2 files changed, 221 insertions, 31 deletions
diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch
index 47c953009..fb96e87b9 100644
--- a/debian/patches/selinux-build-failure.patch
+++ b/debian/patches/selinux-build-failure.patch
@@ -90,7 +90,7 @@ Index: b/configure
 KRB5CONF
 PRIVSEP_PATH
 xauth_path
-@@ -9047,7 +9159,6 @@
+@@ -9047,7 +9048,6 @@
 _ACEOF
 
                          SSHDLIBS="$SSHDLIBS -lcontract"
@@ -98,7 +98,7 @@ Index: b/configure
                          SPC_MSG="yes"
 fi
 
-@@ -9126,7 +9237,6 @@
+@@ -9126,7 +9126,6 @@
 _ACEOF
 
                        SSHDLIBS="$SSHDLIBS -lproject"
@@ -106,7 +106,7 @@ Index: b/configure
                        SP_MSG="yes"
 fi
 
-@@ -27806,6 +27916,7 @@
+@@ -27806,6 +27805,7 @@
    { (exit 1); exit 1; }; }
 fi
 
@@ -114,7 +114,7 @@ Index: b/configure
                SSHDLIBS="$SSHDLIBS $LIBSELINUX"
 
 
-@@ -27908,6 +28019,8 @@
+@@ -27908,6 +27908,8 @@
 fi
 
 
@@ -123,7 +123,7 @@ Index: b/configure
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 
-@@ -31416,7 +31529,6 @@
+@@ -31416,7 +31418,6 @@
 LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
 LD!$LD$ac_delim
@@ -131,7 +131,7 @@ Index: b/configure
 PKGCONFIG!$PKGCONFIG$ac_delim
 LIBEDIT!$LIBEDIT$ac_delim
 TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim
-@@ -31433,6 +31545,7 @@
+@@ -31433,6 +31434,7 @@
 PROG_SAR!$PROG_SAR$ac_delim
 PROG_W!$PROG_W$ac_delim
 PROG_WHO!$PROG_WHO$ac_delim
@@ -139,7 +139,7 @@ Index: b/configure
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
-@@ -31474,7 +31587,6 @@
+@@ -31474,7 +31476,6 @@
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
@@ -147,7 +147,7 @@ Index: b/configure
 PROG_LASTLOG!$PROG_LASTLOG$ac_delim
 PROG_DF!$PROG_DF$ac_delim
 PROG_VMSTAT!$PROG_VMSTAT$ac_delim
-@@ -31482,6 +31594,8 @@
+@@ -31482,6 +31483,8 @@
 PROG_IPCS!$PROG_IPCS$ac_delim
 PROG_TAIL!$PROG_TAIL$ac_delim
 INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
@@ -156,7 +156,7 @@ Index: b/configure
 KRB5CONF!$KRB5CONF$ac_delim
 PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
 xauth_path!$xauth_path$ac_delim
-@@ -31496,7 +31610,7 @@
+@@ -31496,7 +31499,7 @@
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
@@ -165,7 +165,7 @@ Index: b/configure
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-@@ -31993,6 +32107,9 @@
+@@ -31993,6 +31996,9 @@
 if test ! -z "${SSHDLIBS}"; then
 echo "         +for sshd: ${SSHDLIBS}"
 fi
@@ -179,7 +179,7 @@ Index: b/openbsd-compat/port-linux.c
 ===================================================================
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
-@@ -222,6 +222,20 @@
+@@ -218,6 +218,20 @@
        xfree(oldctx);
        xfree(newctx);
 }
@@ -205,8 +205,8 @@ Index: b/openbsd-compat/port-linux.h
 --- a/openbsd-compat/port-linux.h
 +++ b/openbsd-compat/port-linux.h
 @@ -24,6 +24,7 @@
- void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_setup_pty(char *, const char *, const char *);
- void ssh_selinux_setup_exec_context(char *);
+ void ssh_selinux_setup_exec_context(char *, const char *);
 void ssh_selinux_change_context(const char *);
 +void ssh_selinux_setfscreatecon(const char *);
 #endif
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 74cd06201..30db352dd 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -156,6 +156,15 @@ Index: b/monitor.c
        return (0);
 }
 
+@@ -1327,7 +1353,7 @@
+        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
+        if (res == 0)
+                goto error;
+-       pty_setowner(authctxt->pw, s->tty);
+       pty_setowner(authctxt->pw, s->tty, authctxt->role);
+ 
+        buffer_put_int(m, 1);
+        buffer_put_cstring(m, s->tty);
 Index: b/monitor.h
 ===================================================================
 --- a/monitor.h
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
-@@ -38,6 +44,8 @@
+@@ -54,9 +60,9 @@
- #include <selinux/flask.h>
- #include <selinux/get_context_list.h>
 
-+extern Authctxt *the_authctxt;
+ /* Return the default security context for the given username */
-+
- /* Wrapper around is_selinux_enabled() to log its return value once only */
- int
- ssh_selinux_enabled(void)
-@@ -56,8 +64,8 @@
 static security_context_t
- ssh_selinux_getctxbyname(char *pwname)
+-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
 {
 -       security_context_t sc;
-       char *sename = NULL, *lvl = NULL;
 +       security_context_t sc = NULL;
-+       char *sename = NULL, *role = NULL, *lvl = NULL;
+        char *sename = NULL, *lvl = NULL;
        int r;
 
- #ifdef HAVE_GETSEUSERBYNAME
+@@ -69,9 +75,16 @@
-@@ -67,11 +75,20 @@
-        sename = pwname;
-        lvl = NULL;
 #endif
-+       if (the_authctxt)
-+               role = the_authctxt->role;
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
 -       r = get_default_context_with_level(sename, lvl, NULL, &sc);
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c
 #endif
 
        if (r != 0) {
+@@ -102,7 +115,7 @@
+ 
+ /* Set the execution context to the default for the specified user */
+ void
+-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
+ {
+        security_context_t user_ctx = NULL;
+ 
+@@ -111,7 +124,7 @@
+ 
+        debug3("%s: setting execution context", __func__);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+@@ -133,7 +146,7 @@
+ 
+ /* Set the TTY context for the specified user */
+ void
+-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
+ {
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+@@ -144,7 +157,7 @@
+ 
+        debug3("%s: setting TTY context on %s", __func__, tty);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+ 
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+ 
+Index: b/openbsd-compat/port-linux.h
+===================================================================
+--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
+@@ -21,8 +21,8 @@
+ 
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+-void ssh_selinux_setup_pty(char *, const char *);
+-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
+ void ssh_selinux_change_context(const char *);
+ #endif
+ 
+Index: b/platform.c
+===================================================================
+--- a/platform.c
+++ b/platform.c
+@@ -134,7 +134,7 @@
+  * called if sshd is running as root.
+  */
+ void
+-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
+ {
+ #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+        /*
+@@ -181,7 +181,7 @@
+        }
+ #endif /* HAVE_SETPCRED */
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_exec_context(pw->pw_name);
+       ssh_selinux_setup_exec_context(pw->pw_name, role);
+ #endif
+ }
+ 
+Index: b/platform.h
+===================================================================
+--- a/platform.h
+++ b/platform.h
+@@ -26,7 +26,7 @@
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+ void platform_setusercontext(struct passwd *);
+-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
+ char *platform_get_krb5_client(const char *);
+ char *platform_krb5_get_principal_name(const char *);
+ 
+Index: b/session.c
+===================================================================
+--- a/session.c
+++ b/session.c
+@@ -1467,7 +1467,7 @@
+ 
+ /* Set login name, uid, gid, and groups. */
+ void
+-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
+ {
+        char *chroot_path, *tmp;
+ 
+@@ -1495,7 +1495,7 @@
+                endgrent();
+ #endif
+ 
+-               platform_setusercontext_post_groups(pw);
+               platform_setusercontext_post_groups(pw, role);
+ 
+                if (options.chroot_directory != NULL &&
+                    strcasecmp(options.chroot_directory, "none") != 0) {
+@@ -1618,7 +1618,7 @@
+ 
+        /* Force a password change */
+        if (s->authctxt->force_pwchange) {
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                child_close_fds();
+                do_pwchange(s);
+                exit(1);
+@@ -1645,7 +1645,7 @@
+                /* When PAM is enabled we rely on it to do the nologin check */
+                if (!options.use_pam)
+                        do_nologin(pw);
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                /*
+                 * PAM session modules in do_setusercontext may have
+                 * generated messages, so if this in an interactive
+@@ -2057,7 +2057,7 @@
+        tty_parse_modes(s->ttyfd, &n_bytes);
+ 
+        if (!use_privsep)
+-               pty_setowner(s->pw, s->tty);
+               pty_setowner(s->pw, s->tty, s->authctxt->role);
+ 
+        /* Set window size from the packet. */
+        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+Index: b/session.h
+===================================================================
+--- a/session.h
+++ b/session.h
+@@ -76,7 +76,7 @@
+ Session        *session_new(void);
+ Session        *session_by_tty(char *);
+ void    session_close(Session *);
+-void    do_setusercontext(struct passwd *);
+void    do_setusercontext(struct passwd *, const char *);
+ void    child_set_env(char ***envp, u_int *envsizep, const char *name,
+                       const char *value);
+ 
+Index: b/sshd.c
+===================================================================
+--- a/sshd.c
+++ b/sshd.c
+@@ -707,7 +707,7 @@
+        RAND_seed(rnd, sizeof(rnd));
+ 
+        /* Drop privileges */
+-       do_setusercontext(authctxt->pw);
+       do_setusercontext(authctxt->pw, authctxt->role);
+ 
+  skip:
+        /* It is safe now to apply the key state */
+Index: b/sshpty.c
+===================================================================
+--- a/sshpty.c
+++ b/sshpty.c
+@@ -200,7 +200,7 @@
+ }
+ 
+ void
+-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
+ {
+        struct group *grp;
+        gid_t gid;
+@@ -227,7 +227,7 @@
+                    strerror(errno));
+ 
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_pty(pw->pw_name, tty);
+       ssh_selinux_setup_pty(pw->pw_name, tty, role);
+ #endif
+ 
+        if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+Index: b/sshpty.h
+===================================================================
+--- a/sshpty.h
+++ b/sshpty.h
+@@ -24,4 +24,4 @@
+ void    pty_release(const char *);
+ void    pty_make_controlling_tty(int *, const char *);
+ void    pty_change_window_size(int, u_int, u_int, u_int, u_int);
+-void    pty_setowner(struct passwd *, const char *);
+void    pty_setowner(struct passwd *, const char *, const char *);

diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch index 47c953009..fb96e87b9 100644 --- a/debian/patches/selinux-build-failure.patch +++ b/debian/patches/selinux-build-failure.patch
@@ -90,7 +90,7 @@ Index: b/configure
90	KRB5CONF	90	KRB5CONF
91	PRIVSEP_PATH	91	PRIVSEP_PATH
92	xauth_path	92	xauth_path
93	@@ -9047,7 +9159,6 @@	93	@@ -9047,7 +9048,6 @@
94	_ACEOF	94	_ACEOF
95		95
96	SSHDLIBS="$SSHDLIBS -lcontract"	96	SSHDLIBS="$SSHDLIBS -lcontract"
@@ -98,7 +98,7 @@ Index: b/configure
98	SPC_MSG="yes"	98	SPC_MSG="yes"
99	fi	99	fi
100		100
101	@@ -9126,7 +9237,6 @@	101	@@ -9126,7 +9126,6 @@
102	_ACEOF	102	_ACEOF
103		103
104	SSHDLIBS="$SSHDLIBS -lproject"	104	SSHDLIBS="$SSHDLIBS -lproject"
@@ -106,7 +106,7 @@ Index: b/configure
106	SP_MSG="yes"	106	SP_MSG="yes"
107	fi	107	fi
108		108
109	@@ -27806,6 +27916,7 @@	109	@@ -27806,6 +27805,7 @@
110	{ (exit 1); exit 1; }; }	110	{ (exit 1); exit 1; }; }
111	fi	111	fi
112		112
@@ -114,7 +114,7 @@ Index: b/configure
114	SSHDLIBS="$SSHDLIBS $LIBSELINUX"	114	SSHDLIBS="$SSHDLIBS $LIBSELINUX"
115		115
116		116
117	@@ -27908,6 +28019,8 @@	117	@@ -27908,6 +27908,8 @@
118	fi	118	fi
119		119
120		120
@@ -123,7 +123,7 @@ Index: b/configure
123	# Check whether user wants Kerberos 5 support	123	# Check whether user wants Kerberos 5 support
124	KRB5_MSG="no"	124	KRB5_MSG="no"
125		125
126	@@ -31416,7 +31529,6 @@	126	@@ -31416,7 +31418,6 @@
127	LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim	127	LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
128	PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim	128	PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
129	LD!$LD$ac_delim	129	LD!$LD$ac_delim
@@ -131,7 +131,7 @@ Index: b/configure
131	PKGCONFIG!$PKGCONFIG$ac_delim	131	PKGCONFIG!$PKGCONFIG$ac_delim
132	LIBEDIT!$LIBEDIT$ac_delim	132	LIBEDIT!$LIBEDIT$ac_delim
133	TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim	133	TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim
134	@@ -31433,6 +31545,7 @@	134	@@ -31433,6 +31434,7 @@
135	PROG_SAR!$PROG_SAR$ac_delim	135	PROG_SAR!$PROG_SAR$ac_delim
136	PROG_W!$PROG_W$ac_delim	136	PROG_W!$PROG_W$ac_delim
137	PROG_WHO!$PROG_WHO$ac_delim	137	PROG_WHO!$PROG_WHO$ac_delim
@@ -139,7 +139,7 @@ Index: b/configure
139	_ACEOF	139	_ACEOF
140		140
141	if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed \| grep -c X` = 97; then	141	if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed \| grep -c X` = 97; then
142	@@ -31474,7 +31587,6 @@	142	@@ -31474,7 +31476,6 @@
143	ac_delim='%!_!# '	143	ac_delim='%!_!# '
144	for ac_last_try in false false false false false :; do	144	for ac_last_try in false false false false false :; do
145	cat >conf$$subs.sed <<_ACEOF	145	cat >conf$$subs.sed <<_ACEOF
@@ -147,7 +147,7 @@ Index: b/configure
147	PROG_LASTLOG!$PROG_LASTLOG$ac_delim	147	PROG_LASTLOG!$PROG_LASTLOG$ac_delim
148	PROG_DF!$PROG_DF$ac_delim	148	PROG_DF!$PROG_DF$ac_delim
149	PROG_VMSTAT!$PROG_VMSTAT$ac_delim	149	PROG_VMSTAT!$PROG_VMSTAT$ac_delim
150	@@ -31482,6 +31594,8 @@	150	@@ -31482,6 +31483,8 @@
151	PROG_IPCS!$PROG_IPCS$ac_delim	151	PROG_IPCS!$PROG_IPCS$ac_delim
152	PROG_TAIL!$PROG_TAIL$ac_delim	152	PROG_TAIL!$PROG_TAIL$ac_delim
153	INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim	153	INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
@@ -156,7 +156,7 @@ Index: b/configure
156	KRB5CONF!$KRB5CONF$ac_delim	156	KRB5CONF!$KRB5CONF$ac_delim
157	PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim	157	PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
158	xauth_path!$xauth_path$ac_delim	158	xauth_path!$xauth_path$ac_delim
159	@@ -31496,7 +31610,7 @@	159	@@ -31496,7 +31499,7 @@
160	LTLIBOBJS!$LTLIBOBJS$ac_delim	160	LTLIBOBJS!$LTLIBOBJS$ac_delim
161	_ACEOF	161	_ACEOF
162		162
@@ -165,7 +165,7 @@ Index: b/configure
165	break	165	break
166	elif $ac_last_try; then	166	elif $ac_last_try; then
167	{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5	167	{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
168	@@ -31993,6 +32107,9 @@	168	@@ -31993,6 +31996,9 @@
169	if test ! -z "${SSHDLIBS}"; then	169	if test ! -z "${SSHDLIBS}"; then
170	echo " +for sshd: ${SSHDLIBS}"	170	echo " +for sshd: ${SSHDLIBS}"
171	fi	171	fi
@@ -179,7 +179,7 @@ Index: b/openbsd-compat/port-linux.c
179	===================================================================	179	===================================================================
180	--- a/openbsd-compat/port-linux.c	180	--- a/openbsd-compat/port-linux.c
181	+++ b/openbsd-compat/port-linux.c	181	+++ b/openbsd-compat/port-linux.c
182	@@ -222,6 +222,20 @@	182	@@ -218,6 +218,20 @@
183	xfree(oldctx);	183	xfree(oldctx);
184	xfree(newctx);	184	xfree(newctx);
185	}	185	}
@@ -205,8 +205,8 @@ Index: b/openbsd-compat/port-linux.h
205	--- a/openbsd-compat/port-linux.h	205	--- a/openbsd-compat/port-linux.h
206	+++ b/openbsd-compat/port-linux.h	206	+++ b/openbsd-compat/port-linux.h
207	@@ -24,6 +24,7 @@	207	@@ -24,6 +24,7 @@
208	void ssh_selinux_setup_pty(char , const char );	208	void ssh_selinux_setup_pty(char , const char , const char *);
209	void ssh_selinux_setup_exec_context(char *);	209	void ssh_selinux_setup_exec_context(char , const char );
210	void ssh_selinux_change_context(const char *);	210	void ssh_selinux_change_context(const char *);
211	+void ssh_selinux_setfscreatecon(const char *);	211	+void ssh_selinux_setfscreatecon(const char *);
212	#endif	212	#endif


diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 74cd06201..30db352dd 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch
@@ -156,6 +156,15 @@ Index: b/monitor.c
156	return (0);	156	return (0);
157	}	157	}
158		158
		159	@@ -1327,7 +1353,7 @@
		160	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
		161	if (res == 0)
		162	goto error;
		163	- pty_setowner(authctxt->pw, s->tty);
		164	+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
		165
		166	buffer_put_int(m, 1);
		167	buffer_put_cstring(m, s->tty);
159	Index: b/monitor.h	168	Index: b/monitor.h
160	===================================================================	169	===================================================================
161	--- a/monitor.h	170	--- a/monitor.h
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c
247	#include "log.h"	256	#include "log.h"
248	#include "xmalloc.h"	257	#include "xmalloc.h"
249	#include "port-linux.h"	258	#include "port-linux.h"
250	@@ -38,6 +44,8 @@	259	@@ -54,9 +60,9 @@
251	#include <selinux/flask.h>
252	#include <selinux/get_context_list.h>
253		260
254	+extern Authctxt *the_authctxt;	261	/* Return the default security context for the given username */
255	+
256	/* Wrapper around is_selinux_enabled() to log its return value once only */
257	int
258	ssh_selinux_enabled(void)
259	@@ -56,8 +64,8 @@
260	static security_context_t	262	static security_context_t
261	ssh_selinux_getctxbyname(char *pwname)	263	-ssh_selinux_getctxbyname(char *pwname)
		264	+ssh_selinux_getctxbyname(char pwname, const char role)
262	{	265	{
263	- security_context_t sc;	266	- security_context_t sc;
264	- char sename = NULL, lvl = NULL;
265	+ security_context_t sc = NULL;	267	+ security_context_t sc = NULL;
266	+ char sename = NULL, role = NULL, *lvl = NULL;	268	char sename = NULL, lvl = NULL;
267	int r;	269	int r;
268		270
269	#ifdef HAVE_GETSEUSERBYNAME	271	@@ -69,9 +75,16 @@
270	@@ -67,11 +75,20 @@
271	sename = pwname;
272	lvl = NULL;
273	#endif	272	#endif
274	+ if (the_authctxt)
275	+ role = the_authctxt->role;
276		273
277	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL	274	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
278	- r = get_default_context_with_level(sename, lvl, NULL, &sc);	275	- r = get_default_context_with_level(sename, lvl, NULL, &sc);
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c
290	#endif	287	#endif
291		288
292	if (r != 0) {	289	if (r != 0) {
		290	@@ -102,7 +115,7 @@
		291
		292	/* Set the execution context to the default for the specified user */
		293	void
		294	-ssh_selinux_setup_exec_context(char *pwname)
		295	+ssh_selinux_setup_exec_context(char pwname, const char role)
		296	{
		297	security_context_t user_ctx = NULL;
		298
		299	@@ -111,7 +124,7 @@
		300
		301	debug3("%s: setting execution context", __func__);
		302
		303	- user_ctx = ssh_selinux_getctxbyname(pwname);
		304	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
		305	if (setexeccon(user_ctx) != 0) {
		306	switch (security_getenforce()) {
		307	case -1:
		308	@@ -133,7 +146,7 @@
		309
		310	/* Set the TTY context for the specified user */
		311	void
		312	-ssh_selinux_setup_pty(char pwname, const char tty)
		313	+ssh_selinux_setup_pty(char pwname, const char tty, const char *role)
		314	{
		315	security_context_t new_tty_ctx = NULL;
		316	security_context_t user_ctx = NULL;
		317	@@ -144,7 +157,7 @@
		318
		319	debug3("%s: setting TTY context on %s", __func__, tty);
		320
		321	- user_ctx = ssh_selinux_getctxbyname(pwname);
		322	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
		323
		324	/* XXX: should these calls fatal() upon failure in enforcing mode? */
		325
		326	Index: b/openbsd-compat/port-linux.h
		327	===================================================================
		328	--- a/openbsd-compat/port-linux.h
		329	+++ b/openbsd-compat/port-linux.h
		330	@@ -21,8 +21,8 @@
		331
		332	#ifdef WITH_SELINUX
		333	int ssh_selinux_enabled(void);
		334	-void ssh_selinux_setup_pty(char , const char );
		335	-void ssh_selinux_setup_exec_context(char *);
		336	+void ssh_selinux_setup_pty(char , const char , const char *);
		337	+void ssh_selinux_setup_exec_context(char , const char );
		338	void ssh_selinux_change_context(const char *);
		339	#endif
		340
		341	Index: b/platform.c
		342	===================================================================
		343	--- a/platform.c
		344	+++ b/platform.c
		345	@@ -134,7 +134,7 @@
		346	* called if sshd is running as root.
		347	*/
		348	void
		349	-platform_setusercontext_post_groups(struct passwd *pw)
		350	+platform_setusercontext_post_groups(struct passwd pw, const char role)
		351	{
		352	#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
		353	/*
		354	@@ -181,7 +181,7 @@
		355	}
		356	#endif /* HAVE_SETPCRED */
		357	#ifdef WITH_SELINUX
		358	- ssh_selinux_setup_exec_context(pw->pw_name);
		359	+ ssh_selinux_setup_exec_context(pw->pw_name, role);
		360	#endif
		361	}
		362
		363	Index: b/platform.h
		364	===================================================================
		365	--- a/platform.h
		366	+++ b/platform.h
		367	@@ -26,7 +26,7 @@
		368	void platform_post_fork_child(void);
		369	int platform_privileged_uidswap(void);
		370	void platform_setusercontext(struct passwd *);
		371	-void platform_setusercontext_post_groups(struct passwd *);
		372	+void platform_setusercontext_post_groups(struct passwd , const char );
		373	char platform_get_krb5_client(const char );
		374	char platform_krb5_get_principal_name(const char );
		375
		376	Index: b/session.c
		377	===================================================================
		378	--- a/session.c
		379	+++ b/session.c
		380	@@ -1467,7 +1467,7 @@
		381
		382	/* Set login name, uid, gid, and groups. */
		383	void
		384	-do_setusercontext(struct passwd *pw)
		385	+do_setusercontext(struct passwd pw, const char role)
		386	{
		387	char chroot_path, tmp;
		388
		389	@@ -1495,7 +1495,7 @@
		390	endgrent();
		391	#endif
		392
		393	- platform_setusercontext_post_groups(pw);
		394	+ platform_setusercontext_post_groups(pw, role);
		395
		396	if (options.chroot_directory != NULL &&
		397	strcasecmp(options.chroot_directory, "none") != 0) {
		398	@@ -1618,7 +1618,7 @@
		399
		400	/* Force a password change */
		401	if (s->authctxt->force_pwchange) {
		402	- do_setusercontext(pw);
		403	+ do_setusercontext(pw, s->authctxt->role);
		404	child_close_fds();
		405	do_pwchange(s);
		406	exit(1);
		407	@@ -1645,7 +1645,7 @@
		408	/* When PAM is enabled we rely on it to do the nologin check */
		409	if (!options.use_pam)
		410	do_nologin(pw);
		411	- do_setusercontext(pw);
		412	+ do_setusercontext(pw, s->authctxt->role);
		413	/*
		414	* PAM session modules in do_setusercontext may have
		415	* generated messages, so if this in an interactive
		416	@@ -2057,7 +2057,7 @@
		417	tty_parse_modes(s->ttyfd, &n_bytes);
		418
		419	if (!use_privsep)
		420	- pty_setowner(s->pw, s->tty);
		421	+ pty_setowner(s->pw, s->tty, s->authctxt->role);
		422
		423	/* Set window size from the packet. */
		424	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
		425	Index: b/session.h
		426	===================================================================
		427	--- a/session.h
		428	+++ b/session.h
		429	@@ -76,7 +76,7 @@
		430	Session *session_new(void);
		431	Session session_by_tty(char );
		432	void session_close(Session *);
		433	-void do_setusercontext(struct passwd *);
		434	+void do_setusercontext(struct passwd , const char );
		435	void child_set_env(char **envp, u_int envsizep, const char *name,
		436	const char *value);
		437
		438	Index: b/sshd.c
		439	===================================================================
		440	--- a/sshd.c
		441	+++ b/sshd.c
		442	@@ -707,7 +707,7 @@
		443	RAND_seed(rnd, sizeof(rnd));
		444
		445	/* Drop privileges */
		446	- do_setusercontext(authctxt->pw);
		447	+ do_setusercontext(authctxt->pw, authctxt->role);
		448
		449	skip:
		450	/* It is safe now to apply the key state */
		451	Index: b/sshpty.c
		452	===================================================================
		453	--- a/sshpty.c
		454	+++ b/sshpty.c
		455	@@ -200,7 +200,7 @@
		456	}
		457
		458	void
		459	-pty_setowner(struct passwd pw, const char tty)
		460	+pty_setowner(struct passwd pw, const char tty, const char *role)
		461	{
		462	struct group *grp;
		463	gid_t gid;
		464	@@ -227,7 +227,7 @@
		465	strerror(errno));
		466
		467	#ifdef WITH_SELINUX
		468	- ssh_selinux_setup_pty(pw->pw_name, tty);
		469	+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
		470	#endif
		471
		472	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {
		473	Index: b/sshpty.h
		474	===================================================================
		475	--- a/sshpty.h
		476	+++ b/sshpty.h
		477	@@ -24,4 +24,4 @@
		478	void pty_release(const char *);
		479	void pty_make_controlling_tty(int , const char );
		480	void pty_change_window_size(int, u_int, u_int, u_int, u_int);
		481	-void pty_setowner(struct passwd , const char );
		482	+void pty_setowner(struct passwd , const char , const char *);