path: root/openbsd-compat/port-linux.c
Diffstat (limited to 'openbsd-compat/port-linux.c')
-rw-r--r--openbsd-compat/port-linux.c27
1 files changed, 20 insertions, 7 deletions
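--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -27,6 +27,12 @@
 #include <string.h>
 #include <stdio.h>
 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
@@ -56,7 +62,7 @@ ssh_selinux_enabled(void)
 
 /* Return the default security context for the given username */
 static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
 {
 	security_context_t sc = NULL;
 	char *sename = NULL, *lvl = NULL;
@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname)
 #endif
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
+	if (role != NULL && role[0])
+		r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+		    &sc);
+	else
+		r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
-	r = get_default_context(sename, NULL, &sc);
+	if (role != NULL && role[0])
+		r = get_default_context_with_role(sename, role, NULL, &sc);
+	else
+		r = get_default_context(sename, NULL, &sc);
 #endif
 
 	if (r != 0) {
@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname)
 
 /* Set the execution context to the default for the specified user */
 void
-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
 {
 	security_context_t user_ctx = NULL;
 
@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 	debug3("%s: setting execution context", __func__);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
+	user_ctx = ssh_selinux_getctxbyname(pwname, role);
 	if (setexeccon(user_ctx) != 0) {
 		switch (security_getenforce()) {
 		case -1:
@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 /* Set the TTY context for the specified user */
 void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
 {
 	security_context_t new_tty_ctx = NULL;
 	security_context_t user_ctx = NULL;
@@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 
 	debug3("%s: setting TTY context on %s", __func__, tty);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
+	user_ctx = ssh_selinux_getctxbyname(pwname, role);
 
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
 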
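Review bot: The new `role` parameter of ssh_selinux_getctxbyname (and of the two setup_* wrappers) is undocumented: the header comment still says only "for the given username", and the contract visible in the hunk — a NULL or empty role keeps the previous default-context lookup, any other value is handed straight to libselinux — is not stated anywhere. Suggested replacement for the comment above ssh_selinux_getctxbyname: `/* Return the default security context for the given username; a NULL or empty role selects the plain default context, otherwise the named role is requested from libselinux */`, and the same one-line addition on the setup_exec_context and setup_pty comments. Since nothing in this file checks that the user is actually permitted the requested role, the comment should also say which side (the caller or libselinux) is relied on for that check, so a later reader of the `if (r != 0)` branch knows an unexpected role is meant to end up there. As a point of style, the `role != NULL && role[0]` test is repeated in both `#ifdef` arms and could be hoisted once above the `#ifdef` into `int have_role = role != NULL && role[0] != '\0';`. I also note that the `_with_role`/`_with_rolelevel` calls have no configure guard, unlike `HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL`, so a libselinux lacking them would presumably fail to link; worth confirming the minimum supported version. The body of ssh_selinux_getctxbyname continues outside the hunk.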