(-)openssh-4.3p2.orig/Makefile.in (-2 / +3 lines)
Lines 43-48 Link Here
43
CFLAGS=@CFLAGS@
43
CFLAGS=@CFLAGS@
44
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
44
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
45
LIBS=@LIBS@
45
LIBS=@LIBS@
46
LIBSELINUX=@LIBSELINUX@
46
LIBEDIT=@LIBEDIT@
47
LIBEDIT=@LIBEDIT@
47
LIBPAM=@LIBPAM@
48
LIBPAM=@LIBPAM@
48
LIBWRAP=@LIBWRAP@
49
LIBWRAP=@LIBWRAP@
Lines 77-83 Link Here
77
	sshconnect.o sshconnect1.o sshconnect2.o
78
	sshconnect.o sshconnect1.o sshconnect2.o
78
79
79
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
80
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
80
	sshpty.o sshlogin.o servconf.o serverloop.o \
81
	sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \
81
	auth.o auth1.o auth2.o auth-options.o session.o \
82
	auth.o auth1.o auth2.o auth-options.o session.o \
82
	auth-chall.o auth2-chall.o groupaccess.o \
83
	auth-chall.o auth2-chall.o groupaccess.o \
83
	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
84
	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
Lines 136-142 Link Here
136
	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
137
	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
137
138
138
sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
139
sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
139
	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
140
	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
140
141
141
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
142
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
142
	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
143
	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
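--- a/openssh-4.3p2.orig/auth.h
+++ b/openssh-4.3p2.orig/auth.h
@@ -58,6 +58,9 @@
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
+#ifdef WITH_SELINUX
+	char		*role;
+#endif
 	void		*kbdintctxt;
 #ifdef BSD_AUTH
 	auth_session_t	*as;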
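Review bot: The new `role` member is added without a comment, while the neighbouring `pw` field documents when it is set; suggest `char *role; /* SELinux role requested as user/role, NULL if none */`. From the auth1.c hunk the value is the client-supplied text after '/' in the login name, and selinux.c later hands it to the policy lookup, so stating its origin here helps whoever reads it there. The struct continues outside the hunk.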
(-)openssh-4.3p2.orig/auth1.c (-1 / +17 lines)
Lines 370-376 Link Here
370
do_authentication(Authctxt *authctxt)
370
do_authentication(Authctxt *authctxt)
371
{
371
{
372
	u_int ulen;
372
	u_int ulen;
373
	char *user, *style = NULL;
373
	char *user, *style = NULL;
374
#ifdef WITH_SELINUX
375
	char *role=NULL;
376
#endif
374
377
375
	/* Get the name of the user that we wish to log in as. */
378
	/* Get the name of the user that we wish to log in as. */
376
	packet_read_expect(SSH_CMSG_USER);
379
	packet_read_expect(SSH_CMSG_USER);
Lines 379-389 Link Here
379
	user = packet_get_string(&ulen);
382
	user = packet_get_string(&ulen);
380
	packet_check_eom();
383
	packet_check_eom();
381
384
385
#ifdef WITH_SELINUX
386
	if ((role = strchr(user, '/')) != NULL)
387
		*role++ = '\0';
388
#endif
389
382
	if ((style = strchr(user, ':')) != NULL)
390
	if ((style = strchr(user, ':')) != NULL)
383
		*style++ = '\0';
391
		*style++ = '\0';
392
#ifdef WITH_SELINUX
393
	else
394
		if (role && (style = strchr(role, ':')) != NULL)
395
			*style++ = '\0';
396
#endif
384
397
385
	authctxt->user = user;
398
	authctxt->user = user;
386
	authctxt->style = style;
399
	authctxt->style = style;
400
#ifdef WITH_SELINUX
401
	authctxt->role = role;
402
#endif
387
403
388
	/* Verify that the user is a valid user. */
404
	/* Verify that the user is a valid user. */
389
	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
405
	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
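Review bot: The role parsed here is stored only in the `authctxt` of the process running do_authentication, and unlike the auth2.c hunk there is no `mm_inform_authrole(role)` after the parse, so under privsep the monitor's copy of the context — the one selinux.c reads through `the_authctxt` when the pty is set up — appears to stay NULL for protocol 1; if that is intentional a comment should say so, otherwise the inform call belongs here as well. Note that after `*role++ = '\0'` the `role` pointer aliases into `user`, which is fine only because `authctxt->user = user` keeps that buffer alive for the session. do_authentication continues outside the hunk.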
(-)openssh-4.3p2.orig/auth2.c (-2 / +13 lines)
Lines 134-140 Link Here
134
{
134
{
135
	Authctxt *authctxt = ctxt;
135
	Authctxt *authctxt = ctxt;
136
	Authmethod *m = NULL;
136
	Authmethod *m = NULL;
137
	char *user, *service, *method, *style = NULL;
137
	char *user, *service, *method, *style = NULL;
138
#ifdef WITH_SELINUX
139
	char *role = NULL;
140
#endif
141
138
	int authenticated = 0;
142
	int authenticated = 0;
139
143
140
	if (authctxt == NULL)
144
	if (authctxt == NULL)
Lines 171-178 Link Here
171
		    use_privsep ? " [net]" : "");
175
		    use_privsep ? " [net]" : "");
172
		authctxt->service = xstrdup(service);
176
		authctxt->service = xstrdup(service);
173
		authctxt->style = style ? xstrdup(style) : NULL;
177
		authctxt->style = style ? xstrdup(style) : NULL;
174
		if (use_privsep)
178
#ifdef WITH_SELINUX
179
		authctxt->role = role ? xstrdup(role) : NULL;
180
#endif		
181
		if (use_privsep) {
175
			mm_inform_authserv(service, style);
182
			mm_inform_authserv(service, style);
183
#ifdef WITH_SELINUX
184
			mm_inform_authrole(role);
185
#endif			
186
		}
176
	} else if (strcmp(user, authctxt->user) != 0 ||
187
	} else if (strcmp(user, authctxt->user) != 0 ||
177
	    strcmp(service, authctxt->service) != 0) {
188
	    strcmp(service, authctxt->service) != 0) {
178
		packet_disconnect("Change of username or service not allowed: "
189
		packet_disconnect("Change of username or service not allowed: "
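Review bot: In both auth2.c hunks `role` is only initialised to NULL, duplicated with xstrdup and passed to mm_inform_authrole; no visible line splits it off the login name the way the auth1.c hunk does with `strchr(user, '/')`, so unless that happens in a part of input_userauth_request not shown here, `authctxt->role` is always NULL for protocol 2 and the monitor always receives "". The section's diffstat (+13/-2) is larger than what the two hunks account for, so the parse may well exist; worth confirming before merging. The new `#endif		` lines also carry trailing tabs. input_userauth_request starts and ends outside the hunk.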
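--- a/openssh-4.3p2.orig/configure.ac
+++ b/openssh-4.3p2.orig/configure.ac
@@ -2952,6 +2952,20 @@
 			[#include <arpa/nameser.h>])
 	])
 
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+LIBSELINUX=""
+AC_ARG_WITH(selinux,
+	[  --with-selinux   Enable SELinux support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
+		SELINUX_MSG="yes"
+		AC_CHECK_HEADERS(selinux.h)
+		LIBSELINUX="-lselinux"
+	fi
+	])
+AC_SUBST(LIBSELINUX)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
@@ -3770,6 +3784,7 @@
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
+echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"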
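Review bot: `AC_CHECK_HEADERS(selinux.h)` tests for a top-level `<selinux.h>`, but selinux.c includes `<selinux/selinux.h>` and its siblings, and nothing in the patch consults the resulting HAVE_SELINUX_H, so a host without the SELinux development files configures successfully and only fails when selinux.c is compiled or sshd is linked. Checking the real header and the library, and stopping configure when they are missing, gives a clearer failure: `AC_CHECK_HEADERS(selinux/selinux.h, [], [AC_MSG_ERROR([SELinux support requested but selinux/selinux.h not found])])` and `AC_CHECK_LIB(selinux, setexeccon, [LIBSELINUX="-lselinux"], [AC_MSG_ERROR([SELinux support requested but libselinux not found])])`. The `--with-selinux` branch also sets `LIBSELINUX` unconditionally, which the library check above would replace.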
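--- a/openssh-4.3p2.orig/monitor.c
+++ b/openssh-4.3p2.orig/monitor.c
@@ -114,6 +114,9 @@
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
 int mm_answer_skeyquery(int, Buffer *);
 int mm_answer_skeyrespond(int, Buffer *);
 int mm_answer_keyallowed(int, Buffer *);
@@ -181,6 +184,9 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif    
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -623,6 +629,9 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif		
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -670,6 +679,25 @@
 	return (0);
 }
 
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+#endif
+
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {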
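Review bot: mm_answer_authrole stores whatever string the unprivileged child sends as `authctxt->role` with no check beyond collapsing "" to NULL, and the string originates in the client's login name (auth1.c splits it at '/'), so the privileged monitor is relying entirely on the policy lookup in selinux.c to reject roles the user may not take. That mirrors how mm_answer_authserv treats service and style, but the trust boundary deserves a comment on the assignment: `/* role is client-supplied; it is only validated by the SELinux policy lookup in selinux_get_user_context() */`. The request is registered MON_ONCE and permitted next to MONITOR_REQ_AUTHSERV, which should keep it from being resent to replace the role later; worth confirming that the MON_ONCE flag is honoured for this table. As in the neighbouring handlers, `sock` is unused.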
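--- a/openssh-4.3p2.orig/monitor.h
+++ b/openssh-4.3p2.orig/monitor.h
@@ -31,6 +31,9 @@
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
 	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+	MONITOR_REQ_AUTHROLE,
+#endif	
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,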
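Review bot: Wrapping `MONITOR_REQ_AUTHROLE` in `#ifdef WITH_SELINUX` in the middle of enum monitor_reqtype shifts the numeric value of every later request type depending on the build option. Both privsep halves come from the same binary, so nothing breaks, but request numbers seen in debug output or a trace now differ between builds; defining the enumerator unconditionally (`MONITOR_REQ_AUTHROLE,` with no `#ifdef`) and keeping the conditional only on the handler avoids that and matches how MONITOR_REQ_AUTHSERV is declared. The `#endif	` line carries a trailing tab. The enum continues outside the hunk.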
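--- a/openssh-4.3p2.orig/monitor_wrap.c
+++ b/openssh-4.3p2.orig/monitor_wrap.c
@@ -271,6 +271,25 @@
 	buffer_free(&m);
 }
 
+#ifdef WITH_SELINUX
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+#endif
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)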
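--- a/openssh-4.3p2.orig/monitor_wrap.h
+++ b/openssh-4.3p2.orig/monitor_wrap.h
@@ -44,6 +44,9 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);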
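--- a/openssh-4.3p2.orig/selinux.c
+++ b/openssh-4.3p2.orig/selinux.c
@@ -0,0 +1,86 @@
+#include "includes.h"
+#include "auth.h"
+#include "log.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+extern Authctxt *the_authctxt;
+
+static const security_context_t selinux_get_user_context(const char *name) {
+	security_context_t user_context=NULL;
+	char *role=NULL;
+	int ret=-1;
+	char *seuser=NULL;
+	char *level=NULL;
+
+	if (the_authctxt) 
+		role=the_authctxt->role;
+
+	if (getseuserbyname(name, &seuser, &level)==0) {
+		if (role != NULL && role[0]) 
+			ret=get_default_context_with_rolelevel(seuser, role, level,NULL,&user_context);
+		else
+			ret=get_default_context_with_level(seuser, level, NULL,&user_context);
+	}
+
+	if ( ret < 0 ) {
+		if (security_getenforce() > 0) 
+			fatal("Failed to get default security context for %s.", name);
+		else 
+			error("Failed to get default security context for %s. Continuing in permissive mode", name);
+	} 
+	return user_context;
+}
+
+void setup_selinux_pty(const char *name, const char *tty) {
+	if (is_selinux_enabled() > 0) {
+		security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; 
+
+		user_context=selinux_get_user_context(name);
+
+		if (getfilecon(tty, &old_tty_context) < 0) {
+			error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
+		} else {
+			if (security_compute_relabel(user_context,old_tty_context,
+						     SECCLASS_CHR_FILE,
+						     &new_tty_context) != 0) {
+				error("security_compute_relabel(%.100s) failed: %.100s", tty,
+				      strerror(errno));
+			} else {
+				if (setfilecon (tty, new_tty_context) != 0) 
+					error("setfilecon(%.100s, %s) failed: %.100s",
+					      tty, new_tty_context, 
+					      strerror(errno));
+				freecon(new_tty_context);
+			}
+			freecon(old_tty_context);
+		}
+		if (user_context) {
+			freecon(user_context);
+		}
+	}
+}
+
+void setup_selinux_exec_context(char *name) {
+
+	if (is_selinux_enabled() > 0) {
+		security_context_t user_context=selinux_get_user_context(name);
+		if (setexeccon(user_context)) {
+			if (security_getenforce() > 0) 
+				fatal("Failed to set exec security context %s for %s.", user_context, name);
+			else 
+				error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name);
+		}
+		if (user_context) {
+			freecon(user_context);
+		}
+	}
+}
+#else
+inline void setup_selinux_pty(const char *name, const char *tty) {}
+inline void setup_selinux_exec_context(const char *name) {} 
+#endif /* WITH_SELINUX */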
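Review bot: selinux_get_user_context never frees `seuser` and `level`, which getseuserbyname allocates for the caller, so every pty and exec-context setup leaks two strings; add `free(seuser); free(level);` before `return user_context;`. The definition `void setup_selinux_exec_context(char *name)` disagrees with the `const char *name` prototype in selinux.h and with the `#else` stub below, which goes unnoticed only because this file does not include its own header. The `const` on the return type of selinux_get_user_context qualifies a by-value `char *` and does nothing, and the non-`static` `inline` stubs under `#else` emit no external definition in C99, so they work only because every caller is itself wrapped in `#ifdef WITH_SELINUX`. In setup_selinux_pty the relabel still runs with `user_context == NULL` on the permissive-mode path, which will most likely make security_compute_relabel fail and log a second error; returning after the first error() would be cleaner.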
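--- a/openssh-4.3p2.orig/selinux.h
+++ b/openssh-4.3p2.orig/selinux.h
@@ -0,0 +1,9 @@
+#ifndef __SELINUX_H_
+#define __SELINUX_H_
+
+#ifdef WITH_SELINUX
+extern void setup_selinux_pty(const char *name, const char *tty);
+extern void setup_selinux_exec_context(const char *name);
+#endif
+
+#endif /* __SELINUX_H_ */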
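Review bot: The include guard `__SELINUX_H_` starts with a double underscore, an identifier reserved for the implementation in C; `SELINUX_H` (or whatever guard style the other headers use) avoids the clash. The prototypes are also declared only under WITH_SELINUX, so the `#else` stubs in selinux.c are compiled without a prior declaration and every caller has to repeat the `#ifdef` around its call and its `#include "selinux.h"`. Declaring both functions unconditionally, with the no-op versions as `static inline` in this header under `#else`, would let session.c and sshpty.c drop those conditionals.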
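--- a/openssh-4.3p2.orig/session.c
+++ b/openssh-4.3p2.orig/session.c
@@ -59,6 +59,10 @@
 #include "kex.h"
 #include "monitor_wrap.h"
 
+#ifdef WITH_SELINUX
+#include "selinux.h"
+#endif
+
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
@@ -1340,6 +1344,10 @@
 #endif
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+
+#ifdef WITH_SELINUX
+	setup_selinux_exec_context(pw->pw_name);
+#endif	
 }
 
 static void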
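--- a/openssh-4.3p2.orig/sshpty.c
+++ b/openssh-4.3p2.orig/sshpty.c
@@ -22,6 +22,10 @@
 #include "log.h"
 #include "misc.h"
 
+#ifdef WITH_SELINUX
+#include "selinux.h"
+#endif
+
 #ifdef HAVE_PTY_H
 # include <pty.h>
 #endif
@@ -200,6 +204,10 @@
 		fatal("stat(%.100s) failed: %.100s", tty,
 		    strerror(errno));
 
+#ifdef WITH_SELINUX
+	setup_selinux_pty(pw->pw_name, tty);
+#endif
+
 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
 		if (chown(tty, pw->pw_uid, gid) < 0) {
 			if (errno == EROFS &&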
