diff -ruN openssh-4.3p2.orig/Makefile.in openssh-4.3p2/Makefile.in --- openssh-4.3p2.orig/Makefile.in 2006-09-27 20:29:53.779114312 +0200 +++ openssh-4.3p2/Makefile.in 2006-09-27 20:31:08.721982692 +0200 @@ -43,6 +43,7 @@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +LIBSELINUX=@LIBSELINUX@ LIBEDIT=@LIBEDIT@ LIBPAM=@LIBPAM@ LIBWRAP=@LIBWRAP@ @@ -77,7 +78,7 @@ sshconnect.o sshconnect1.o sshconnect2.o SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ - sshpty.o sshlogin.o servconf.o serverloop.o \ + sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \ auth.o auth1.o auth2.o auth-options.o session.o \ auth-chall.o auth2-chall.o groupaccess.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ @@ -136,7 +137,7 @@ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff -ruN openssh-4.3p2.orig/auth.h openssh-4.3p2/auth.h --- openssh-4.3p2.orig/auth.h 2006-09-27 20:29:53.786116916 +0200 +++ openssh-4.3p2/auth.h 2006-09-27 20:33:16.947664908 +0200 @@ -58,6 +58,9 @@ char *service; struct passwd *pw; /* set if 'valid' */ char *style; +#ifdef WITH_SELINUX + char *role; +#endif void *kbdintctxt; #ifdef BSD_AUTH auth_session_t *as; diff -ruN openssh-4.3p2.orig/auth1.c openssh-4.3p2/auth1.c --- openssh-4.3p2.orig/auth1.c 2006-09-27 20:29:53.787117288 +0200 +++ openssh-4.3p2/auth1.c 2006-09-27 20:34:47.852468920 +0200 @@ -370,7 +370,10 @@ do_authentication(Authctxt *authctxt) { u_int ulen; - char *user, *style = NULL; + char *user, *style = NULL; +#ifdef WITH_SELINUX + char *role=NULL; +#endif /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); @@ -379,11 +382,24 @@ user = packet_get_string(&ulen); packet_check_eom(); +#ifdef WITH_SELINUX + if ((role = strchr(user, '/')) != NULL) + *role++ = '\0'; +#endif + if ((style = strchr(user, ':')) != NULL) *style++ = '\0'; +#ifdef WITH_SELINUX + else + if (role && (style = strchr(role, ':')) != NULL) + *style++ = '\0'; +#endif authctxt->user = user; authctxt->style = style; +#ifdef WITH_SELINUX + authctxt->role = role; +#endif /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) diff -ruN openssh-4.3p2.orig/auth2.c openssh-4.3p2/auth2.c --- openssh-4.3p2.orig/auth2.c 2006-09-27 20:29:53.788117660 +0200 +++ openssh-4.3p2/auth2.c 2006-09-27 20:35:22.412320404 +0200 @@ -134,7 +134,11 @@ { Authctxt *authctxt = ctxt; Authmethod *m = NULL; - char *user, *service, *method, *style = NULL; + char *user, *service, *method, *style = NULL; +#ifdef WITH_SELINUX + char *role = NULL; +#endif + int authenticated = 0; if (authctxt == NULL) @@ -171,8 +175,15 @@ use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; - if (use_privsep) +#ifdef WITH_SELINUX + authctxt->role = role ? xstrdup(role) : NULL; +#endif + if (use_privsep) { mm_inform_authserv(service, style); +#ifdef WITH_SELINUX + mm_inform_authrole(role); +#endif + } } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " diff -ruN openssh-4.3p2.orig/configure.ac openssh-4.3p2/configure.ac --- openssh-4.3p2.orig/configure.ac 2006-09-27 20:29:53.800122124 +0200 +++ openssh-4.3p2/configure.ac 2006-09-27 20:31:08.760997200 +0200 @@ -2952,6 +2952,20 @@ [#include ]) ]) +# Check whether user wants SELinux support +SELINUX_MSG="no" +LIBSELINUX="" +AC_ARG_WITH(selinux, + [ --with-selinux Enable SELinux support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) + SELINUX_MSG="yes" + AC_CHECK_HEADERS(selinux.h) + LIBSELINUX="-lselinux" + fi + ]) +AC_SUBST(LIBSELINUX) + # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, @@ -3770,6 +3784,7 @@ echo " Manpage format: $MANTYPE" echo " PAM support: $PAM_MSG" echo " KerberosV support: $KRB5_MSG" +echo " SELinux support: $SELINUX_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" diff -ruN openssh-4.3p2.orig/monitor.c openssh-4.3p2/monitor.c --- openssh-4.3p2.orig/monitor.c 2006-09-27 20:29:53.812126588 +0200 +++ openssh-4.3p2/monitor.c 2006-09-27 20:36:51.506451096 +0200 @@ -114,6 +114,9 @@ int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); +#ifdef WITH_SELINUX +int mm_answer_authrole(int, Buffer *); +#endif int mm_answer_skeyquery(int, Buffer *); int mm_answer_skeyrespond(int, Buffer *); int mm_answer_keyallowed(int, Buffer *); @@ -181,6 +184,9 @@ {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, +#ifdef WITH_SELINUX + {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, +#endif {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM @@ -623,6 +629,9 @@ else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); +#ifdef WITH_SELINUX + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); +#endif monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } @@ -670,6 +679,25 @@ return (0); } +#ifdef WITH_SELINUX +int +mm_answer_authrole(int sock, Buffer *m) +{ + monitor_permit_authentications(1); + + authctxt->role = buffer_get_string(m, NULL); + debug3("%s: role=%s", + __func__, authctxt->role); + + if (strlen(authctxt->role) == 0) { + xfree(authctxt->role); + authctxt->role = NULL; + } + + return (0); +} +#endif + int mm_answer_authpassword(int sock, Buffer *m) { diff -ruN openssh-4.3p2.orig/monitor.h openssh-4.3p2/monitor.h --- openssh-4.3p2.orig/monitor.h 2006-09-27 20:29:53.812126588 +0200 +++ openssh-4.3p2/monitor.h 2006-09-27 20:37:38.463912776 +0200 @@ -31,6 +31,9 @@ enum monitor_reqtype { MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, +#ifdef WITH_SELINUX + MONITOR_REQ_AUTHROLE, +#endif MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, diff -ruN openssh-4.3p2.orig/monitor_wrap.c openssh-4.3p2/monitor_wrap.c --- openssh-4.3p2.orig/monitor_wrap.c 2006-09-27 20:29:53.813126960 +0200 +++ openssh-4.3p2/monitor_wrap.c 2006-09-27 20:38:08.458066452 +0200 @@ -271,6 +271,25 @@ buffer_free(&m); } +#ifdef WITH_SELINUX +/* Inform the privileged process about role */ + +void +mm_inform_authrole(char *role) +{ + Buffer m; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_cstring(&m, role ? role : ""); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); + + buffer_free(&m); +} +#endif + /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) diff -ruN openssh-4.3p2.orig/monitor_wrap.h openssh-4.3p2/monitor_wrap.h --- openssh-4.3p2.orig/monitor_wrap.h 2006-09-27 20:29:53.813126960 +0200 +++ openssh-4.3p2/monitor_wrap.h 2006-09-27 20:38:27.184029920 +0200 @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); void mm_inform_authserv(char *, char *); +#ifdef WITH_SELINUX +void mm_inform_authrole(char *); +#endif struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); diff -ruN openssh-4.3p2.orig/selinux.c openssh-4.3p2/selinux.c --- openssh-4.3p2.orig/selinux.c 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.3p2/selinux.c 2006-09-27 20:31:08.770000548 +0200 @@ -0,0 +1,86 @@ +#include "includes.h" +#include "auth.h" +#include "log.h" + +#ifdef WITH_SELINUX +#include +#include +#include +#include +#include +extern Authctxt *the_authctxt; + +static const security_context_t selinux_get_user_context(const char *name) { + security_context_t user_context=NULL; + char *role=NULL; + int ret=-1; + char *seuser=NULL; + char *level=NULL; + + if (the_authctxt) + role=the_authctxt->role; + + if (getseuserbyname(name, &seuser, &level)==0) { + if (role != NULL && role[0]) + ret=get_default_context_with_rolelevel(seuser, role, level,NULL,&user_context); + else + ret=get_default_context_with_level(seuser, level, NULL,&user_context); + } + + if ( ret < 0 ) { + if (security_getenforce() > 0) + fatal("Failed to get default security context for %s.", name); + else + error("Failed to get default security context for %s. Continuing in permissive mode", name); + } + return user_context; +} + +void setup_selinux_pty(const char *name, const char *tty) { + if (is_selinux_enabled() > 0) { + security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; + + user_context=selinux_get_user_context(name); + + if (getfilecon(tty, &old_tty_context) < 0) { + error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno)); + } else { + if (security_compute_relabel(user_context,old_tty_context, + SECCLASS_CHR_FILE, + &new_tty_context) != 0) { + error("security_compute_relabel(%.100s) failed: %.100s", tty, + strerror(errno)); + } else { + if (setfilecon (tty, new_tty_context) != 0) + error("setfilecon(%.100s, %s) failed: %.100s", + tty, new_tty_context, + strerror(errno)); + freecon(new_tty_context); + } + freecon(old_tty_context); + } + if (user_context) { + freecon(user_context); + } + } +} + +void setup_selinux_exec_context(char *name) { + + if (is_selinux_enabled() > 0) { + security_context_t user_context=selinux_get_user_context(name); + if (setexeccon(user_context)) { + if (security_getenforce() > 0) + fatal("Failed to set exec security context %s for %s.", user_context, name); + else + error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name); + } + if (user_context) { + freecon(user_context); + } + } +} +#else +inline void setup_selinux_pty(const char *name, const char *tty) {} +inline void setup_selinux_exec_context(const char *name) {} +#endif /* WITH_SELINUX */ diff -ruN openssh-4.3p2.orig/selinux.h openssh-4.3p2/selinux.h --- openssh-4.3p2.orig/selinux.h 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.3p2/selinux.h 2006-09-27 20:39:03.941698688 +0200 @@ -0,0 +1,9 @@ +#ifndef __SELINUX_H_ +#define __SELINUX_H_ + +#ifdef WITH_SELINUX +extern void setup_selinux_pty(const char *name, const char *tty); +extern void setup_selinux_exec_context(const char *name); +#endif + +#endif /* __SELINUX_H_ */ diff -ruN openssh-4.3p2.orig/session.c openssh-4.3p2/session.c --- openssh-4.3p2.orig/session.c 2006-09-27 20:29:53.822130308 +0200 +++ openssh-4.3p2/session.c 2006-09-27 20:39:34.031888076 +0200 @@ -59,6 +59,10 @@ #include "kex.h" #include "monitor_wrap.h" +#ifdef WITH_SELINUX +#include "selinux.h" +#endif + #if defined(KRB5) && defined(USE_AFS) #include #endif @@ -1340,6 +1344,10 @@ #endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); + +#ifdef WITH_SELINUX + setup_selinux_exec_context(pw->pw_name); +#endif } static void diff -ruN openssh-4.3p2.orig/sshpty.c openssh-4.3p2/sshpty.c --- openssh-4.3p2.orig/sshpty.c 2006-09-27 20:29:53.834134772 +0200 +++ openssh-4.3p2/sshpty.c 2006-09-27 20:40:05.663650716 +0200 @@ -22,6 +22,10 @@ #include "log.h" #include "misc.h" +#ifdef WITH_SELINUX +#include "selinux.h" +#endif + #ifdef HAVE_PTY_H # include #endif @@ -200,6 +204,10 @@ fatal("stat(%.100s) failed: %.100s", tty, strerror(errno)); +#ifdef WITH_SELINUX + setup_selinux_pty(pw->pw_name, tty); +#endif + if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (chown(tty, pw->pw_uid, gid) < 0) { if (errno == EROFS &&