3 files changed, 29 insertions, 9 deletions

diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 98876673d..011821198 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
                 goto fail;
         }
 
-        /* don't allow flags yet, unimplemented */
-        if (flags) {
+        /* Allow RRSET_FORCE_EDNS0 flag only. */
+        if ((flags & !RRSET_FORCE_EDNS0) != 0) {
                 result = ERRSET_INVAL;
                 goto fail;
         }
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 #endif /* DEBUG */
 
 #ifdef RES_USE_DNSSEC
-        /* turn on DNSSEC if EDNS0 is configured */
-        if (_resp->options & RES_USE_EDNS0)
-                _resp->options |= RES_USE_DNSSEC;
+        /* turn on DNSSEC if required  */
+        if (flags & RRSET_FORCE_EDNS0)
+                _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
 #endif /* RES_USE_DNSEC */
 
         /* make query */
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
index 1283f5506..dbbc85a2a 100644
--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
 #ifndef RRSET_VALIDATED
 # define RRSET_VALIDATED        1
 #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0      0x0001
+#endif
 
 /*
  * Return codes for getrrsetbyname()
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 89b9a7340..c0ac9065e 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -29,6 +29,12 @@
 #include <string.h>
 #include <stdio.h>
 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
@@ -38,6 +44,8 @@
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
+extern Authctxt *the_authctxt;
+
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 ssh_selinux_enabled(void)
@@ -56,8 +64,8 @@ ssh_selinux_enabled(void)
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
-        security_context_t sc;
-        char *sename = NULL, *lvl = NULL;
+        security_context_t sc = NULL;
+        char *sename = NULL, *role = NULL, *lvl = NULL;
         int r;
 
 #ifdef HAVE_GETSEUSERBYNAME
@@ -67,11 +75,20 @@ ssh_selinux_getctxbyname(char *pwname)
         sename = pwname;
         lvl = NULL;
 #endif
+        if (the_authctxt)
+                role = the_authctxt->role;
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-        r = get_default_context_with_level(sename, lvl, NULL, &sc);
+        if (role != NULL && role[0])
+                r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+                                                       &sc);
+        else
+                r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
-        r = get_default_context(sename, NULL, &sc);
+        if (role != NULL && role[0])
+                r = get_default_context_with_role(sename, role, NULL, &sc);
+        else
+                r = get_default_context(sename, NULL, &sc);
 #endif
 
         if (r != 0) {