        char            *style;
+       char            *role;
+        void            *kbdintctxt;
+        void            *jpake_ctx;
+ #ifdef BSD_AUTH
+Index: b/auth1.c
+===================================================================
+--- a/auth1.c
+++ b/auth1.c
+@@ -383,7 +383,7 @@
+ do_authentication(Authctxt *authctxt)
+ {
+        u_int ulen;
+-       char *user, *style = NULL;
+       char *user, *style = NULL, *role = NULL;
+ 
+        /* Get the name of the user that we wish to log in as. */
+        packet_read_expect(SSH_CMSG_USER);
+@@ -392,11 +392,17 @@
+        user = packet_get_cstring(&ulen);
+        packet_check_eom();
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = '\0';
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = '\0';
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        authctxt->user = user;
+        authctxt->style = style;
+       authctxt->role = role;
+ 
+        /* Verify that the user is a valid user. */
+        if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
+Index: b/auth2.c
+===================================================================
+--- a/auth2.c
+++ b/auth2.c
+@@ -217,7 +217,7 @@
+ {
+        Authctxt *authctxt = ctxt;
+        Authmethod *m = NULL;
+-       char *user, *service, *method, *style = NULL;
+       char *user, *service, *method, *style = NULL, *role = NULL;
+        int authenticated = 0;
+ 
+        if (authctxt == NULL)
+@@ -229,8 +229,13 @@
+        debug("userauth-request for user %s service %s method %s", user, service, method);
+        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = 0;
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = 0;
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        if (authctxt->attempt++ == 0) {
+                /* setup auth context */
+@@ -254,8 +259,9 @@
+                    use_privsep ? " [net]" : "");
+                authctxt->service = xstrdup(service);
+                authctxt->style = style ? xstrdup(style) : NULL;
+               authctxt->role = role ? xstrdup(role) : NULL;
+                if (use_privsep)
+-                       mm_inform_authserv(service, style);
+                       mm_inform_authserv(service, style, role);
+                userauth_banner();
+        } else if (strcmp(user, authctxt->user) != 0 ||
+            strcmp(service, authctxt->service) != 0) {
+Index: b/monitor.c
+===================================================================
+--- a/monitor.c
+++ b/monitor.c
+@@ -145,6 +145,7 @@
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -225,6 +226,7 @@
+     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -808,6 +810,7 @@
+        else {
+                /* Allow service/style information on the auth context */
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+               monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+        }
+ #ifdef USE_PAM
+@@ -840,14 +843,37 @@
+ 
+        authctxt->service = buffer_get_string(m, NULL);
+        authctxt->style = buffer_get_string(m, NULL);
+-       debug3("%s: service=%s, style=%s",
+-           __func__, authctxt->service, authctxt->style);
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: service=%s, style=%s, role=%s",
+           __func__, authctxt->service, authctxt->style, authctxt->role);
+ 
+        if (strlen(authctxt->style) == 0) {
+                xfree(authctxt->style);
+                authctxt->style = NULL;
+        }
+ 
+       if (strlen(authctxt->role) == 0) {
+               xfree(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+       return (0);
+}
+
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+       monitor_permit_authentications(1);
+
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: role=%s",
+           __func__, authctxt->role);
+
+       if (strlen(authctxt->role) == 0) {
+               xfree(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+        return (0);
+ }
+ 
+@@ -1435,7 +1461,7 @@
+        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
+        if (res == 0)
+                goto error;
+-       pty_setowner(authctxt->pw, s->tty);
+       pty_setowner(authctxt->pw, s->tty, authctxt->role);
+ 
+        buffer_put_int(m, 1);
+        buffer_put_cstring(m, s->tty);
+Index: b/monitor.h
+===================================================================
+--- a/monitor.h
+++ b/monitor.h
+@@ -30,7 +30,7 @@
+ 
+ enum monitor_reqtype {
+        MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
+-       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
+        MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
+        MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+        MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
+Index: b/monitor_wrap.c
+===================================================================
+--- a/monitor_wrap.c
+++ b/monitor_wrap.c
+@@ -318,10 +318,10 @@
+        return (banner);
+ }
+ 
+-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
+ 
+ void
+-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
+ {
+        Buffer m;
+ 
+@@ -330,11 +330,29 @@
+        buffer_init(&m);
+        buffer_put_cstring(&m, service);
+        buffer_put_cstring(&m, style ? style : "");
+       buffer_put_cstring(&m, role ? role : "");
+ 
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
+ 
+        buffer_free(&m);
+ }
+
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+       Buffer m;
+
+       debug3("%s entering", __func__);
+
+       buffer_init(&m);
+       buffer_put_cstring(&m, role ? role : "");
+
+       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+       buffer_free(&m);
+}
+ 
+ /* Do the password authentication */
+ int
+Index: b/monitor_wrap.h
+===================================================================
+--- a/monitor_wrap.h
+++ b/monitor_wrap.h
+@@ -41,7 +41,8 @@
+ int mm_is_monitor(void);
+ DH *mm_choose_dh(int, int, int);
+ int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+-void mm_inform_authserv(char *, char *);
+void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
+ struct passwd *mm_getpwnamallow(const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct Authctxt *, char *);
+Index: b/openbsd-compat/port-linux.c
+===================================================================
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -29,6 +29,12 @@
+ #include <string.h>
+ #include <stdio.h>
+ 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
+@@ -58,7 +64,7 @@
+ 
+ /* Return the default security context for the given username */
+ static security_context_t
+-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
+ {
+        security_context_t sc = NULL;
+        char *sename = NULL, *lvl = NULL;
+@@ -73,9 +79,16 @@
+ #endif
+ 
+ #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+-       r = get_default_context_with_level(sename, lvl, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+                                                      &sc);
+       else
+               r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ #else
+-       r = get_default_context(sename, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_role(sename, role, NULL, &sc);
+       else
+               r = get_default_context(sename, NULL, &sc);
+ #endif
+ 
+        if (r != 0) {
+@@ -107,7 +120,7 @@
+ 
+ /* Set the execution context to the default for the specified user */
+ void
+-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
+ {
+        security_context_t user_ctx = NULL;
+ 
+@@ -116,7 +129,7 @@
+ 
+        debug3("%s: setting execution context", __func__);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+@@ -138,7 +151,7 @@
+ 
+ /* Set the TTY context for the specified user */
+ void
+-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
+ {
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+@@ -149,7 +162,7 @@
+ 
+        debug3("%s: setting TTY context on %s", __func__, tty);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+ 
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+ 
+Index: b/openbsd-compat/port-linux.h
+===================================================================
+--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
+@@ -21,8 +21,8 @@
+ 
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+-void ssh_selinux_setup_pty(char *, const char *);
+-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
+ void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
+ #endif
+Index: b/platform.c
+===================================================================
+--- a/platform.c
+++ b/platform.c
+@@ -134,7 +134,7 @@
+  * called if sshd is running as root.
+  */
+ void
+-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
+ {
+ #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+        /*
+@@ -181,7 +181,7 @@
+        }
+ #endif /* HAVE_SETPCRED */
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_exec_context(pw->pw_name);
+       ssh_selinux_setup_exec_context(pw->pw_name, role);
+ #endif
+ }
+ 
+Index: b/platform.h
+===================================================================
+--- a/platform.h
+++ b/platform.h
+@@ -26,7 +26,7 @@
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+ void platform_setusercontext(struct passwd *);
+-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
+ char *platform_get_krb5_client(const char *);
+ char *platform_krb5_get_principal_name(const char *);
+ 
+Index: b/session.c
+===================================================================
+--- a/session.c
+++ b/session.c
+@@ -1471,7 +1471,7 @@
+ 
+ /* Set login name, uid, gid, and groups. */
+ void
+-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
+ {
+        char *chroot_path, *tmp;
+ 
+@@ -1499,7 +1499,7 @@
+                endgrent();
+ #endif
+ 
+-               platform_setusercontext_post_groups(pw);
+               platform_setusercontext_post_groups(pw, role);
+ 
+                if (options.chroot_directory != NULL &&
+                    strcasecmp(options.chroot_directory, "none") != 0) {
+@@ -1625,7 +1625,7 @@
+ 
+        /* Force a password change */
+        if (s->authctxt->force_pwchange) {
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                child_close_fds();
+                do_pwchange(s);
+                exit(1);
+@@ -1652,7 +1652,7 @@
+                /* When PAM is enabled we rely on it to do the nologin check */
+                if (!options.use_pam)
+                        do_nologin(pw);
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                /*
+                 * PAM session modules in do_setusercontext may have
+                 * generated messages, so if this in an interactive
+@@ -2064,7 +2064,7 @@
+        tty_parse_modes(s->ttyfd, &n_bytes);
+ 
+        if (!use_privsep)
+-               pty_setowner(s->pw, s->tty);
+               pty_setowner(s->pw, s->tty, s->authctxt->role);
+ 
+        /* Set window size from the packet. */
+        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+Index: b/session.h
+===================================================================
+--- a/session.h
+++ b/session.h
+@@ -76,7 +76,7 @@
+ Session        *session_new(void);
+ Session        *session_by_tty(char *);
+ void    session_close(Session *);
+-void    do_setusercontext(struct passwd *);
+void    do_setusercontext(struct passwd *, const char *);
+ void    child_set_env(char ***envp, u_int *envsizep, const char *name,
+                       const char *value);
+ 
+Index: b/sshd.c
+===================================================================
+--- a/sshd.c
+++ b/sshd.c
+@@ -736,7 +736,7 @@
+        RAND_seed(rnd, sizeof(rnd));
+ 
+        /* Drop privileges */
+-       do_setusercontext(authctxt->pw);
+       do_setusercontext(authctxt->pw, authctxt->role);
+ 
+  skip:
+        /* It is safe now to apply the key state */
+Index: b/sshpty.c
+===================================================================
+--- a/sshpty.c
+++ b/sshpty.c
+@@ -200,7 +200,7 @@
+ }
+ 
+ void
+-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
+ {
+        struct group *grp;
+        gid_t gid;
+@@ -227,7 +227,7 @@
+                    strerror(errno));
+ 
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_pty(pw->pw_name, tty);
+       ssh_selinux_setup_pty(pw->pw_name, tty, role);
+ #endif
+ 
+        if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+Index: b/sshpty.h
+===================================================================
+--- a/sshpty.h
+++ b/sshpty.h
+@@ -24,4 +24,4 @@
+ void    pty_release(const char *);
+ void    pty_make_controlling_tty(int *, const char *);
+ void    pty_change_window_size(int, u_int, u_int, u_int, u_int);
+-void    pty_setowner(struct passwd *, const char *);
+void    pty_setowner(struct passwd *, const char *, const char *);

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch new file mode 100644 index 000000000..80fe3247b --- /dev/null +++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,479 @@
	1	Description: Handle SELinux authorisation roles
	2	Rejected upstream due to discomfort with magic usernames; a better approach
	3	will need an SSH protocol change. In the meantime, this came from Debian's
	4	SELinux maintainer, so we'll keep it until we have something better.
	5	Author: Manoj Srivastava <srivasta@debian.org>
	6	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
	7	Bug-Debian: http://bugs.debian.org/394795
	8	Last-Update: 2010-02-27
	9
	10	Index: b/auth.h
	11	===================================================================
	12	--- a/auth.h
	13	+++ b/auth.h
	14	@@ -59,6 +59,7 @@
	15	char *service;
	16	struct passwd pw; / set if 'valid' */
	17	char *style;
	18	+ char *role;
	19	void *kbdintctxt;
	20	void *jpake_ctx;
	21	#ifdef BSD_AUTH
	22	Index: b/auth1.c
	23	===================================================================
	24	--- a/auth1.c
	25	+++ b/auth1.c
	26	@@ -383,7 +383,7 @@
	27	do_authentication(Authctxt *authctxt)
	28	{
	29	u_int ulen;
	30	- char user, style = NULL;
	31	+ char user, style = NULL, *role = NULL;
	32
	33	/* Get the name of the user that we wish to log in as. */
	34	packet_read_expect(SSH_CMSG_USER);
	35	@@ -392,11 +392,17 @@
	36	user = packet_get_cstring(&ulen);
	37	packet_check_eom();
	38
	39	+ if ((role = strchr(user, '/')) != NULL)
	40	+ *role++ = '\0';
	41	+
	42	if ((style = strchr(user, ':')) != NULL)
	43	*style++ = '\0';
	44	+ else if (role && (style = strchr(role, ':')) != NULL)
	45	+ *style++ = '\0';
	46
	47	authctxt->user = user;
	48	authctxt->style = style;
	49	+ authctxt->role = role;
	50
	51	/* Verify that the user is a valid user. */
	52	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
	53	Index: b/auth2.c
	54	===================================================================
	55	--- a/auth2.c
	56	+++ b/auth2.c
	57	@@ -217,7 +217,7 @@
	58	{
	59	Authctxt *authctxt = ctxt;
	60	Authmethod *m = NULL;
	61	- char user, service, method, style = NULL;
	62	+ char user, service, method, style = NULL, *role = NULL;
	63	int authenticated = 0;
	64
	65	if (authctxt == NULL)
	66	@@ -229,8 +229,13 @@
	67	debug("userauth-request for user %s service %s method %s", user, service, method);
	68	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
	69
	70	+ if ((role = strchr(user, '/')) != NULL)
	71	+ *role++ = 0;
	72	+
	73	if ((style = strchr(user, ':')) != NULL)
	74	*style++ = 0;
	75	+ else if (role && (style = strchr(role, ':')) != NULL)
	76	+ *style++ = '\0';
	77
	78	if (authctxt->attempt++ == 0) {
	79	/* setup auth context */
	80	@@ -254,8 +259,9 @@
	81	use_privsep ? " [net]" : "");
	82	authctxt->service = xstrdup(service);
	83	authctxt->style = style ? xstrdup(style) : NULL;
	84	+ authctxt->role = role ? xstrdup(role) : NULL;
	85	if (use_privsep)
	86	- mm_inform_authserv(service, style);
	87	+ mm_inform_authserv(service, style, role);
	88	userauth_banner();
	89	} else if (strcmp(user, authctxt->user) != 0 \|\|
	90	strcmp(service, authctxt->service) != 0) {
	91	Index: b/monitor.c
	92	===================================================================
	93	--- a/monitor.c
	94	+++ b/monitor.c
	95	@@ -145,6 +145,7 @@
	96	int mm_answer_pwnamallow(int, Buffer *);
	97	int mm_answer_auth2_read_banner(int, Buffer *);
	98	int mm_answer_authserv(int, Buffer *);
	99	+int mm_answer_authrole(int, Buffer *);
	100	int mm_answer_authpassword(int, Buffer *);
	101	int mm_answer_bsdauthquery(int, Buffer *);
	102	int mm_answer_bsdauthrespond(int, Buffer *);
	103	@@ -225,6 +226,7 @@
	104	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
	105	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
	106	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
	107	+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
	108	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
	109	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
	110	#ifdef USE_PAM
	111	@@ -808,6 +810,7 @@
	112	else {
	113	/* Allow service/style information on the auth context */
	114	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
	115	+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
	116	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
	117	}
	118	#ifdef USE_PAM
	119	@@ -840,14 +843,37 @@
	120
	121	authctxt->service = buffer_get_string(m, NULL);
	122	authctxt->style = buffer_get_string(m, NULL);
	123	- debug3("%s: service=%s, style=%s",
	124	- __func__, authctxt->service, authctxt->style);
	125	+ authctxt->role = buffer_get_string(m, NULL);
	126	+ debug3("%s: service=%s, style=%s, role=%s",
	127	+ __func__, authctxt->service, authctxt->style, authctxt->role);
	128
	129	if (strlen(authctxt->style) == 0) {
	130	xfree(authctxt->style);
	131	authctxt->style = NULL;
	132	}
	133
	134	+ if (strlen(authctxt->role) == 0) {
	135	+ xfree(authctxt->role);
	136	+ authctxt->role = NULL;
	137	+ }
	138	+
	139	+ return (0);
	140	+}
	141	+
	142	+int
	143	+mm_answer_authrole(int sock, Buffer *m)
	144	+{
	145	+ monitor_permit_authentications(1);
	146	+
	147	+ authctxt->role = buffer_get_string(m, NULL);
	148	+ debug3("%s: role=%s",
	149	+ __func__, authctxt->role);
	150	+
	151	+ if (strlen(authctxt->role) == 0) {
	152	+ xfree(authctxt->role);
	153	+ authctxt->role = NULL;
	154	+ }
	155	+
	156	return (0);
	157	}
	158
	159	@@ -1435,7 +1461,7 @@
	160	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
	161	if (res == 0)
	162	goto error;
	163	- pty_setowner(authctxt->pw, s->tty);
	164	+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
	165
	166	buffer_put_int(m, 1);
	167	buffer_put_cstring(m, s->tty);
	168	Index: b/monitor.h
	169	===================================================================
	170	--- a/monitor.h
	171	+++ b/monitor.h
	172	@@ -30,7 +30,7 @@
	173
	174	enum monitor_reqtype {
	175	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
	176	- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
	177	+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
	178	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
	179	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
	180	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
	181	Index: b/monitor_wrap.c
	182	===================================================================
	183	--- a/monitor_wrap.c
	184	+++ b/monitor_wrap.c
	185	@@ -318,10 +318,10 @@
	186	return (banner);
	187	}
	188
	189	-/* Inform the privileged process about service and style */
	190	+/* Inform the privileged process about service, style, and role */
	191
	192	void
	193	-mm_inform_authserv(char service, char style)
	194	+mm_inform_authserv(char service, char style, char *role)
	195	{
	196	Buffer m;
	197
	198	@@ -330,11 +330,29 @@
	199	buffer_init(&m);
	200	buffer_put_cstring(&m, service);
	201	buffer_put_cstring(&m, style ? style : "");
	202	+ buffer_put_cstring(&m, role ? role : "");
	203
	204	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
	205
	206	buffer_free(&m);
	207	}
	208	+
	209	+/* Inform the privileged process about role */
	210	+
	211	+void
	212	+mm_inform_authrole(char *role)
	213	+{
	214	+ Buffer m;
	215	+
	216	+ debug3("%s entering", __func__);
	217	+
	218	+ buffer_init(&m);
	219	+ buffer_put_cstring(&m, role ? role : "");
	220	+
	221	+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
	222	+
	223	+ buffer_free(&m);
	224	+}
	225
	226	/* Do the password authentication */
	227	int
	228	Index: b/monitor_wrap.h
	229	===================================================================
	230	--- a/monitor_wrap.h
	231	+++ b/monitor_wrap.h
	232	@@ -41,7 +41,8 @@
	233	int mm_is_monitor(void);
	234	DH *mm_choose_dh(int, int, int);
	235	int mm_key_sign(Key , u_char , u_int , u_char *, u_int);
	236	-void mm_inform_authserv(char , char );
	237	+void mm_inform_authserv(char , char , char *);
	238	+void mm_inform_authrole(char *);
	239	struct passwd mm_getpwnamallow(const char );
	240	char *mm_auth2_read_banner(void);
	241	int mm_auth_password(struct Authctxt , char );
	242	Index: b/openbsd-compat/port-linux.c
	243	===================================================================
	244	--- a/openbsd-compat/port-linux.c
	245	+++ b/openbsd-compat/port-linux.c
	246	@@ -29,6 +29,12 @@
	247	#include <string.h>
	248	#include <stdio.h>
	249
	250	+#ifdef WITH_SELINUX
	251	+#include "key.h"
	252	+#include "hostfile.h"
	253	+#include "auth.h"
	254	+#endif
	255	+
	256	#include "log.h"
	257	#include "xmalloc.h"
	258	#include "port-linux.h"
	259	@@ -58,7 +64,7 @@
	260
	261	/* Return the default security context for the given username */
	262	static security_context_t
	263	-ssh_selinux_getctxbyname(char *pwname)
	264	+ssh_selinux_getctxbyname(char pwname, const char role)
	265	{
	266	security_context_t sc = NULL;
	267	char sename = NULL, lvl = NULL;
	268	@@ -73,9 +79,16 @@
	269	#endif
	270
	271	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
	272	- r = get_default_context_with_level(sename, lvl, NULL, &sc);
	273	+ if (role != NULL && role[0])
	274	+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
	275	+ &sc);
	276	+ else
	277	+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
	278	#else
	279	- r = get_default_context(sename, NULL, &sc);
	280	+ if (role != NULL && role[0])
	281	+ r = get_default_context_with_role(sename, role, NULL, &sc);
	282	+ else
	283	+ r = get_default_context(sename, NULL, &sc);
	284	#endif
	285
	286	if (r != 0) {
	287	@@ -107,7 +120,7 @@
	288
	289	/* Set the execution context to the default for the specified user */
	290	void
	291	-ssh_selinux_setup_exec_context(char *pwname)
	292	+ssh_selinux_setup_exec_context(char pwname, const char role)
	293	{
	294	security_context_t user_ctx = NULL;
	295
	296	@@ -116,7 +129,7 @@
	297
	298	debug3("%s: setting execution context", __func__);
	299
	300	- user_ctx = ssh_selinux_getctxbyname(pwname);
	301	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
	302	if (setexeccon(user_ctx) != 0) {
	303	switch (security_getenforce()) {
	304	case -1:
	305	@@ -138,7 +151,7 @@
	306
	307	/* Set the TTY context for the specified user */
	308	void
	309	-ssh_selinux_setup_pty(char pwname, const char tty)
	310	+ssh_selinux_setup_pty(char pwname, const char tty, const char *role)
	311	{
	312	security_context_t new_tty_ctx = NULL;
	313	security_context_t user_ctx = NULL;
	314	@@ -149,7 +162,7 @@
	315
	316	debug3("%s: setting TTY context on %s", __func__, tty);
	317
	318	- user_ctx = ssh_selinux_getctxbyname(pwname);
	319	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
	320
	321	/* XXX: should these calls fatal() upon failure in enforcing mode? */
	322
	323	Index: b/openbsd-compat/port-linux.h
	324	===================================================================
	325	--- a/openbsd-compat/port-linux.h
	326	+++ b/openbsd-compat/port-linux.h
	327	@@ -21,8 +21,8 @@
	328
	329	#ifdef WITH_SELINUX
	330	int ssh_selinux_enabled(void);
	331	-void ssh_selinux_setup_pty(char , const char );
	332	-void ssh_selinux_setup_exec_context(char *);
	333	+void ssh_selinux_setup_pty(char , const char , const char *);
	334	+void ssh_selinux_setup_exec_context(char , const char );
	335	void ssh_selinux_change_context(const char *);
	336	void ssh_selinux_setfscreatecon(const char *);
	337	#endif
	338	Index: b/platform.c
	339	===================================================================
	340	--- a/platform.c
	341	+++ b/platform.c
	342	@@ -134,7 +134,7 @@
	343	* called if sshd is running as root.
	344	*/
	345	void
	346	-platform_setusercontext_post_groups(struct passwd *pw)
	347	+platform_setusercontext_post_groups(struct passwd pw, const char role)
	348	{
	349	#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
	350	/*
	351	@@ -181,7 +181,7 @@
	352	}
	353	#endif /* HAVE_SETPCRED */
	354	#ifdef WITH_SELINUX
	355	- ssh_selinux_setup_exec_context(pw->pw_name);
	356	+ ssh_selinux_setup_exec_context(pw->pw_name, role);
	357	#endif
	358	}
	359
	360	Index: b/platform.h
	361	===================================================================
	362	--- a/platform.h
	363	+++ b/platform.h
	364	@@ -26,7 +26,7 @@
	365	void platform_post_fork_child(void);
	366	int platform_privileged_uidswap(void);
	367	void platform_setusercontext(struct passwd *);
	368	-void platform_setusercontext_post_groups(struct passwd *);
	369	+void platform_setusercontext_post_groups(struct passwd , const char );
	370	char platform_get_krb5_client(const char );
	371	char platform_krb5_get_principal_name(const char );
	372
	373	Index: b/session.c
	374	===================================================================
	375	--- a/session.c
	376	+++ b/session.c
	377	@@ -1471,7 +1471,7 @@
	378
	379	/* Set login name, uid, gid, and groups. */
	380	void
	381	-do_setusercontext(struct passwd *pw)
	382	+do_setusercontext(struct passwd pw, const char role)
	383	{
	384	char chroot_path, tmp;
	385
	386	@@ -1499,7 +1499,7 @@
	387	endgrent();
	388	#endif
	389
	390	- platform_setusercontext_post_groups(pw);
	391	+ platform_setusercontext_post_groups(pw, role);
	392
	393	if (options.chroot_directory != NULL &&
	394	strcasecmp(options.chroot_directory, "none") != 0) {
	395	@@ -1625,7 +1625,7 @@
	396
	397	/* Force a password change */
	398	if (s->authctxt->force_pwchange) {
	399	- do_setusercontext(pw);
	400	+ do_setusercontext(pw, s->authctxt->role);
	401	child_close_fds();
	402	do_pwchange(s);
	403	exit(1);
	404	@@ -1652,7 +1652,7 @@
	405	/* When PAM is enabled we rely on it to do the nologin check */
	406	if (!options.use_pam)
	407	do_nologin(pw);
	408	- do_setusercontext(pw);
	409	+ do_setusercontext(pw, s->authctxt->role);
	410	/*
	411	* PAM session modules in do_setusercontext may have
	412	* generated messages, so if this in an interactive
	413	@@ -2064,7 +2064,7 @@
	414	tty_parse_modes(s->ttyfd, &n_bytes);
	415
	416	if (!use_privsep)
	417	- pty_setowner(s->pw, s->tty);
	418	+ pty_setowner(s->pw, s->tty, s->authctxt->role);
	419
	420	/* Set window size from the packet. */
	421	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
	422	Index: b/session.h
	423	===================================================================
	424	--- a/session.h
	425	+++ b/session.h
	426	@@ -76,7 +76,7 @@
	427	Session *session_new(void);
	428	Session session_by_tty(char );
	429	void session_close(Session *);
	430	-void do_setusercontext(struct passwd *);
	431	+void do_setusercontext(struct passwd , const char );
	432	void child_set_env(char **envp, u_int envsizep, const char *name,
	433	const char *value);
	434
	435	Index: b/sshd.c
	436	===================================================================
	437	--- a/sshd.c
	438	+++ b/sshd.c
	439	@@ -736,7 +736,7 @@
	440	RAND_seed(rnd, sizeof(rnd));
	441
	442	/* Drop privileges */
	443	- do_setusercontext(authctxt->pw);
	444	+ do_setusercontext(authctxt->pw, authctxt->role);
	445
	446	skip:
	447	/* It is safe now to apply the key state */
	448	Index: b/sshpty.c
	449	===================================================================
	450	--- a/sshpty.c
	451	+++ b/sshpty.c
	452	@@ -200,7 +200,7 @@
	453	}
	454
	455	void
	456	-pty_setowner(struct passwd pw, const char tty)
	457	+pty_setowner(struct passwd pw, const char tty, const char *role)
	458	{
	459	struct group *grp;
	460	gid_t gid;
	461	@@ -227,7 +227,7 @@
	462	strerror(errno));
	463
	464	#ifdef WITH_SELINUX
	465	- ssh_selinux_setup_pty(pw->pw_name, tty);
	466	+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
	467	#endif
	468
	469	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {
	470	Index: b/sshpty.h
	471	===================================================================
	472	--- a/sshpty.h
	473	+++ b/sshpty.h
	474	@@ -24,4 +24,4 @@
	475	void pty_release(const char *);
	476	void pty_make_controlling_tty(int , const char );
	477	void pty_change_window_size(int, u_int, u_int, u_int, u_int);
	478	-void pty_setowner(struct passwd , const char );
	479	+void pty_setowner(struct passwd , const char , const char *);